Agent Tesla .NET Remote Access Trojan — Credential and Data Theft via Keylogging and MaaS Operations — Threadlinqs Intelligence
Threat ID: TL-2026-0912 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Agent Tesla is a .NET-based Remote Access Trojan and information stealer sold as Malware-as-a-Service since 2014. It harvests credentials from 80+ browsers, email, FTP, VPN and Wi-Fi clients, logs
Agent Tesla is one of the most prevalent commodity Remote Access Trojans (RATs) in circulation, first observed in late 2014 and continuously developed and resold as Malware-as-a-Service (MaaS) on dark-web forums. Built on the Microsoft .NET framework, it functions primarily as a keylogger and information stealer while retaining full RAT capabilities including remote command execution, file download, screen capture, and webcam access.
Initial access is overwhelmingly achieved through spear-phishing emails carrying malicious attachments. Over its lifetime the delivery vehicle has evolved from macro-enabled Word documents and Microsoft Office equation-editor exploits (CVE-2017-11882, CVE-2017-8570) to OLE objects, batch scripts in archives, and most recently compiled HTML Help (.chm) files and JScript (.jse) loaders packaged inside RAR/GZ archives. A representative 2026 multi-stage chain analyzed by FortiGuard Labs proceeds: email > RAR attachment > JScript (.jse) loader > downloaded PowerShell > in-memory PowerShell > in-memory .NET loader > .NET Agent Tesla payload, with the final payload injected via process hollowing into a legitimate signed .NET binary such as Aspnet_compiler.exe or RegAsm.exe.
The loader chain is heavily obfuscated (Obfuscar, Rijndael/AES-CBC PKCS7 string and payload encryption, Base64-encoded assemblies) and largely fileless — payloads are reflectively loaded into memory rather than written to disk. Anti-analysis routines detect virtualization (VMware, VirtualBox, Hyper-V) and scan for sandbox/EDR DLLs (snxhk.dll, SbieDll.dll, cmdvrt32.dll) before detonation.
Once running, Agent Tesla establishes persistence via Registry Run keys, the Startup folder, Winlogon Shell/Load values, and scheduled tasks (Schtasks.exe /Create). It performs broad system reconnaissance (WMI 'select * from win32_operatingsystem', username, computer name, OS, CPU, RAM, video card), collects Wi-Fi profiles via 'netsh wlan show profile', captures keystrokes through SetWindowsHookEx (logging to %temp%\log.tmp), grabs clipboard contents, takes desktop screenshots, and records webcam video. It steals stored credentials from 80+ applications — Chrome, Firefox, Edge, Brave, Opera, Vivaldi and other Chromium browsers, Outlook, Thunderbird, Mailbird, FileZilla, WinSCP, OpenVPN, NordVPN — by parsing SQLite stores, configuration files, and Registry entries.
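As an added defensive example (written for this page, not taken from the advisory or from Threadlinqs' own rule set), the Python below applies the delivery-chain and post-execution behaviours described in the two preceding paragraphs to constructed process-creation events: a script host or PowerShell spawning one of the named .NET hollowing hosts, that host in turn spawning reconnaissance/persistence tools, and the `netsh wlan show profile`, `schtasks /Create`, Run-key and `.jse` command lines. Field names follow Sysmon Event ID 1; the events themselves are hand-written samples, not real telemetry.

```python
import re

# Hollowing targets named in the advisory, the script hosts that precede them, and LOLBins run afterwards.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe"}
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
CHILD_TOOLS = {"netsh.exe", "schtasks.exe", "cmd.exe", "reg.exe"}

RULES = [  # command-line patterns for the behaviours described above
    ("jse_script_host", re.compile(r"[wc]script(\.exe)?\b.*\.jse\b", re.I)),
    ("wifi_profile_dump", re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+profile", re.I)),
    ("schtasks_persist", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("run_key_persist", re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)),
]

def _basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names a single process-creation event matches (empty = nothing suspicious)."""
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    hits = []
    if image in HOLLOW_TARGETS and parent in SCRIPT_PARENTS:
        hits.append("script_host_spawns_dotnet_host")  # hollowing stage of the chain
    if parent in HOLLOW_TARGETS and image in CHILD_TOOLS:
        hits.append("dotnet_host_spawns_child")        # recon/persistence from the hollowed host
    for name, pattern in RULES:
        if pattern.search(event["CommandLine"]):
            hits.append(name)
    return hits

def scan(events):
    """(ProcessId, hits) for every event that triggers at least one rule."""
    return [(e["ProcessId"], h) for e in events if (h := classify(e))]

# Constructed sample events: a jse loader from an archive, a hollowed RegAsm.exe, its children, and a benign process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DI\invoice.jse"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "RegAsm.exe"},
    {"ProcessId": 4200, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "CommandLine": "netsh wlan show profile"},
    {"ProcessId": 4211, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updates\svchost" /TR "C:\Users\u\AppData\Roaming\svchost.exe"'},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```

The parent/child pairings are the higher-fidelity signals; the command-line patterns on their own will also match legitimate administration and should be scoped by parent process or user context in production.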
Harvested data is archived and encrypted (3DES), written to files with CO_/SC_/KL_ prefixes, and exfiltrated over hardcoded SMTP (TLS, port 587), FTP (STOR with embedded credentials), HTTP, or the Telegram Bot API. Telegram has become a dominant C2 channel: Agent Tesla accounted for roughly three-quarters of Telegram-C2 malware samples observed in 2024. Stolen data flows to attacker-controlled mail servers such as mail.taikei-rmc-co.biz, whose bounce traffic betrays large-scale exfiltration operations. Agent Tesla remains a top-10 malware family (Q4 2025, CIS MS-ISAC) and primarily targets the United States, China, Germany, and the global education sector.
Weaknesses (CWE)
CWE-94, CWE-507
Target sectors: education, government, manufacturing, energy, logistics, financial
Target regions: North America, Asia, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 29 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, CVE-2017-11882, CVE-2017-8570, T1566, T1204, T1203, T1059, T1047, T1547, T1053, T1055, T1027, T1140