{
	"id": "ce8f7c03-5106-40a6-a8c4-265d93ee254a",
	"created_at": "2026-04-06T00:13:34.241486Z",
	"updated_at": "2026-04-10T13:12:53.951172Z",
	"deleted_at": null,
	"sha1_hash": "2ed4195fd6ff086328a2cba38145359ddc65bafd",
	"title": "“Face mask manufacturer” supplies Agent Tesla Malware: campaign employs Covid-19 lures and sophisticated evasion techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 545142,
	"plain_text": "“Face mask manufacturer” supplies Agent Tesla Malware:\r\ncampaign employs Covid-19 lures and sophisticated evasion\r\ntechniques\r\nBy Elaine Dzuba\r\nPublished: 2020-08-27 · Archived: 2026-04-05 17:33:17 UTC\r\n2020-08-27\r\n6 min read\r\nThis blog originally appeared in August 2020 on the Area 1 Security website, and was issued in advance of\r\nCloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.\r\nIt’s no surprise that the world is currently facing a major shortage of the now-iconic blue surgical mask. Once only\r\nseen in hospitals and medical dramas, these masks are now the hottest selling streetwear. New state regulations\r\nnow have businesses saying, “No Shirt, No Shoes, No Mask, No Service.” The incredible demand has led\r\nopportunistic businesses to get into the import/export of this vital article.\r\nhttps://www.area1security.com/blog/facemask-phishing-agent-tesla-malware/\r\nPage 1 of 8\n\nRecent phishing campaigns are also capitalizing on this trend by sending email attachments infected with Agent\r\nTesla malware, an advanced Remote Access Trojan (RAT), to various companies under the guise of a mask\r\nproduction business venture. Area 1 Security caught these attacks filled with enticing traps that bypass legacy\r\nvendors and would have otherwise made their way into users’ inboxes.\r\nFace Mask and Forehead Thermometer Phishing\r\nA prevalent phishing campaign loaded with a malicious executable is attempting to wreak havoc on companies\r\nworldwide, spanning numerous industry verticals. This campaign began as early as May, during the start of major\r\nlockdowns and mask shortages across the globe due to the COVID-19 pandemic. 
There have been numerous\r\niterations of the campaign, but the main body of text remains the same.\r\nThe attacker lures targets by using language that preys on fears surrounding COVID-19 and claiming to offer face\r\nmasks and forehead thermometers, products currently in high demand but short supply. To avoid detection, the\r\nphishing campaign generally follows a 10-day cycle wherein the threat actor slightly modifies their Tactics,\r\nTechniques, and Procedures (TTPs) before launching a new wave of emails. A recent phishing message from this\r\ncampaign can be found below.\r\nTranschem Inc. is not associated in any way with this attack\r\nThe attacker spoofs chemical manufacturers and import/export businesses to make the phishing message appear\r\nmore legitimate. Area 1 Security’s research shows that the attacker continually revises their phishing messages by\r\nperiodically spoofing different companies in an effort to evade detection. For the example phish above, the\r\nattacker spoofed Transchem Inc., a legitimate chemical supplier. 
With previously spoofed companies, the attacker\r\nincluded the real email address of the purported sender in the signature block; however, in this latest campaign,\r\nthey remove it to reduce the chances of being detected.\r\nTo achieve the greatest success in reaching the most inboxes, the attacker uses a dynamic approach to stay one\r\nstep ahead of common email security defenses:\r\nWith each wave of the campaign, the attacker rotates to a new IP address in a likely attempt to bypass\r\nfilters that only deny based on known sources of malicious activity;\r\nFurthermore, the malware in the attachment is continually modified in order to change its hash; and\r\nWith a new hash value, the malware is effectively brand new — legacy detections that are configured to\r\nscan for known malicious hashes will not alert on this.\r\nAdditionally, due to flaws in the implementation and configuration of email authentication protocols, such as\r\nDMARC, SPF and DKIM, the attacker is able to successfully spoof the legitimate sender domains of numerous\r\ncompanies. This demonstrates that the complexity and nuances involved in setting up these protocols can leave\r\nyou open to attack, and, even when implemented properly, are not enough to protect you from the dynamic\r\nphishing attacks that plague companies and individuals.\r\nAfter bypassing a well-known email gateway and DMARC controls, the only defense left is for the email recipient\r\nto recognize this email as a phish. 
However, the attacker goes to great lengths to present an authentic façade.\r\nThey:\r\nImpersonate real employees at various companies to fool unsuspecting targets into downloading purported\r\ninformation on the production of face masks and forehead thermometers;\r\nInclude the legitimate logo of the spoofed company, as well as accurate mailing and contact details; and\r\nInclude the URL in the email’s signature block also leading to the legitimate website of the impersonated\r\ncompany.\r\nThe attacker is clearly going the extra mile to ensure this spoof will appear as authentic as possible for\r\nunsuspecting targets.\r\nOnce the email is delivered, recipients are a mere two steps away from executing the Agent Tesla RAT. The target\r\nonly needs to extract the compressed attachment, then click on the resulting “PDF”, which will launch the\r\nmalware.\r\nTo further reduce suspicion, the attachment’s file name is manipulated to make it appear legitimate. More\r\nspecifically, the attacker always names the attached file “Supplier-Face Mask Forehead Thermometer.pdf.gz”. The\r\nuse of a double extension will often trick targets into thinking the file is a PDF, when in fact it’s a compressed\r\nexecutable. This ruse is made possible by the fact that many modern operating systems do not display the file\r\nextension (in this case “.gz”) for known extensions by default.\r\nOnce downloaded, victims may only see “Supplier-Face Mask Forehead Thermometer.pdf”, which is the actual\r\nfile name. To make matters worse, some legacy vendors inspect an attachment’s extension rather than the file\r\nproperties themselves, thus allowing compressed executables to bypass rule filtering that is based on file extension.\r\nAnalysis of Executable\r\nThe attachment is the focal point of this face mask-themed campaign. 
In order to carry out its information stealing\r\ncapabilities, this infected attachment requires the target to take action by unzipping and clicking on the resulting\r\nfile, “Supplier-Face Mask Forehead Thermometer.pdf.exe”. If this file is opened, the victim host will be infected\r\nwith Agent Tesla, a form of Malware-As-A-Service (MaaS), which provides attackers with a dashboard and user\r\ninterface (UI) to monitor the success of their campaign. Agent Tesla is an advanced RAT that functions as a\r\nkeylogger and information stealer, and its primary delivery method is via attachments in phishing emails.\r\nWhat is Agent Tesla?\r\nAlthough Agent Tesla first surfaced in 2014, it is making a resurgence as the preferred MaaS for attackers,\r\nsuperseding even TrickBot and Emotet. The main advantage of Agent Tesla is its ability to adapt and change to\r\navoid detection, providing attackers with a stealthy platform to launch attacks and bypass security measures.\r\nVarious tiers are available for purchase that provide additional licenses and different functionality. However, in\r\ntypical internet fashion, there is a torrent available on Russian websites.\r\nFor the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on\r\ncommon Windows devices. This file is a trojan, appearing as a benign application but containing hidden,\r\nmalicious functionality. This initial phase determines if it is in a malware analysis environment so the program can\r\ndecide whether to proceed with the attack or go to sleep.\r\nIf the malware detects it is in a target’s device, it will make a connection to the attacker’s command and control\r\n(C2) server located at us2[.]smtp[.]mailhostbox[.]com. 
This initial connection does not contain any information;\r\nrather, it is only an attempt to provide the attacker with confirmation that the malware successfully ran on the\r\ntarget device.\r\nThe malware contains functionality to read the data within a victim’s AppData folder, which contains browser\r\ncredentials and credentials from email clients. The malware will attempt to load missing DLLs and download\r\nadditional files in order to exfiltrate stolen information from the AppData folder. This data is sent to the C2 via\r\nSMTP as seen in packet capture below. This is a common tactic for exfiltration, given outgoing emails containing\r\nsensitive information are not likely to be marked as suspicious unless Data Loss Prevention (DLP) software is\r\nconfigured. The exfiltrated victim information is then available to the attacker via the Agent Tesla UI for use in\r\nfuture attacks.\r\nWith each new wave of this phishing campaign, the malware is updated by using a number of advanced\r\nobfuscation techniques to avoid detection by antivirus software:\r\nFirstly, the attacker generates a new hash for the attached file in order to circumvent defenses that leverage\r\ndatabases of known malware files. This is done in part by generating executables written for the .NET\r\nframework and constantly recompiling with alternative feature sets.\r\nSecondly, a number of anti-debugging methods are employed to halt any reverse engineering. These\r\nmethods check if a debugger is present, as well as hiding threads and breakpoints from debugging tools.\r\nRecommendations\r\nIf you think your device may have been compromised by malware, it’s imperative to run a full scan of your\r\nsystem to check for signs of infection. 
It’s also vital to keep your software and OS secure by installing the latest\r\nupdates on a routine basis in order to reduce exposure to this “Face Mask Supplier” phishing campaign.\r\nIt is not enough to rely on email gateways, cloud email suites and traditional AV to protect against these\r\ntypes of attacks, as the threat actor is continually evolving and finding new ways to leverage commodity\r\nmalware like Agent Tesla.\r\nAs attackers often rely on the end user to download and install malicious executables, it is also vital that\r\nemployees are aware of common tactics an attacker may use to trick targets into opening malicious files.\r\nUnsolicited emails from unknown companies should be regarded as guilty until proven otherwise and reported to\r\nthe security team. Additionally, any attachments containing compressed files should be handled with extreme\r\ncaution, and any executable files should not be opened. These extra verifications are just a small precaution but go\r\na long way toward ensuring the safety and security of your organization.\r\nWith each wave of the campaign, the malicious files and attacker infrastructure are altered to evade detection.\r\nFortunately, Area 1 Security’s comprehensive protection detects and blocks Agent Tesla-based phishing attacks\r\nand other targeted campaigns before they can cause any damage.\r\nArea 1 Security’s advanced Machine Learning and Artificial Intelligence technology allows our algorithms to\r\nuncover new tactics malicious actors are using to bypass legacy vendors and cloud email providers in real time\r\nversus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable\r\nverdicts that stop phishing attempts at delivery time. 
This has many advantages over post-delivery retraction in\r\nthat the user is never exposed to the attack.\r\nIndicators of Compromise\r\nAttachment: Supplier-Face Mask Forehead Thermometer.pdf.gz:\r\nMD5: fdfaaf9efb8507262ee9b97324bbb69a\r\nSHA1: 846da85a2f2e6e79ebc7ed84b00ed97af513c80f\r\nSHA256: b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e\r\nExecutable: Supplier-Face Mask Forehead Thermometer.pdf.exe\r\nMD5: 64bc654373549584f7e596de24e1d8cc\r\nSHA1: 6a39bd3ddaa2c9846e2a4912a80fd718eaee622f\r\nSHA256: 53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b\r\nCommand and Control Server:\r\nus2[.]smtp[.]mailhostbox[.]com\r\nSender IP Addresses:\r\n209[.]58[.]149[.]65\r\n203[.]188[.]252[.]14\r\n185[.]66[.]40[.]36\r\n50[.]28[.]40[.]153\r\n62[.]210[.]83[.]136\r\n72[.]32[.]232[.]136\r\n95[.]216[.]16[.]146\r\n209[.]58[.]149[.]66\r\n89[.]33[.]246[.]113\r\n178[.]239[.]161[.]164\r\n156[.]96[.]47[.]65\r\n209[.]58[.]149[.]69\r\n95[.]211[.]208[.]50\r\n209[.]58[.]149[.]87\r\n37[.]48[.]85[.]232\r\n208[.]91[.]199[.]224\r\nSource: https://www.area1security.com/blog/facemask-phishing-agent-tesla-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.area1security.com/blog/facemask-phishing-agent-tesla-malware/"
	],
	"report_names": [
		"facemask-phishing-agent-tesla-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ed4195fd6ff086328a2cba38145359ddc65bafd.pdf",
		"text": "https://archive.orkl.eu/2ed4195fd6ff086328a2cba38145359ddc65bafd.txt",
		"img": "https://archive.orkl.eu/2ed4195fd6ff086328a2cba38145359ddc65bafd.jpg"
	}
}