{
	"id": "7d944744-67b0-4796-83e9-d2a9c1ea30c2",
	"created_at": "2026-04-09T02:22:34.441543Z",
	"updated_at": "2026-04-10T13:11:55.951671Z",
	"deleted_at": null,
	"sha1_hash": "6ec64e9d2d1475acae5a81bde98982c9bf712819",
	"title": "Agent Tesla Targeting United States \u0026 Australia: Revealing the Attackers’ Identities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148711,
	"plain_text": "Agent Tesla Targeting United States \u0026 Australia: Revealing the\r\nAttackers’ Identities\r\nBy ramanl\r\nPublished: 2024-04-02 · Archived: 2026-04-09 02:00:15 UTC\r\nResearch by: Antonis Terefos, Raman Ladutska\r\nPart I from the series E-Crime \u0026 Punishment\r\nIntroduction\r\nWhen considering a notoriously famous topic known for quite a long time, it may feel like there is nothing new to\r\nadd to this area anymore – all paths traced, all words said, all “i”s dotted. Is it worth an investigation to begin\r\nwith? As it turns out, there are new discoveries with previously hidden information of valuable significance that\r\ncan be built into the already-painted picture.\r\nIn this research series conducted by Check Point Research (CPR), the Agent Tesla malware acts as the master\r\nvillain. It is an example of an advanced remote access trojan (RAT) specializing in the theft and infiltration of\r\nsensitive information from infected machines. This malware can collect various types of data, including\r\nkeystrokes and login credentials used in browsers (such as Google Chrome and Mozilla Firefox) and email clients\r\nused on infected machines. Agent Tesla is a malware family with a rich and infamous history in the cyber\r\nlandscape: it has been repeatedly included in the monthly reports of top 10 prevalent malware families since 2020.\r\nA Deadly Agent (Tesla)\r\nCheck Point Research uncovered a recent malware campaign of Agent Tesla operation aimed against American\r\nand Australian organizations. On the 7th of November 2023, an Agent Tesla campaign started against Australian\r\norganizations, and the same actor performed another campaign targeting mainly Australian entities. Phishing\r\ncampaigns mainly target organization email credentials to access entities and perform further campaigns but with\r\nthe next goal, to execute the malware samples of Agent Tesla. In this case, the attack base constituted 62,000\r\nemails. 
Two subsequent spam campaigns were launched on the 8th and 30th of November.\r\nAfter further investigation, CPR tracked down the activity of two cyber-crime actors behind Agent Tesla operations, with evidence that they are connected with each other:\r\nBignosa (main threat actor)\r\nGods\r\nThe main actor appears to be part of a group operating malware and phishing campaigns, targeting organizations, as testified by the US and Australian business email databases, as well as individuals. Apart from campaigns originating from victim companies, the group maintains a large number of servers, which are used either for RDP connections or for malware campaigns using Roundcube – separate machines are used for consecutive steps in the cyber-operations.\r\nhttps://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/\r\nPage 1 of 31\r\nThe malicious campaigns were all conducted in the same manner. The spam emails are prepared by abusing a formal mail form on the topic of purchasing goods and order delivery, socially engineered in a way that increases the probability of the victim clicking the button and initiating the infection chain.\r\nUpon clicking on the email, the Agent Tesla sample protected by the Cassandra Protector is downloaded to the victim’s machine and executed. The Cassandra Protector is designed to work exclusively with .NET samples and introduces various features: anti-AV and anti-emulation tricks or signing the resulting file with a certificate – to name a few.
We will describe this protector in more detail in the section dedicated to the “Bignosa” actor.\r\nBelow, we present the details of the investigation, reveal clues that allowed us to draw connections between various pieces of information, break down the steps and timeframes of the malicious campaigns, link the actors with each other, and uncover their identities.\r\nCampaigns\r\nThe malware campaigns were meticulously prepared, rather than simply initiating the spam with a single click. The diagram below shows the times of the preparation and execution steps:\r\nImage 1 – Activity of the “Bignosa” threat actor shown on the timeline\r\nPhishing texts used in these campaigns appear to be taken from the following sites:\r\nhttps://www.dailylifedocs.com/sales-letter-samples.html\r\nhttps://www.writeexpress.com/\r\nMalware campaigns 7-8th of November\r\nOn the 7th of November, the main threat actor “Bignosa” launched a malware campaign targeting more than 11,000 Australian companies. The actor possesses email databases focused on different attack targets, and for this campaign, Australian recipients were chosen:\r\nUS Businesses (”USA Database 2.txt”)\r\nAU Businesses (”AU B2B Lead.txt”/”Australia Mail list.doc”)\r\nEducational (”Edu Email.txt”)\r\nThe campaign was performed by “Bignosa” using the email support@chserver.top with an attachment PDF.IMG, which is a disguised Agent Tesla sample protected with the Cassandra Protector.\r\nImage 2 – Malware campaign targeting AU 7th of November\r\nThe server chserver.top (172.81.60.206) belongs to the actor; he installed Plesk and Roundcube on it on the previous day at 19:57:46 to perform the campaign. “Bignosa” connected to it via SSH using an IP address from Kenya, 41.90.185.44.
The actor used RDP to connect to the machine 91.215.152.7, logged in to Webmail, and launched the spam campaign.\r\nImage 3 – RDP connection to 91.215.152.7 to connect to the mail server\r\nThe principal scheme of this operation is shown in the diagram below:\r\nImage 4 – Attack scheme for these two campaigns\r\nMalware campaign 29-30th of November\r\nOn the 29th of November, the threat actor, coming from 41.90.177.10, connected via SSH to 192.236.236.35 and installed Plesk \u0026 Roundcube once again. Using his Bulgarian RDP connection, 91.215.152.7, he created an email address and logged into Webmail. Around 16:00, the machine was ready for the campaign.\r\nImage 5 – Test email after installation\r\nOn the 30th of November, “Bignosa” executed the campaign targeting multiple organizations in Australia and the United States. The file attachment was once again an Agent Tesla sample with the same C\u0026C as the campaign earlier in the month.\r\nImage 6 – Malspam text and attachment\r\nThe principal scheme of this operation is shown in the diagram below:\r\nImage 7 – Attack scheme for this campaign\r\nThe schemes are similar in both campaigns except for the addresses of the server where Plesk and Roundcube were installed – these are the only differences between the attacks.\r\nCassandra Protector\r\nDuring both campaigns “Bignosa” used Cassandra Protector to obfuscate the samples’ initial code and later convert the executables into ISO images.
The actor has been a customer of Cassandra Protector since 24/6/2023 (with that specific email):\r\nImage 8 – “Bignosa” account details for Cassandra Protector\r\nCassandra Protector has been used to “protect” 67 samples:\r\nImage 9 – Actor’s protected samples, time, and filename – dates correlate with the campaigns’ launch time\r\nCassandra Protector supports only .NET samples and provides various functionalities such as (as described on the sales site):\r\n1. Injection method.\r\n2. Persistence method.\r\n3. Anti-Virus \u0026 Emulation.\r\n4. Delaying execution.\r\n5. Signing protected with a Certificate.\r\n6. Icon Change.\r\n7. Pop-up message box with custom text.\r\n8. Custom Assembly features.\r\n9. Create and execute downloader.\r\n10. Protection options.\r\nImage 10 – Cassandra Protector options\r\nCassandra Protector allows the end user to choose a file to be downloaded and/or executed after launch, lets them configure the sleep time before continuing execution, and lets them choose a fake message box to be shown.\r\nUnder the hood, the Protector has the capability of adding itself to the Defender exclusions via the PowerShell command Add-MpPreference -ExclusionPath. It can copy itself to the “AppData” folder, set the file as hidden/system, and set a new ACL (Access Control List).
For persistence, Cassandra Protector adds the file to Scheduled Tasks.\r\nThe injection option is also configurable: it can be either PE hollowing or .NET reflection into itself:\r\nImage 11 – Cassandra Protector “Injection Persistence” options\r\nOnce the sample was “protected”, the actor used ISO Burner to convert the .NET executable into an ISO file with the “.img” extension and attached the resulting file to spam emails.\r\nThreat actors\r\nWe have covered the technical aspects of the campaigns; now we will examine the profiles of the threat actors linked to these campaigns, starting with the main one – “Bignosa.”\r\nFirst Threat Actor – Bignosa\r\nThe Threat Actor “Bignosa” was behind the described campaigns. “Bignosa” appears to have been using Agent Tesla for quite a while and to have performed phishing attacks in the past as well.\r\nThis actor uses another alias as well as a name which gives an indication of where he is originally from. The nickname that was also observed was Nosakhare, which is of Nigerian origin and means “What God says will be/is destiny”.\r\nThe further profile description is tightly connected with the other Threat Actor, who appears to be assisting “Bignosa” in allegedly taking his first steps into the malware world, in the role of a seemingly more experienced one.
The nickname of the other Threat Actor is “Gods.” A vivid example of the interaction between the two is shown in the Skype excerpt where “Bignosa” gets advice from “Gods” (live:.cid.1b6f75099c70b269) regarding which malspam text to use for the campaign.\r\nImage 12 – “Gods” provides a text to be used in the malicious campaign to “Bignosa”\r\nThe actors have been observed to communicate via Jabber – a service for instant messaging via an open protocol used since 1999 – where, in multiple instances, “Bignosa” wasn’t able to clean his machine of the Agent Tesla test infections and provided TeamViewer access to “Gods” for assistance in cleaning up the machine.\r\nImage 13 – Bignosa \u0026 Gods Jabber conversations\r\nThe following screenshot shows how “Gods” connected via TeamViewer to the “Bignosa” machine to remove the Agent Tesla infection:\r\nImage 14 – “Gods” in the process of removing the Agent Tesla test infection from the “AppData” folder\r\nInitially, we considered the collaboration between “Bignosa” and “Gods” to be solely in the form of a “student-mentor” relationship. However, later findings suggest a closer collaboration between the two actors and show evidence of them operating as a group.
We will get back to this after we take a closer look at the profile of the “Gods” threat actor in the next section.\r\nWe summarize the information mapped to the activities of “Bignosa” in the diagram below:\r\nImage 15 – The map of traces linked to “Bignosa”\r\nBased on the name “Nosakhare” that was used by the threat actor, the “NG” acronym in Skype, Kenyan traces in the malicious campaigns, and several other clues, we can conclude that we’re dealing with a Kenyan man, Nosakhare Godson. There is a LinkedIn profile revealing the photo of this person:\r\nImage 16 – LinkedIn profile of Nosakhare Godson\r\nOther bits of interest to add to his profile come from examining his RDP desktop:\r\nImage 17 – RDP desktop with many links to examine\r\nWe can spot three other malware families on this desktop: Quasar, Warzone, and PureCrypter. Quasar and Warzone are publicly available, and Quasar is even open-sourced, so the “modified” suffix in the folder name implies that the malware code could have been edited to suit the needs of the actor. There is a tutorial in a separate file describing the usage of PureCrypter.\r\nThere are separate files with the emails of Australian and miscellaneous customers, as well as a whole folder with the USA victims. Grammarly is also part of the actor’s toolkit in his spam activities. SuperMailer is seen as (likely) a test tool, as it was not used in the malicious campaigns. The application was not bought, as evidenced by the crack for it also seen on the desktop – probably to save money whenever possible for maximum profit from malicious activities.
Another piece of evidence of piracy is the folder with the name “activator.”\r\nHaving familiarized ourselves with the main actor, it’s time to investigate the activities of the one using the “Gods” alias – the mentor of “Bignosa”.\r\nSecond Threat Actor – Gods/Kmarshal\r\nThis Threat Actor has been performing phishing attacks since March 2023 and then transitioned to malspam and malware operations around June 2023. Those phishing attacks appear to have been reporting the data to “logteam@netc.eu”:\r\nImage 18 – Phishing attacks with the email logteam@netc.eu used by “Gods” threat actor\r\nThe campaign conducted around June 2023 involved several widely used services, with the Microsoft sign-in form as one of the vivid examples:\r\nImage 19 – The phishing page and the code behind it\r\nOn the 15th of August, “Gods” appears to have performed a malware campaign, connecting via RDP to the VDS server 79.110.48.6 and then to Webmail. This campaign targeted a mix of Australian and UK companies using “Agent Tesla” as well.\r\nThis actor uses two nicknames more frequently than the others – “Gods” and “Kmarshal” – as present in the threat actor’s Jabber account:\r\nImage 20 – “Gods” and “Kmarshal” in one Jabber account\r\nThis fact could suggest that there are at least two persons behind this threat actor. However, later findings proved that all the nicknames belonged to one person.
Let us see the clues we have gathered regarding this threat actor.\r\nWe identified that two machines related to “Gods” had usernames with the prefixes “km” and “KM”:\r\nImage 21 – “KM” prefix in the machine name\r\nOne of the machines has the name “KM-MacBook-Pro”. He is part of a chat group in Jabber where 10 other contacts are present:\r\nWe found that the email that is used by the “Gods” threat actor – unlimitedsendertech@gmail.com – appears to be the same as the one from the YouTube channel “8 Letter Tech”:\r\nImage 23 – email address of “Gods” on the YouTube channel\r\nThis channel contains videos on setting up Roundcube and Zimbra Mail:\r\nImage 24 – “8 Letter Tech” channel on YouTube\r\nThe same email appears in one of the videos on the channel:\r\nImage 25 – The “Gods” registration email appears in the video\r\nAll of this means that the channel is directly related to the “Gods” threat actor.\r\nAlas, these facts did not help us with de-anonymizing the actor. At this point, we decided to summarize all the data bits we had about him:\r\nImage 26 – The map of traces linked to “Gods/Kmarshal”\r\nAn interesting fact is that there are a lot of Turkish IP addresses. These addresses are likely connected with the past of the actor, who must have studied at a Turkish university – as evidenced by our later findings.
The actor does not speak Turkish and uses ChatGPT via an RDP machine to translate spam messages into this language:\r\nImage 27 – ChatGPT used to translate spam messages to Turkish\r\nBefore we proceed with the de-anonymization of “Gods,” let us first investigate a close connection between “Bignosa” and “Gods,” extending beyond a “student-mentor” relationship.\r\nCollaboration between “Bignosa” and “Gods”\r\nLet us consider the following receipt, which is for a VDS paid for by “Bignosa” under one of his aliases, “Andrei Ivan”:\r\nImage 28 – Swiss VDS paid by “Bignosa”\r\nAs a side note, the same phone number as in the receipt is used for 2FA on his “work” Gmail account. What drew our interest besides this fact was the history of VDS account operations:\r\nImage 29 – History of operations for the VDS\r\nWe spotted the “sterdiffa-steel.ddndsfree.com” site that has its IP set to one used by “Gods” – 80.68.159.15:\r\nImage 30 – Dynamic DNS service used by “Gods”\r\nWe know this IP belongs to “Gods” from the fact that the email used in the DynuDNS service is the one linked to him:\r\nImage 31 – DynuDNS service account with the email used by “Gods”\r\nAlso, we spotted an administrator change.
At first, the administrator email was set to the address used by “Bignosa” – “lwork6356@gmail.com”:\r\nImage 32 – The administrator address set to the email of “Bignosa”\r\nWithin 2 days, this Plesk instance “changed” hands and came under the control of “Gods”, with his address “unlimitedsendertech@gmail.com”:\r\nImage 33 – The administrator address set to the email of “Gods”\r\nWe managed to trace their collaboration as far back as March 2023, when they performed phishing attacks targeting email credentials. The earliest indications of the use of malware in their campaigns appear to be in June 2023.\r\nFurther connections and de-anonymization via social media\r\nIn the course of the investigation, we saw relations between these attacks and the following previously unseen nicknames:\r\n1. GODINHO\r\n2. TAMEGURUS\r\nWe will focus on the second one, as it turned out to be crucial for the research.
TAMEGURUS appears to be related to Tamedevelopers according to a Google search:\r\nImage 34 – “Tamegurus” tag encountered in the TikTok account\r\nOnly one video on the TikTok network has this tag, and in this video, the author speaks about an ongoing web project for the actor’s legitimate job in relation to Chinese customers:\r\nImage 35 – “Tamegurus” tag in the video related to Chinese customers\r\nIt’s important to state that this activity is not related to the malicious one; on the contrary, it is part of his legitimate job, a web-design project related to China, which is how we see this connection.\r\nOn another social media network, Instagram, we find the account of “tamedevelopers”, who is a Web Designer from Nigeria somehow connected to Turkey:\r\nImage 36 – “Tamedevelopers” account on Instagram\r\nFrom earlier on, we saw that a lot of Turkish IP addresses were connected to “Gods”.
@Tamedevelopers’ account on the social network Fiverr, where he goes by his name Fredrick Peter, provides the clue to such a connection: he studied at a Turkish university, and the threat actor “Gods” probably studied there as well:\r\nImage 37 – “Tamedevelopers” account on Fiverr\r\n@Tamedevelopers is followed by another Instagram account, @8LetterStudio (remember that “8 Letter Tech” is the YouTube channel), where a post mentioning him was made:\r\nImage 38 – Post by “8LetterStudio” mentioning “Tamedevelopers”\r\n@8letterstudio, in turn, is followed by another known name – @king_kmarshal (King KM), which is frequently used by “Gods”:\r\nImage 39 – “king_kmarshal” following “8LetterStudio”\r\nWe feel like we are on the right track, as many details are starting to link together. The next step is to search for “8 Letter Studio” on other social media, for example, Facebook:\r\nImage 40 – “8LetterStudio” page on Facebook\r\nWe see the connection to Chinese customers right in the top post on the page, just what we started with when we encountered the “Tamedevelopers” account on TikTok.
As we mentioned previously, this part is probably related to his legitimate job – a web-design project related to customers from Hong Kong.\r\nOn this page, we see that in 2015 it was created under a different name:\r\nImage 41 – “Kmbrand Design” is the former name for “8 Letter Studio”\r\nSearching for the name “Kmbrand Design”, we encounter the page on the Fiverr network:\r\nImage 42 – “kmbranddesign” in the Fiverr network\r\nHe states that his knowledge of Turkish is basic, which explains the usage of ChatGPT for translation:\r\nImage 43 – Language knowledge of Kingsley F\r\nThe videos on his page are the same as on the YouTube channel “8 Letter Tech”. At one point, the email unlimitedsendertech@gmail.com – used by “Gods” – is seen in the video:\r\nImage 44 – Email used by “Gods” in the video by Kingsley F\r\nNow things are really getting hot. We almost know the name of “Gods”. A further search leads to the page on the Behance network (which uses the same profile photo as on the Fiverr network), which explains the relationship between “tamedevelopers” and “Gods” – he must be part of the web-designers team:\r\nImage 45 – The profile of Kingsley Fredrick on Behance network\r\nThis page also reveals the name of the man behind the “Gods” alias – Kingsley Fredrick. Yet another cross-link connection to the beginning of the de-anonymizing research is the Instagram profile of this man following “tamedevelopers”:\r\nImage 46 – The profile of Kingsley Fredrick on Instagram network\r\nRecent Activity, 6th March\r\nThe story of the described threat actors is not yet finished; on the contrary, it’s just getting started.
We have spotted them launching a phishing campaign in December 2023 and January 2024. On the 6th of March 2024, one of the organizations that was mimicked during this attack is Furman University in South Carolina:\r\nImage 47 – The phishing page and the code behind it\r\nWe linked this campaign to the “GODINHO” alias (remember the start of the de-anonymization process for “Gods”), which appears to be yet another skin for the “Gods” actor. Several HTML pages used in this attack are uploaded to VT with the following hashes:\r\n8ba55cc754638714764780542eefd629c55703ecf63ae20d5eb65b8c14d3e645\r\n87709f72683c5ffc166f348212b37aadb7943b5653419f2f0edf694fb50f1878\r\n691761d401a6650872d724c30b7ef5972e3792e9a2ba88fdca98b4312fb318d8\r\nWe can surmise that legitimate activity like web design is not enough: when it comes to making profits, any means of additional income, even those not so innocent in nature, will suffice for the cyber-crime actors – be it malware usage or classical phishing. We continue to monitor the ongoing activities of evil-oriented minds and are actively collaborating with the legal authorities to stop this group and other threats.\r\nConclusion\r\nAs seen from the description of these threat actors’ actions, no rocket science degree is required to conduct the cyber-crime operations behind one of the most prevalent malware families of the last several years. It’s an unfortunate course of events caused by the low entry threshold, so that anyone willing to provoke victims into launching the malware via spam campaigns can do so.\r\nThere is an upside to this though: multiple traces left by the cyber-crime actors allowed us to pinpoint them, re-create their actions, and get a peek into their daily activities.
There are occasional data pieces on the web: seemingly tiny and unimportant pieces of data can add up to the big picture and reveal the truths that usually prefer to remain hidden. In this case, these pieces allowed us to reveal the identities of cyber-crime actors from Africa, re-create the steps and timeframes in which the main actor conducted his malicious campaigns, understand the pattern, and provide protection against these and future attacks. The power of social media blossomed in all its beauty to help us in the chase.\r\nCPR managed to predict and prevent ongoing as well as future campaigns targeting our customers. As a note of importance, we have worked closely with law enforcement on this investigation. The research about Agent Tesla will continue in the 2nd part of the series; stay tuned for the updates!\r\nRecommendations\r\nThis research highlights the importance of vigilance in cybersecurity.
The identification of these threat actors was made possible through meticulous analysis of digital footprints, demonstrating the power of digital forensics.\r\nTo mitigate the risks of being affected by such threats, it is essential to:\r\n– Keep operating systems and applications updated, through timely patches and other means.\r\n– Be cautious of unexpected emails with links, especially from unknown senders.\r\n– Enhance cybersecurity awareness among employees.\r\n– Consult security specialists for any doubts or uncertainties.\r\nProtections\r\nCheck Point customers remain protected against the threat described in this research.\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file-types, and operating systems and protect against the type of attacks and threats described in this report.\r\nSpyware.Win32.Tesla.TC.*\r\nAgentTesla.TC.*\r\nIOCs\r\nSource: https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/"
	],
	"report_names": [
		"agent-tesla-targeting-united-states-and-australia"
	],
	"threat_actors": [
		{
			"id": "733eb70c-e636-4d55-be1d-6ff0f7084027",
			"created_at": "2024-04-19T02:00:03.619798Z",
			"updated_at": "2026-04-10T02:00:03.613351Z",
			"deleted_at": null,
			"main_name": "Bignosa",
			"aliases": [],
			"source_name": "MISPGALAXY:Bignosa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775701354,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ec64e9d2d1475acae5a81bde98982c9bf712819.pdf",
		"text": "https://archive.orkl.eu/6ec64e9d2d1475acae5a81bde98982c9bf712819.txt",
		"img": "https://archive.orkl.eu/6ec64e9d2d1475acae5a81bde98982c9bf712819.jpg"
	}
}