{
	"id": "36abc4ab-2ae2-4007-b5ae-1f3456dabe2c",
	"created_at": "2026-04-06T00:11:07.765228Z",
	"updated_at": "2026-04-10T03:29:51.199415Z",
	"deleted_at": null,
	"sha1_hash": "71748eadbc23ff93d77c058c85954900a77ca037",
	"title": "SWEED: Exposing years of Agent Tesla campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4979001,
	"plain_text": "SWEED: Exposing years of Agent Tesla campaigns\r\nBy Edmund Brumaghin\r\nPublished: 2019-07-15 · Archived: 2026-04-05 14:58:55 UTC\r\nMonday, July 15, 2019 11:04\r\nBy Edmund Brumaghin and other Cisco Talos researchers.\r\nExecutive summary\r\nCisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor\r\nwe're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our\r\nresearch, SWEED — which has been operating since at least 2017 — primarily targets its victims with stealers\r\nand remote access trojans.\r\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious\r\nattachments. While these campaigns have featured a myriad of different types of malicious documents, the actor\r\nprimarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been\r\naround since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen\r\nin the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each\r\ncampaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures\r\n(TTPs).\r\n2017: Steganography\r\nOne of the earliest SWEED campaigns Talos identified dates back to 2017. In this attack, the actors placed\r\ndroppers inside of ZIP archives, and then attached those ZIPs to emails. The attachments usually had file names\r\nhttps://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html\r\nPage 1 of 22\n\nsimilar to \"Java_Updater.zip\" or \"P-O of Jun2017.zip\". Here's an example of an email associated with this\r\ncampaign:\r\nThe attached ZIP archive contained a packed version of Agent Tesla. The packer uses .NET and leverages\r\nsteganography to hide and decode a second .NET executable, which uses the same technique to retrieve the final\r\nAgent Tesla payload. Here's the file stored in the resource:\r\nAnd here's the algorithm used to decode the PE stored in that image:\r\nThe decoded binary is stored in the array.\r\nJanuary 2018: Java droppers\r\nIn early 2018, we observed that SWEED began leveraging Java-based droppers. Similar to previous campaigns,\r\nthe JAR was directly attached to emails and used file names such as \"Order_2018.jar\". The purpose of the JAR\r\nwas to obtain information about the infected system and facilitate the download of a packed version of Agent\r\nTesla. Interestingly, only a few months prior to these campaigns, a HackForums user with the account name\r\n\"Sweed\" actively sought out a Java crypter — but we'll get to that activity later.\r\nApril 2018: Office exploit (CVE-2017-8759)\r\nIn April 2018, SWEED began making use of a previously disclosed Office exploit. One of the documents featured\r\nin these email campaigns was notable because it was a PowerPoint document (PPSX). Code contained inside one\r\nof the slides triggers an exploit for CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET\r\nFramework.\r\nYou can see the execution of external content hosted on the attacker-controlled web server using the file name\r\n\"chuks.png\". As expected, the PNG is not actually an image. Instead, it is a SOAP definition in XML, as seen in the\r\nscreenshot below:\r\nThe purpose of this code is to decode a URL and download a PE32 hosted on an attacker-controlled web server.\r\nThe resulting executable is a packed version of Agent Tesla.\r\nMay 2018: Office exploit (CVE-2017-11882)\r\nIn May 2018, campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office:\r\nCVE-2017-11882, a remote code execution bug in Microsoft Office that is commonly observed being leveraged in\r\nmalicious documents used in commodity malware distribution.\r\nWe see how the vulnerability abuses the Equation Editor in Office when executing the sample in ThreatGrid:\r\nAs seen below, the malicious document is designed to appear as if it is an invoice.\r\nConsistent with previous campaigns, the purpose of this malicious document is to download and execute a\r\npacked version of Agent Tesla.\r\n2019: Office macros and AutoIT droppers\r\nBeginning in 2019, the campaigns associated with SWEED began leveraging malicious Office macros. As with\r\nprevious attacks, they are leveraging spear-phishing emails and malicious attachments to initiate the infection\r\nprocess.\r\nThe attached XLS contains an obfuscated VBA macro, which executes a PowerShell script using a WMI call. The\r\nPowerShell script is also obfuscated using XOR operations to hide its code. Once decoded, it reveals itself to be\r\n.NET.\r\nThis .NET code is responsible for performing some checks and downloading another executable file. The\r\nobfuscation scheme used in this code is the same as the one used in the previously described PowerShell. The\r\ndownloaded file is then saved and executed.\r\nCall graph after WMI execution.\r\nThe downloaded binary is an AutoIT-compiled script. The script has a lot of junk code designed to make the\r\nanalysis more difficult and time-consuming.\r\nExtracted AutoIT script.\r\nThe strings and some of the commands contained in the AutoIT script have been obfuscated using XOR\r\noperations, as described below.\r\nThe decoder receives two hex strings: the first is the string to deobfuscate, while the second determines the\r\nnumber of rounds of the XOR operation. The XOR operation is performed on each character against the length of\r\nthe second parameter. This operation is then repeated for as many times as the length with the length and the\r\nposition. If the length value is one, then the operation is repeated twice using the same key, which leads to a\r\nplaintext hex string.\r\nAfter performing environment checks, the malware will reconstruct the assembly code which is obfuscated in a\r\nhex string. Using the AutoIT scripting language's Dll* family of functions, the code is loaded into the current process\r\naddress space.\r\nMemory allocation\r\nFinally, the malware executes the assembly code with two arguments. The first argument is the path for an\r\nexecutable. This assembly will create a process with the executable and will inject the payload into this process.\r\nAs expected, the final payload in this campaign is another packed version of Agent Tesla.\r\nUAC bypass\r\nOne of the common characteristics with several of the campaigns associated with SWEED is the use of various\r\ntechniques to bypass User Account Control (UAC) on infected systems. An example of this is present within the\r\ncampaigns observed in 2019. When the malware is first executed on systems, it executes \"fodhelper.exe\", which is\r\na Windows process running as high integrity. Prior to executing it, the malware sets the following registry key:\r\nHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\r\nThis registry key points to the location of the malicious executable:\r\nThis key is used by \"fodhelper.exe\" and its value is executed as administrator whenever fodhelper.exe is executed.\r\nThis functionality simply allows for the malware to bypass UAC and is not a privilege escalation vulnerability —\r\nthe user must already have administrative access rights on the system. It is used to avoid displaying a UAC\r\nprompt to the user. This second instance of the malware is then executed with administrative access to the infected\r\nsystem.\r\nSWEED infrastructure\r\nThe various distribution campaigns linked to SWEED feature use of a limited amount of distribution and C2\r\ninfrastructure with the same servers used across many different campaigns over long periods of time. The majority\r\nof the registrants associated with the domains used by SWEED list the following email addresses:\r\naaras480@gmail[.]com\r\nsweed.[redacted]@gmail[.]com\r\nThe registrant contact information used to register most of the domains is also consistent:\r\nIn April 2018, a security researcher published a screenshot of an RDP server believed to have been actively\r\nleveraged by SWEED (84.38.134[.]121):\r\nIn the screenshot above, the list of user accounts established on the RDP server can be seen, which includes an\r\naccount named \"sweed.\" The fact that multiple users are currently active indicates that this server is being used in\r\na multi-user capacity and provides a platform on which members of SWEED can function collaboratively. This\r\nalso likely indicates a business relationship between multiple individuals responsible for these ongoing malware\r\ndistribution campaigns.\r\nWe also identified several DDNS domains which were being used to facilitate connectivity to the shared RDP\r\nserver that feature many of the same values as the RDP user accounts:\r\nsweedoffice[.]duckdns[.]org\r\nsweedoffice-olamide[.]duckdns[.]org\r\nsweedoffice-chuks[.]duckdns[.]org\r\nwww.sweedoffice-kc.duckdns[.]org\r\nsweedoffice-kc.duckdns[.]org\r\nsweedoffice-goodman.duckdns[.]org\r\nsweedoffice-bosskobi.duckdns[.]org\r\nwww.sweedoffice-olamide.duckdns[.]org\r\nwww.sweedoffice-chuks.duckdns[.]org\r\nDuring our analysis of various campaigns associated with SWEED, we identified several common elements that\r\nalso reflect the distinct values associated with users of the RDP server. In many cases, the distribution servers\r\nbeing used to host the malicious PE32 binaries being distributed by SWEED contained a directory structure consisting of\r\nmultiple directories containing the binaries being distributed. In many cases, the binary file names used, as well as\r\nthe directory names used to host the malicious content, reflected the same users present on the RDP server.\r\nFor example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:\r\nhxxp://aelna[.]com/file/chuks.exe\r\nhxxp://aelna[.]com/file/sweed.exe\r\nhxxp://aelna[.]com/file/duke.exe\r\nLikewise, when investigating samples associated with known domains used to exfiltrate sensitive information\r\nfrom infected systems, we can see the following binary file names being used repeatedly across campaigns over a\r\nlong period of time:\r\ndadi.exe\r\nkelly.exe\r\nchuks.exe\r\nolamide.exe\r\nsweed.exe\r\nkc.exe\r\nhero.exe\r\ngoodman.exe\r\nduke.exe\r\nhipkid.exe\r\nIn several cases, the directory structure present on the distribution servers contained multiple directories hosting\r\nmalicious files, an example listing below using the domain sodismodisfrance[.]cf:\r\nsodimodisfrance[.]cf/2/chuks.exe\r\nsodimodisfrance[.]cf/6/chuks.exe\r\nsodimodisfrance[.]cf/5/goodman.exe\r\nsodimodisfrance[.]cf/1/chuks.exe\r\nsodimodisfrance[.]cf/1/hipkid.exe\r\nsodimodisfrance[.]cf/5/sweed.exe\r\nsodimodisfrance[.]cf/2/duke.boys.exe\r\nThese appear to match the handles used by actors known to be associated with SWEED. Another known domain\r\nused to exfiltrate sensitive information collected by Agent Tesla is sweeddehacklord[.]us. Analysis of known\r\nmalware seen communicating with this domain shows similar patterns of operations.\r\nIn analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the\r\nhosting of the administration panels associated with the various RATs and stealers being distributed by this group.\r\nIndeed, on a single C2 server, we identified several panels with the following URLs:\r\nsweed-office.comie[.]ru/goodman/panel\r\nsweed-office.comie[.]ru/kc/panel/\r\nwlttraco[.]com/sweed-office/omee/panel/login.php\r\nwlttraco[.]com/sweed-client/humble1/panel/post.php\r\nwlttraco[.]com/sweed-client/sima/panel/post.php\r\nwlttraco[.]com/sweed-office/omee/panel/post.php\r\nwlttraco[.]com/sweed-office/kc/panel/post.php\r\nwlttraco[.]com/sweed-office/olamide/panel/post.php\r\nwlttraco[.]com/sweed-office/jamil/panel/post.php\r\nwlttraco[.]com/sweed-client/niggab/panel/post.php\r\nwlttraco[.]com/sweed-client/humble2/panel/post.php\r\nwlttraco[.]com/sweed-office/harry/panel/post.php\r\nBased on our research, as well as the panel-hosting locations, we believe that wiki, olamide, chuks, kc, goodman,\r\nbosskobi, dadi, hipkid, and others are SWEED customers or business associates. Using the binary file names,\r\ndirectory structures, and other artifacts, we have been able to identify interesting online behavior and interests\r\nexhibited across various hacking forums, IRC servers, etc. that appear to link some of these users with various\r\nelements of the malware distribution campaigns.\r\nThere are several other domains that can be linked to SWEED that appear to be associated with various malware\r\nfamilies and distribution campaigns. These have been observed to resolve to the IP associated with the\r\naforementioned RDP server, as well.\r\nsweeddehacklord[.]us\r\nsweed-office.comie[.]ru\r\nsweed-viki[.]ru\r\nUse of typosquatting\r\nAnother interesting element of many of the campaigns associated with SWEED is the use of typosquatting for the\r\ndomains used to host the packed Agent Tesla binaries that have been distributed over the past few years.\r\nVictims' geographic dispersion.\r\nLooking at the victimology from a country point of view, it is clear that there is no geographic focus when\r\nchoosing targets. SWEED targets companies all over the world.\r\nBreakdown of victims' activity by industry.\r\nThe breakdown by activity, however, does show a clear tendency toward manufacturing and logistics companies.\r\nHere's a rundown of these domains, along with the companies they are supposed to look like and the industry that\r\nthe company is associated with. In some cases we were unable to determine the targeted organization from the\r\ntyposquatted domain.\r\nIn all of the domains listed above, the registrant account information associated with the domains is consistent\r\nwith what we have identified as associated with SWEED campaign activity.\r\nOperational Security (OPSEC)\r\nWe identified various behaviors on hacking forums, IRC channels, and other web sites that appeared consistent\r\nwith the TTPs we observed with the actor distributing this malware.\r\n\"SWEE D\"\r\nDuring our analysis, we identified a user on HackForums using the moniker \"SWEE D.\" In most of the online\r\nposts associated with this user, their contact information was included in the post and listed the Skype address\r\n\"sweed.[redacted]\".\r\nIn the months leading up to the January 2018 campaigns, we observed this user posting to ask for access to a Java\r\ncrypter. Typically, crypters are used to help evade antivirus detection as they \"crypt\" the contents of the malicious\r\npayload being distributed.\r\nThe same user posted repeatedly in threads related to Java crypters, and even annoyed other users with how often\r\nthey were posting:\r\nThe same Skype account listed in the HackForums posts was also used by someone using the name \"Daniel\" in\r\n2016 while commenting on a blog related to the creation of Facebook phishing pages:\r\nThis same Skype account was also used in 2015 by someone going by the name \"[redacted] Daniel.\"\r\nNote: [redacted] is also the name used in the email address associated with the registrant account for the domain\r\nwlttraco[.]com (sweed.[redacted]@gmail.com).\r\nWe also located screenshots that were published on the Twitter account .sS!.! showing the Discord server \"Agent\r\nTesla Live\" that listed sweed ([redacted] Daniel) as a member of the staff.\r\nIt is important to note that the avatar used by this Discord user (SWEE D) is the same avatar that is used by Skype\r\nuser sweed.[redacted].\r\nWe actually contacted SWEE D on Skype and were able to confirm that the same user operates the Discord and\r\nSkype accounts:\r\nDuring our interaction with SWEE D, they mentioned that they are a student studying ethical hacking and that\r\nthey work in the IT departments of various companies to help remove malware and increase their security.\r\nThis is contrary to the following activity, which was observed in an IRC transaction where a user named \"sweed\"\r\nwas submitting credit card information to a bot listening in the channel in an effort to check the validity and\r\nusability of presumably stolen credit card information.\r\nThe IRC channel appeared to be created and used solely for this purpose, with a bot named \"chkViadex24\"\r\nreturning information related to the credit card that was submitted:\r\nThis is an example demonstrating how stolen credit information is actively being used by adversaries to determine\r\nwhether or not they can monetize the information once they have stolen it from victims.\r\nIt's possible that \"SWEE D\", \"sweed\" and [redacted] Daniel may be the same person. We also identified the\r\nfollowing LinkedIn profile that listed the same name:\r\nThis account lists Nigeria as their location. \"[redacted]\" is a Nigerian novel. Many of the details we identified\r\nduring our analysis of \"sweed,\" such as information in the LinkedIn profile, the references to \"[redacted],\" the\r\nregistrant information used, and the location listed in the Skype account indicate the individual is likely located in\r\nNigeria. We believe \"sweed\" is a key member of the group and that other accounts are likely associated with\r\ncustomers or business partners.\r\nConclusion\r\nSWEED has been active for at least three years — and a user with that name has been active on various forums,\r\nIRC channels and Discord servers since at least 2015. Currently, SWEED is actively targeting small and medium-sized companies around the world. Based on the TTPs used by this group, SWEED should be considered a\r\nrelatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook,\r\nUnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. SWEED\r\nconsistently leverages packing and crypting in order to minimize detection by anti-malware solutions. We assess\r\nthat SWEED also does not have effective operational security, as they used several of the same online accounts for\r\nabout five years, allowing for the discovery of a lot of their information, operations and associates.\r\nAt this time, we cannot say with certainty whether the other accounts and associated individuals associated with\r\nSWEED are business associates or customers. However, they all use the same infrastructure in a coordinated\r\nmanner across domains, rely on the same malware and packers, and all operate very similarly. While SWEED is\r\nrelatively well-known in the security research community, this research provides insight into how these\r\ncybercriminal organizations operate and evolve over time in an effort to maximize their ability to generate revenue\r\nand evade detection. We expect SWEED to continue to operate for the foreseeable future and we will continue to\r\nmonitor their activities to ensure that customers remain protected.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs have been observed as being associated with malware campaigns conducted by this group.\r\nCampaign #1\r\nJava_Updater.zip -\u003e 59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd\r\nP-O of Jun2017.zip -\u003e e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08\r\nAgent Tesla: 8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f\r\nCampaign #2\r\nJava sample -\u003e d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97\r\nCampaign #3\r\nNew Order For Quotation.ppsx -\u003e 65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b\r\nCampaign #4\r\nSETTLEMENT OF OUTSTANDING.xlsx -\u003e 111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671\r\nCampaign #5\r\nRequest and specification of our new order.xls -\u003e 1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075\r\nAgent Tesla -\u003e fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34\r\nDomains\r\nsweeddehacklord[.]us\r\nsweed-office.comie[.]ru\r\nsweed-viki[.]ru\r\nsweedoffice.duckdns[.]org\r\nsweedoffice-olamide.duckdns[.]org\r\nsweedoffice-chuks.duckdns[.]org\r\nwww.sweedoffice-kc.duckdns[.]org\r\nsweedoffice-kc.duckdns[.]org\r\nsweedoffice-goodman.duckdns[.]org\r\nsweedoffice-bosskobi.duckdns[.]org\r\nwww.sweedoffice-olamide.duckdns[.]org\r\nwww.sweedoffice-chuks.duckdns[.]org\r\naelna[.]com\r\ncandqre[.]com\r\nspedaqinterfreight[.]com\r\nworldjaquar[.]com\r\nzurieh[.]com\r\naiaininsurance[.]com\r\naidanube[.]com\r\nanernostat[.]com\r\nblssleel[.]com\r\nbwayachtng[.]com\r\ncablsol[.]com\r\ncatalanoshpping[.]com\r\ncawus-coskunsu[.]com\r\ncrosspoiimeri[.]com\r\ndougiasbarwick[.]com\r\nerieil[.]com\r\netqworld[.]com\r\nevegreen-shipping[.]com\r\ngufageneys[.]com\r\nhybru[.]com\r\nintermodaishipping[.]net\r\njltqroup[.]com\r\njyexports[.]com\r\nkayneslnterconnection[.]com\r\nkn-habour[.]com\r\nleocouriercompany[.]com\r\nlnnovalues[.]com\r\nmglt-mea[.]com\r\nmti-transt[.]com\r\nprofbuiiders[.]com\r\nquycarp[.]com\r\nregionaitradeinspections[.]com\r\nrepotc[.]com\r\nrsaqencies[.]com\r\nsamhwansleel[.]com\r\nserec[.]us\r\nsnapqata[.]com\r\nsukrltiv[.]com\r\nsupe-lab[.]com\r\nusarmy-mill[.]com\r\nvirdtech[.]com\r\nwillistoweswatson[.]com\r\nxlnya-cn[.]com\r\nzarpac[.]us\r\nOralbdentaltreatment[.]tk\r\nwlttraco[.]com\r\nSource: https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html"
	],
	"report_names": [
		"sweed-agent-tesla.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "257efa81-fa09-4318-ac8f-7e32b54b88bb",
			"created_at": "2022-10-25T16:07:24.195026Z",
			"updated_at": "2026-04-10T02:00:04.896357Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "ETDA:Sima",
			"tools": [
				"Luminosity RAT",
				"LuminosityLink",
				"Sima"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eeb03ad7-d11f-4600-a587-b7c86aa38e5f",
			"created_at": "2023-01-06T13:46:38.564888Z",
			"updated_at": "2026-04-10T02:00:03.025514Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "MISPGALAXY:Sima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775791791,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71748eadbc23ff93d77c058c85954900a77ca037.pdf",
		"text": "https://archive.orkl.eu/71748eadbc23ff93d77c058c85954900a77ca037.txt",
		"img": "https://archive.orkl.eu/71748eadbc23ff93d77c058c85954900a77ca037.jpg"
	}
}