{
	"id": "f1d16507-767e-4223-a0ae-9722d6785bef",
	"created_at": "2026-04-06T00:17:48.172104Z",
	"updated_at": "2026-04-10T03:21:26.069367Z",
	"deleted_at": null,
	"sha1_hash": "9507f72da00299eea02387e210dcc54edd820208",
	"title": "Hackers steal WiFi passwords using upgraded Agent Tesla malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1350496,
	"plain_text": "Hackers steal WiFi passwords using upgraded Agent Tesla malware\r\nBy Sergiu Gatlan\r\nPublished: 2020-04-16 · Archived: 2026-04-05 15:47:59 UTC\r\nSome new variants of the Agent Tesla info-stealer malware now come with a dedicated module for stealing WiFi passwords\r\nfrom infected devices, credentials that might be used in future attacks to spread to and compromise other systems on the\r\nsame wireless network.\r\nThe new samples are heavily obfuscated and are designed by the malware's author to collect wireless profile credentials\r\nfrom compromised computers by issuing a netsh command with a wlan show profile argument for listing all available WiFi\r\nprofiles.\r\nTo get the WiFi passwords from the discovered SSIDs (the Wi-Fi networks names), the Agent Tesla info-stealer issues a new\r\nnetsh command adding the SSID and a key=clear argument to show and extract the password in plain text for each profile as\r\nMalwarebytes' Threat Intelligence team found.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\n\"In addition to wifi profiles, the executable collects extensive information about the system including FTP clients, browsers,\r\nfile downloaders, machine info (username, computer name, OS name, CPU architecture, RAM) and adds them into a list,\"\r\nMalwarebytes' report says.\r\n\"We believe this may be used as a mechanism to spread [..] or perhaps to set the stage for future attacks.\"\r\nWiFi password shown in plain text\r\nEmotet also got upgraded with a WiFi module\r\nAgent Tesla is not the only malware that has recently been updated with WiFi capabilities. 
An Emotet Trojan sample spotted\r\nearlier this year also got upgraded with a standalone WiFi spreader tool allowing it to infect new victims connected to\r\nnearby insecure wireless networks.\r\nThis standalone spreader version was used by the Emotet gang for at least two years without any notable changes,\r\nresearchers at Binary Defense who discovered the newly upgraded Emotet samples told BleepingComputer.\r\nEmotet's developers later upgraded the spreader to a fully-fledged Wi-Fi worm module and started using it in the wild,\r\naccording to a researcher who observed evidence of the Emotet Wi-Fi spreader being used to spread throughout one of his\r\nclient's networks.\r\nWith their new focus on this WiFi spreader module, the Emotet gang is on a straight path to developing a highly capable and\r\nvery dangerous Wi-Fi worm module that will show up more and more often while actively used in the wild.\r\nEmotet's Wi-Fi spreader in action (Binary Defense)\r\nMalware with keylogging and RAT features\r\nAgent Tesla is a commercially available .NET-based info-stealing program with keylogging and remote access Trojan\r\n(RAT) capabilities, active since at least 2014.\r\n\"During the months of March and April 2020, it was actively distributed through spam campaigns in different formats such\r\nas ZIP, CAB, MSI, IMG files, or Office documents,\" Malwarebytes says.\r\nIt is currently highly popular among business email compromise (BEC) scammers who use it for recording keystrokes and\r\ntaking screenshots of infected machines.\r\nThe info-stealer can also be used for collecting system information, for stealing data from the clipboard,\r\nand for killing running analysis processes and antivirus solutions.\r\nAgent Tesla stealing WiFi passwords (Malwarebytes)\r\nTo avoid getting infected with a malicious Agent Tesla payload, you have to be very cautious when opening suspicious\r\nemails or when visiting hyperlinks received via email, as well as avoid downloading email attachments received from\r\nunknown senders.\r\nAgent Tesla ranked second in a 'Top 10 most prevalent threats' ranking published by interactive malware analysis platform\r\nAny.Run in December 2019, with 10,324 sample uploads submitted for analysis throughout last year.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware/"
	],
	"report_names": [
		"hackers-steal-wifi-passwords-using-upgraded-agent-tesla-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9507f72da00299eea02387e210dcc54edd820208.pdf",
		"text": "https://archive.orkl.eu/9507f72da00299eea02387e210dcc54edd820208.txt",
		"img": "https://archive.orkl.eu/9507f72da00299eea02387e210dcc54edd820208.jpg"
	}
}