{
	"id": "5a520bf6-c02c-4aae-9ec0-df99cd52ab94",
	"created_at": "2026-04-06T01:30:04.625701Z",
	"updated_at": "2026-04-10T13:12:08.013798Z",
	"deleted_at": null,
	"sha1_hash": "95d3ad6e3d67b9d1f128800e2421aee2388774d3",
	"title": "OriginLogger: A Look at Agent Tesla’s Successor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2064882,
	"plain_text": "OriginLogger: A Look at Agent Tesla’s Successor\r\nBy Jeff White\r\nPublished: 2022-09-13 · Archived: 2026-04-06 00:57:44 UTC\r\nExecutive Summary\r\nOn March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due to\r\nlegal troubles. In the announcement message posted on the Agent Tesla Discord server, the keylogger’s developers\r\nsuggested people switch over to a new keylogger: “If you want to see a powerful software like Agent Tesla, we would like to\r\nsuggest you OriginLogger. OriginLogger is an AT-based software and has all the features.” OriginLogger is a variant of\r\nAgent Tesla. As such, the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.\r\nRecently, when sitting down to analyze some malware tagged as Agent Tesla, I was surprised to learn I was actually looking\r\nat something else. This fact revealed itself to me when I began analyzing the malware families’ configurations at scale after\r\ncreating tooling to extract them.\r\nIn this blog, I will cover the OriginLogger keylogger malware, how it handles the string obfuscation for configuration\r\nvariables and what I found when looking at the extracted configurations that allowed for better identification and further\r\npivoting.\r\nPalo Alto Networks customers receive protections from both OriginLogger and its predecessor malware Agent Tesla through\r\nCortex XDR and the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced\r\nThreat Prevention.\r\nOriginLogger Builder\r\nWhen I began researching OriginLogger, I could find little to no public information about it. 
There are several Agent Tesla-related analysis blogs that I now recognize as pertaining to OriginLogger – sometimes tagged as “AgentTeslav3” – but otherwise, the public internet is pretty light on relevant information.\r\nDuring my search, I stumbled across a YouTube video posted in 2018 (before Agent Tesla closed up shop) by a person selling “fully undetectable” (FUD) tools. This person showed off the OriginLogger tools with a link to buy them from a known site that traffics in malware, exploits and the like.\r\nFigure 1. OriginLogger feature highlights (Source: screenshots of the OriginLogger sale page from a YouTube video on OriginLogger).\r\nhttps://unit42.paloaltonetworks.com/originlogger/\r\nPage 1 of 17\r\nFigure 2. OriginLogger feature list.\r\nAdditionally, they showed both the web panel and the malware builder.\r\nFigure 3. OriginLogger web panel (Source: OriginLogger YouTube video).\r\nFigure 4. OriginLogger builder.\r\nThe image of the builder shown in Figure 4 was particularly interesting to me as it provided a default string – facebook, twitter, gmail, instagram, movie, skype, porn, hack, whatsapp, discord – that might be unique to this application. Sure enough, a content search on VirusTotal shows one matching file (SHA256: 595a7ea981a3948c4f387a5a6af54a70a41dd604685c72cbd2a55880c2b702ed) uploaded on May 17, 2022.\r\nFigure 5. VirusTotal search for string.\r\nDownloading and attempting to run this file resulted in errors due to missing dependencies; however, knowing the builder’s filename, OriginLogger.exe, allowed me to expand the search and locate a Zip archive (SHA256: b22a0dd33d957f6da3f1cd9687b9b00d0ff2bdf02d28356c1462f3dbfb8708dd) containing all of the files required to run OriginLogger.\r\nFigure 6. Bundled files in Zip archive.\r\nThe settings.ini file contains the configuration the builder will use, and in Figure 7 we can see the previous search string listed under SmartWords.\r\nFigure 7. OriginLogger Builder settings.ini file.\r\nThe file profile.origin contains the embedded username/password that a customer registers with when purchasing OriginLogger.\r\nFigure 8. OriginLogger builder login screen.\r\nAmusingly, if you reverse the values in the profile file, the plaintext password is revealed.\r\nFigure 9. Contents of profile.origin file.\r\nFigure 10. OriginLogger builder login screen with threat actor password revealed in plaintext.\r\nWhen a user logs in, the builder attempts to authenticate with the OriginLogger servers to validate the subscription.\r\nAt this point, I had two versions of the builder. The first one (b22a0d*), contained in the Zip file, was compiled Sept. 6, 2020. The other, which contained the SmartWords string (595a7e*), was compiled on June 29, 2022, just about two years after the first.\r\nThe later version makes its authentication request over TCP/3345 to IP 23.106.223[.]46. Since March 3, 2022, this IP has resolved to the domain originpro[.]me. This domain has resolved to the following IP addresses:\r\n23.106.223[.]46\r\n204.16.247[.]26\r\n31.170.160[.]61\r\nThe second IP, 204.16.247[.]26, stands out because these other OriginLogger-related domains also resolve to it:\r\noriginproducts[.]xyz\r\norigindproducts[.]pw\r\noriginlogger[.]com\r\nThings get more interesting when looking at the older builder. This one attempts to reach out to a different IP address for the authentication.\r\nFigure 11. PCAP showing remote IP address.\r\nUnlike the IP addresses associated with originpro[.]me, 74.118.138[.]76 does not resolve to any OriginLogger domains directly but instead resolves to 0xfd3[.]com. Pivoting on this domain shows it contains both DNS MX and TXT records for mail.originlogger[.]com.\r\nBeginning around March 7, 2022, the domain in question began resolving to IP 23.106.223[.]47, which is one value higher in the last octet than the IP used for originpro[.]me, which used 46.\r\nThese two IP addresses have shared multiple SSL certificates:\r\nSHA1 | Serial Number | Common Name | IPs Observed (truncated in source)\r\n2dec9fdf91c3965960fecb28237b911a57a543e2 | 38041735159378560318847695768150611562 | WIN-4K804V6ADVQ | 23.106.22, 23.106.22\r\n7a7e732229287c1d53a360e08201616179217117 | 133152806647474295963986900899009859692 | WIN-4K804V6ADVQ | 23.106.22, 23.106.22, 74.118.13, 204.16.24\r\n3b3cf8039b779d93677273e09961203ffaac2d6f | 89480234209393487842197137895395039274 | WIN-4K804V6ADVQ | 23.106.22, 23.106.22, 74.118.13, 204.16.24\r\nTable 1. Shared SSL certificates.\r\nThe RDP login screens for both of the servers beginning with IP 23.106.223.X show a Windows Server 2012 R2 server with multiple accounts.\r\nFigure 12. RDP login screen for 23.106.223[.]46.\r\nWhen further searching for this domain, I came across the GitHub profile for user 0xfd3, which contains the two repositories shown in Figure 13.\r\nFigure 13. User 0xfd3 GitHub.\r\nI’ll circle back to these later in the blog when looking at the code, but (spoiler alert) they are also used in OriginLogger.\r\nDropper Lure\r\nBefore diving into the malware, I’ll quickly cover the dropper that led to the sample I set out to analyze. As both Agent Tesla and OriginLogger are commercialized keyloggers, the initial droppers will vary greatly between campaigns and should not be considered unique to either. I present the below as a real-world example of an attack dropping OriginLogger and show that they can be quite convoluted and obfuscated.\r\nThe initial lure document is a Microsoft Word file (SHA256: ccc8d5aa5d1a682c20b0806948bf06d1b5d11961887df70c8902d2146c6d1481). When opened, this document displays a photo of a passport for a German citizen, along with a credit card. I’m not quite sure how enticing this would be as a lure for a normal user, but either way, you’ll note the inclusion of numerous Excel Worksheets below the image, as shown in Figure 14.\r\nFigure 14. Lure document.\r\nEach of these sheets is contained in a separate embedded Excel Workbook, and all of them are exactly the same file (SHA256: dc8b81e2f3ea59735eb1887128720dab292f73dfc3a96b5bc50824c1201d97cf).\r\nWithin each Workbook is a single macro that simply saves a command to execute at the following location:\r\nC:\\Users\\Public\\olapappinuggerman.js\r\nFigure 15. Excel VBA macro.\r\nOnce run, this will download and execute via MSHTA the contents of the file at hxxp://www.asianexportglass[.]shop/p/25.html. A screenshot of the website is shown in Figure 16.\r\nFigure 16. Website made to appear legitimate.\r\nThis file contains an embedded obfuscated script in the middle of the document as a comment.\r\nFigure 17. Website hidden comment.\r\nUnescaping the script reveals the code shown in Figure 18, which downloads the next payload from a BitBucket snippet (hxxps://bitbucket[.]org/!api/2.0/snippets/12sds/pEEggp/8cb4e7aef7a46445b9885381da074c86ad0d01d6/files/snippet.txt) and establishes persistence with a scheduled task named calsaasdendersw that runs every 83 minutes and uses MSHTA again to execute the script contained within hxxp://www.coalminners[.]shop/p/25.html.\r\nFigure 18. Unescaped script.\r\nThe snippet hosted on the BitBucket website contains further obfuscated PowerShell code and two binaries, encoded and compressed.\r\nThe first of the two files (SHA256: 23fcaad34d06f748452d04b003b78eb701c1ab9bf2dd5503cf75ac0387f4e4f8) is a C# reflective loader using CSharp-RunPE. This tool is used to hollow out a process and inject another executable inside of it; in this case, the keylogger payload will be placed inside the aspnet_compiler.exe process.\r\nFigure 19. PowerShell command to execute method contained in dotNet assembly.\r\nNote the projFUD.PA class that the Execute method is called from. Morphisec released a blog in 2021 called “Revealing the Snip3 Crypter, a highly evasive RAT loader,” where they analyze a crypter-as-a-service and fingerprint the crypter’s author using this artifact.\r\nThe second of the two files (SHA256: cddca3371378d545e5e4c032951db0e000e2dfc901b5a5e390679adc524e7d9c) is the OriginLogger payload.\r\nOriginLogger Configuration\r\nAs previously stated, the original intention of this analysis was to automate and extract configuration-related details from the keylogger. To achieve this, I started by looking at how the configuration-related strings are used.\r\nI won’t be diving into any of the actual functionality of the malware as it’s fairly standard and mirrors analysis of older Agent Tesla variants. Just as the threat actors’ advertisements state, the malware uses tried and true methods and includes the ability to keylog, steal credentials, take screenshots, download additional payloads, upload your data in a myriad of ways and attempt to avoid detection.\r\nTo start extracting configuration-related details, I needed to figure out how the user-supplied data is stored in the malware; it turned out to be straightforward. The builder takes the dynamic string values and concatenates them into a giant blob of text, which is then encoded and stored in a byte array to be decoded at runtime. Once the malware runs and hits a particular function that needs a string, such as the HTTP address to upload screenshots to, it passes the offset and string length to a function that carves out the text at that location within the blob.\r\nTo illustrate, below you can see the decoding logic used for the main blob of text.\r\nFigure 20. OriginLogger plaintext blob decoding.\r\nEach byte is XOR’d with the index of the byte within the byte array, and then XOR’d again with the value 170 to reveal the plaintext.\r\nFor each sample generated by the builder, this blob of text will differ depending on what’s configured, so offsets and positioning will change. Looking at the raw text shown in Figure 21 is helpful, but without splicing it up, it becomes hard to determine where the boundaries end or begin.\r\nFigure 21. Plaintext blob.\r\nIt also does not help when it comes time to analyze the malware, as you won’t be able to discern when or where something is used. To figure this next piece out, I needed to look at how OriginLogger handles the splicing.\r\nBelow you can see the function responsible for carving out the string, followed by the beginning of the individual methods containing the offset and length.\r\nFigure 22. OriginLogger string functions.\r\nIn this case, if the B() method is called at some point by the malware, it will pass 2, 2, 27 to the obfuscated nameless function at the top of the image. The first integer is used for the array index where the decoded string will be stored. The second (offset) and third (length) integers are then passed to the GetString function to obtain the text. For this particular entry, the resulting value – \u003cfont color=\"#00b1ba\"\u003e\u003cb\u003e[ – is used during the creation of the HTML page it uploads to display the stolen data.\r\nKnowing how the string parsing works, I could then automate the extraction of these strings. To start, it helps to look at the underlying intermediate language (IL) assembly instructions.\r\nFigure 23. OriginLogger IL instructions for string function.\r\nFor each of these lookups, the structure of the function block will remain the same. At index 6-8 in Figure 23, you will see three ldc.i4.X instructions where X dictates an integer value that will be pushed onto the stack before calling the previously described splicing function. This overall structure creates a framework that can then be used to match all of the corresponding functions in the binary for parsing.\r\nLeveraging this, I wrote a script to identify the encoded byte array, determine the XOR values and then splice up the decoded blob in the same fashion the malware uses it. With this, you can scroll through the decoded strings and look for things of interest. Once something is identified, knowing the offset and subsequent function name, you can pivot into the part of the malware that leverages them.\r\nFigure 24. OriginLogger decoded strings.\r\nFrom here, I started renaming the obfuscated methods to reflect their actual values, which made analysis easier on the eyes.\r\nFigure 25. OriginLogger FTP upload function.\r\nIt should be noted that the same string deobfuscation can be achieved by using de4dot and its dynamic string decryption feature by specifying the string types as delegate and identifying the tokens of interest. This works extremely well for single file analysis.\r\nRecall that I mentioned in the OriginLogger Builder section of this blog that I’d circle back to the GitHub repositories of the 0xfd3 user. Take a look in Figure 26 at the Chrome Password Recovery code uploaded in March 2020 after OriginLogger took Agent Tesla’s prominence in the keylogger world.\r\nFigure 26. Chrome Password Recovery.\r\nCompare Figure 26 to the code from the OriginLogger sample with renamed methods shown in Figure 27.\r\nFigure 27. OriginLogger Chrome password stealing function.\r\nLook familiar? These types of similarities abound as OriginLogger has continued development where Agent Tesla left off.\r\nIdentifying OriginLogger Through Artifacts\r\nUsing this tooling, I extracted 1,917 different configurations, which gives insight into the exfiltration methods used and allows for clustering of samples based on the underlying infrastructure.\r\nThis is where I began to understand that what I was looking at wasn’t Agent Tesla but instead a different keylogger – OriginLogger. Two particular exfiltration methods that both showed multiple references to “origin” in some fashion led me to connect the dots.\r\nFor example, one of the URLs configured for a sample to upload keylogger and screenshot data to was hxxps://agusanplantation[.]com/new/new/inc/7a5c36cee88e6b.php. This URL is no longer active, so I started searching for historical information about it to understand what was on the receiving end of these HTTP POST requests. By plugging the domain into URLScan.io, it showed login pages for the panel in the same directory but, more importantly, that the OriginLogger web panel (SHA256: c2a4cf56a675b913d8ee0cb2db3864d66990e940566f57cb97a9161bd262f271) was observed on this host at the time of scanning four months ago.\r\nFigure 28. URLScan.io scan history for domain.\r\nSimilarly, one of the exfiltration methods is through Telegram bots. To utilize them, OriginLogger requires a Telegram bot token to be included so the malware can interact with it. This provides another unique opportunity to analyze the infrastructure in use. In this case, I can use the token to query Telegram with what equates to a whoami command and observe the names used by the bot creator. Below are a handful of examples showing relevant naming.\r\n\"id\":2046248941,\"is_bot\":true,\"first_name\":\"origin\",\"username\":\"mailerdemon_bot\"\r\n\"id\":1731070785,\"is_bot\":true,\"first_name\":\"@CodeOnce_bot\",\"username\":\"PWORIGIN_bot\"\r\n\"id\":1644755040,\"is_bot\":true,\"first_name\":\"ORIGINLOGGER\",\"username\":\"softypaulbot\"\r\n\"id\":1620445910,\"is_bot\":true,\"first_name\":\"ORIGINLOGS\",\"username\":\"badboi450hbot\"\r\n\"id\":2081699912,\"is_bot\":true,\"first_name\":\"Zara\",\"username\":\"Zaraoriginbot\"\r\n\"id\":5054839999,\"is_bot\":true,\"first_name\":\"Origin Poster\",\"username\":\"origin_post_bot\"\r\nMalicious Infrastructure\r\nLike other keyloggers that are commercially sold, OriginLogger is used by a wide variety of people for various malicious purposes around the globe. In the past, I’ve written about taking a deeper look at the victims of keyloggers and what analyzing their screenshots can reveal about the potential intentions of the attackers. In this blog post, I will summarize some observations of the data extracted from the corpus of OriginLogger samples I collected. Most samples had multiple exfiltration techniques configured, and I’ll cover each one below.\r\nSMTP is still the primary mechanism used for exfiltrating data and was identified in 1,909 samples. This is most likely because:\r\nThe traffic will blend in with normal user traffic better than other included protocols.\r\nIt’s relatively easy for attackers to obtain stolen e-mail accounts.\r\nE-mail providers usually offer a large amount of storage space.\r\nThere were 296 unique e-mail recipient addresses for the stolen data and 334 unique e-mail account credentials used to send them.\r\nFTP was configured in 1,888 samples using 56 unique FTP servers and 79 unique FTP accounts, with multiple accounts logging to different directories, likely based on different campaigns. Across the accessible servers, which were limited to 11 of the 56, there are 442 unique victims, with some victims being logged hundreds of times.\r\nWeb uploads to the OriginLogger panel followed closely behind and were configured in 1,866 samples, uploading to 92 unique URLs. When analyzing these URLs, the PHP file used for the upload showed a pattern of alphanumeric characters in the filename, with a couple of additional patterns presenting themselves in the directory structure. Looking into the source code of the web panel as shown in Figure 29 shows that the PHP filename is an MD5 value of some random bytes and is placed in the /inc/ (incoming) directory.\r\nFigure 29. OriginLogger source code for setup.php.\r\nKeep in mind that many keylogger purchasers may not have much technical experience and tend to use a “full service” vendor that creates everything for them so that all they are required to do is distribute the keylogger. I suspect this is a reason for a lot of the URIs having similar structures. For example, the structure http://\u003cipaddress\u003e/\u003cname\u003e/inc/\u003cmd5\u003e.php is repeated throughout, and the first level of the directory shows values unlikely to be generated automatically – possibly account-related:\r\nb0ss/inc\r\nrich/inc\r\ndivine/inc\r\nma2on/inc\r\ndarl/inc\r\njboy/inc\r\nnewmoney/inc\r\nLikewise, this directory structure changes the inc to mawa and prepends webpanel to the name:\r\nwebpanel-roth/mawa\r\nwebpanel-qwerty/mawa\r\nwebpanel-dawn/mawa\r\nwebpanel-charles/mawa\r\nwebpanel-muti/mawa\r\nwebpanel-ghul/mawa\r\nwebpanel-reza/mawa\r\nFor the last exfiltration method, we have Telegram identified in 1,732 samples with 181 unique Telegram bots receiving the stolen data. In addition to being able to issue a whoami for the bot, we’re able to query for information related to the channels where stolen information was uploaded. The most prominent of the channels are below with the details currently in use:\r\nCount | Channel Bio | Owner | Bot Name\r\n41 | Invest in bitcoin now and attain financial freedom | Alaa Ahmed | obomike_bot\r\n25 | Free Cannabis | Cry_ptoSand | sales3w7_bot, oasisx_bot, valiat073_bot\r\n21 | Atrium Investment Ltd: We Help You ACHIEVE YOUR LIFE GOALS | Doris E. Athey | Tino08Bot\r\n20 | Self Discipline, Consistency and humanity. | Lucas Grayson | Odion2023bot\r\n18 | Come Closer | Anthony Forbes | Anthonyforbes2023bot\r\n14 | Think it, Code It | CodeOnce DeSpartan | PWORIGIN_bot\r\n12 | Dream cha$er 4L | Lurgard da Great | johnwalkkerBot\r\n11 | coder..no system is safe.. Private crypt 100$..knowledge is power | ☠️The Devil☠️( do not disturb )) | Skiddoobot\r\n10 | PhD Engineering | Alexander Macbill | swft_bot\r\nTable 2. Prominent Channels\r\nFinally, one feature that is not utilized very often is the ability for OriginLogger to download an additional payload after infecting the victim system. In the samples discussed here, only two were configured to download additional malware.\r\nConclusion\r\nOriginLogger, much like its parent Agent Tesla, is a commoditized keylogger that shares many overlapping similarities and code, but it’s important to distinguish between the two for tracking and understanding. Commercial keyloggers have historically catered to less advanced attackers, but as illustrated in the initial lure document analyzed here, this does not make attackers any less capable of using multiple tools and services to obfuscate and make analysis more complicated. Commercial keyloggers should be treated with the same caution as any other malware.\r\nLuckily, in this instance, because of the similarities between the two aforementioned keyloggers, detections and protections carried over from one generation to the next – albeit with slightly inaccurate signature naming.\r\nPalo Alto Networks customers receive protections from both OriginLogger and its predecessor malware Agent Tesla through Cortex XDR and the Next-Generation Firewall with cloud-delivered security services including WildFire and Advanced Threat Prevention.\r\nSource: https://unit42.paloaltonetworks.com/originlogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/originlogger/"
	],
	"report_names": [
		"originlogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775439004,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95d3ad6e3d67b9d1f128800e2421aee2388774d3.pdf",
		"text": "https://archive.orkl.eu/95d3ad6e3d67b9d1f128800e2421aee2388774d3.txt",
		"img": "https://archive.orkl.eu/95d3ad6e3d67b9d1f128800e2421aee2388774d3.jpg"
	}
}