{
	"id": "8f8128e1-54b4-429c-96a2-0090b2cb08c3",
	"created_at": "2026-04-14T02:21:52.0421Z",
	"updated_at": "2026-04-14T17:02:31.571439Z",
	"deleted_at": null,
	"sha1_hash": "c3581ed089803cd1adf352fea0b68b399fddcd00",
	"title": "Agent Tesla Targeting United States \u0026 Australia: Revealing the Attackers’ Identities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46027,
	"plain_text": "Agent Tesla Targeting United States \u0026 Australia: Revealing the Attackers’ Identities\r\nBy gmcdouga\r\nPublished: 2024-04-03 · Archived: 2026-04-14 02:16:42 UTC\r\nHighlights\r\nCheck Point Research (CPR) uncovered three recent malicious campaigns of one of the most prevalent malware families in the market – Agent Tesla. These operations were aimed at US and Australian organizations and used the topics of goods purchasing and order delivery as their lures.\r\nUpon investigation, we discovered that these threat actors had a database of 62,000 emails, including individuals and organizations from different spheres.\r\nApart from campaigns originating from victim companies, the group maintains a large number of servers, which are used to protect their identity.\r\nDespite the efforts of the threat actors to keep their anonymity, CPR revealed their true identities and source, reconstructed their steps in the conducted attacks, and continues to monitor their activity.\r\nLong-known malware\r\nAgent Tesla malware is an advanced remote access trojan (RAT) specializing in the theft and exfiltration of sensitive information from infected machines. This malware can collect various types of data, including keystrokes and login credentials used in browsers (such as Google Chrome and Mozilla Firefox) and email clients used on infected machines. 
Agent Tesla has an infamous history in the cyber landscape, having been repeatedly included in the monthly reports of the top 10 prevalent malware families since 2020.\r\nThe Source: Two cyber-crime actors\r\nCPR tracked down the activity of two cyber-crime actors behind Agent Tesla operations, with evidence of them being connected with each other:\r\n“Bignosa” (main threat actor)\r\n“Gods”\r\nThe main actor, “Bignosa”, appears to be part of a group operating malware and phishing campaigns targeting organizations, as evidenced by the US and Australian business email databases, as well as ordinary individuals. “Bignosa” employed Cassandra Protector for obfuscation and utilized various malware families, signaling a secondary level of cyber-crime tactics and tools.\r\nWith a dual identity, “Gods”, also known online as “Kmarshal”, was earlier involved in phishing attacks and later transitioned to malware campaigns. He also demonstrated capabilities in web design and phishing operations.\r\nhttps://blog.checkpoint.com/research/agent-tesla-targeting-united-states-australia-revealing-the-attackers-identities/\r\nPage 1 of 4\n\nDuring our investigation, we tracked the links between various clues, drew connections and secured the identities of these two threat actors, including their pictures from their LinkedIn pages. They appeared to be of African origin, with one of them holding legitimate assignments within their business.\r\nTheir technical level looked to be different, with “Gods” being more experienced, and both communicate via Jabber, an open technology for instant messaging, with “Gods” providing assistance to “Bignosa” in matters of varying difficulty. Using Agent Tesla, however, was not an obstacle for either of them. 
We also tracked their malicious activity behind Agent Tesla and shared all the discoveries with the relevant law enforcement agencies.\r\nRecent campaigns\r\nThe malware campaigns were meticulously prepared, rather than simply initiating the spam with a single click. Utilizing phishing emails with topics related to purchasing goods and order delivery, the attackers attempted to social engineer victims into initiating the malware infection. These emails were sent from servers deployed by the threat actors right before the campaigns, with the main purpose of anonymity. The malware itself was protected by the Cassandra Protector, adding anti-detection capabilities to make it harder to get caught.\r\nThe diagram below shows the times of the preparation and execution steps for these attacks:\r\nThe principal scheme of the first two operations is shown in the diagram below:\r\nThe principal scheme for the third attack is similar to the first ones, except for the different addresses used in the attacking machines:\r\nTo get further information and follow our investigation step-by-step with full details around the threat actors discovered, please visit the dedicated page in the Research blog.\r\nConclusion and Recommendations\r\nThis research highlights the importance of vigilance in cybersecurity. 
The identification of these threat actors was made possible through meticulous analysis of digital footprints, demonstrating the power of digital forensics.\r\nTo mitigate the risks of being affected by such threats, it is essential to:\r\n– Keep operating systems and applications updated, through timely patches and other means.\r\n– Be cautious of unexpected emails with links, especially from unknown senders.\r\n– Enhance cybersecurity awareness among employees.\r\n– Consult security specialists for any doubts or uncertainties.\r\nProtections\r\nCheck Point customers remain protected against the threat described in this research.\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the type of attacks and threats described in this report.\r\nSpyware.Win32.Tesla.TC.*\r\nAgentTesla.TC.*\r\nFor more details, visit the CPR blog.\r\nSource: https://blog.checkpoint.com/research/agent-tesla-targeting-united-states-australia-revealing-the-attackers-identities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/agent-tesla-targeting-united-states-australia-revealing-the-attackers-identities/"
	],
	"report_names": [
		"agent-tesla-targeting-united-states-australia-revealing-the-attackers-identities"
	],
	"threat_actors": [
		{
			"id": "733eb70c-e636-4d55-be1d-6ff0f7084027",
			"created_at": "2024-04-19T02:00:03.619798Z",
			"updated_at": "2026-04-14T02:00:04.053831Z",
			"deleted_at": null,
			"main_name": "Bignosa",
			"aliases": [],
			"source_name": "MISPGALAXY:Bignosa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776133312,
	"ts_updated_at": 1776186151,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c3581ed089803cd1adf352fea0b68b399fddcd00.pdf",
		"text": "https://archive.orkl.eu/c3581ed089803cd1adf352fea0b68b399fddcd00.txt",
		"img": "https://archive.orkl.eu/c3581ed089803cd1adf352fea0b68b399fddcd00.jpg"
	}
}