{
	"id": "ce3aa56b-2ab4-43dd-9078-379191256548",
	"created_at": "2026-04-06T00:13:47.744546Z",
	"updated_at": "2026-04-10T03:20:02.800521Z",
	"deleted_at": null,
	"sha1_hash": "c6c935a9dd55db33501988c5ae4eb66abe2cf764",
	"title": "The Rise of Agent Tesla: Understanding the Notorious Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 665570,
	"plain_text": "The Rise of Agent Tesla: Understanding the Notorious Keylogger\r\nArchived: 2026-04-05 19:14:51 UTC\r\nBy: James Arndt\r\nWhat is Agent Telsa?\r\nAgent Tesla is a keylogger written in .NET. It can monitor keystrokes, take screenshots, steal passwords from a\r\nvariety of applications, and exfiltrate this data back to the threat actor through common protocols. Though it has\r\nbeen regularly used by threat actors over the past eight years, its usage soared in late 2020 and early 2021. Due to\r\nthe relatively low price compared to other malware families and the high functionality it possesses, we have no\r\nreason to believe it will be going away any time soon.\r\nThe History of Agent Tesla\r\nAgent Tesla first appeared in 2014 and has been a staple in the malware landscape ever since. This keylogger was\r\noriginally advertised on a Turkish website as a remote access tool to monitor your own personal computer. It could\r\ncompile your personal passwords, monitor your keystrokes, and avoid being caught by your endpoint’s anti-virus.\r\nAs early as 2016, Agent Tesla’s (now defunct) website started offering a tiered support structure for customers.\r\nFigure 1: Tiered support offerings in 2017.\r\nThe website also hosted web panels for customers to access the data sent from infected endpoints. The people\r\nbehind the website had to stop hosting the Web Panel service in September of 2016 due to legal issues and\r\nhttps://cofense.com/blog/the-rise-of-agent-tesla-understanding-the-notorious-keylogger/\r\nPage 1 of 7\n\nCloudFlare banning their IP addresses. Customers were then given the files needed to host their own Web Panels.\r\nAgent Tesla has gone through a variety of upgrades over the years. Besides changes intended to ensure that every\r\nnew release can bypass anti-virus scans, it now advertises the ability to steal credentials from over 55 applications\r\nincluding web browsers, VPN applications, FTP applications, and mail clients. 
It has also continually improved its\r\nability to circumvent or avoid sandbox technologies. While at first it only used SMTP to communicate back to the\r\nattacker, it now also supports communication over HTTP, FTP, and Telegram.\r\nNotable Uses\r\nAgent Tesla Keylogger was originally sold as a remote access tool, and it could be argued that it functions no\r\ndifferently from legitimate remote access tools like GoToMyPC or LogMeIn. However, U.S. federal prosecutors\r\nhave argued that when someone is selling a tool and instructs users how to “install the product in ways that are\r\narguably deceptive (such as through the use of software exploits, spam, or disguising the tool as another program),\r\nthe proprietor has crossed the legal line and can be criminally prosecuted under computer misuse\r\nlaws.” (https://krebsonsecurity.com/2018/10/who-is-agent-tesla/). Similar remote access tools have been sold in\r\nthis manner and the sellers have been prosecuted and sent to prison.\r\nIn March 2020, during the beginning of worldwide lockdowns due to COVID-19, threat actors used COVID-19-themed\r\nphishing lures to spread Agent Tesla Keylogger. Its popularity surged in the third and fourth quarters of\r\n2020 and the first two quarters of 2021. Office documents with macros and malicious .rtf documents exploiting\r\nCVE-2017-11882 were often used to download and execute Agent Tesla Keylogger.\r\nFile-Originating Delivery and Exfiltration Methods\r\nAs shown in Figure 2, an Agent Tesla Keylogger executable is typically delivered via a direct attachment to an\r\nemail. The CVE-2017-11882 vulnerability, attached .NET loaders, and embedded URLs follow as popular\r\ndelivery methods. The chief exfiltration method over the past year remains SMTP. 
Telegram traffic is a popular\r\nchoice as well.\r\nFigure 2: Agent Tesla's most common delivery mechanisms and exfiltration methods in 2022.\r\nCapabilities\r\nThe Agent Tesla builder has allowed for a variety of configurations. Early versions only allowed exfiltration via\r\nSMTP, but exfiltration was expanded to both SMTP and FTP in 2017. Current versions have added HTTP and\r\nTelegram exfiltration. Figure 3 shows the progression of these exfiltration capabilities as advertised by the authors\r\nbetween 2016 and 2017.\r\nFigure 3: Agent Tesla exfiltration options from 2016 and 2017.\r\nThe ‘password recovery’ feature has expanded significantly from its early iterations. Figure 4 shows two examples\r\nof the builder from 2016 and 2017. Agent Tesla Keylogger currently attempts to harvest and exfiltrate passwords\r\nfrom over 55 applications.\r\nFigure 4: Expansion of password recovery options from 2016 and 2017 respectively.\r\nFigure 5 shows how the web panel in 2019 displayed exfiltrated data to the attacker.\r\nFigure 5: Web panel from 2019 showing keystrokes that were sent back to the attacker.\r\nIn The Wild\r\nAgent Tesla Keylogger accounts for about 20% to 30% of the malware-based Active Threat Reports\r\nFigure 6: Agent Tesla Keylogger reports over the past year as a percentage of total malware-based reports seen\r\nby Cofense Intelligence.\r\nBehavior\r\nStage one of an Agent Tesla Keylogger infection typically begins with either a packed PE file or one that has been\r\nwritten in .NET. In either case, the first step is to unpack or decode a large chunk of data before stage two can be\r\nexecuted. 
Figure 7 shows an example of the .NET variant of stage one. The resource String1 contains a long\r\nstring of characters. The code replaces certain characters with others and stores the result in an array. This array\r\nbecomes the second stage of the infection process when it is executed.\r\nFigure 7: .NET executable replacing characters to create and execute the second stage.\r\nOnce the second stage is running, it performs some basic checks to see if it is running in a debugger, to determine\r\nwhether it is being scrutinized by a security analyst. If it determines that it is not being analyzed, it then gathers\r\ninformation about the infected endpoint, such as the MAC address, processor information, and motherboard serial\r\nnumber. This information is sent back to the attacker. Based upon how it was originally configured (Figure 3),\r\nAgent Tesla will start monitoring keystrokes, check for the existence of applications from which to steal\r\npasswords, and exfiltrate screenshots at regular intervals.\r\nThe more recent versions of Agent Tesla Keylogger rely heavily on a large byte array (Figure 8) for functionality.\r\nReferences to this byte array are seen throughout the second stage. Rather than items like registry keys and file\r\npaths being in plain text, the code will select certain bytes from this array and decode them on the fly as they are\r\nneeded.\r\nFigure 8: The beginning of the encoded byte array.\r\nFor example, Figure 9 below shows part of a function which exfiltrates data via FTP. The value for the\r\nftpWebRequest.Method can be found inside the encoded byte array. The function is instructed to start at the 1336th\r\nbyte and select the next four bytes. 
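The two decoding layers described in this section can be emulated end to end. What follows is an added example written for this page, not code from the original post or from any Agent Tesla sample: a stage-one loader that swaps characters in a String1-style resource before decoding it into the next stage, and a stage-two string table that use sites read by offset and length. The substitution table, the single-byte XOR, the constructed filler and the offsets (STOR placed at 1336 to mirror the lookup discussed here) are all assumptions; the page does not give the real transforms.

```python
import base64

# Added example, not code from the original post or from an Agent Tesla
# sample. It models the two decoding layers described in this section.
# Both transforms are assumptions: the page says only that stage one swaps
# characters in the String1 resource before turning it into a byte array,
# and that stage two pulls (offset, length) slices out of one encoded
# array and decodes them as they are needed.

# Stage one (assumed): String1 is Base64 with three characters swapped, so
# the resource does not decode to the right bytes until the loader swaps
# them back. Keys of SWAP_IN are the characters as stored in the resource.
SWAP_IN = {'!': 'A', '$': 'Q', '*': '='}
SWAP_OUT = {v: k for k, v in SWAP_IN.items()}   # only used to build the sample


def unpack_stage_one(resource_string):
    '''Undo the character substitution and decode the result into the byte
    array that stage one goes on to execute as stage two.'''
    fixed = ''.join(SWAP_IN.get(ch, ch) for ch in resource_string)
    return base64.b64decode(fixed)


# Stage two (assumed): a single-byte XOR over one big array of strings.
KEY = 0x5A


def decode_at(table, offset, length):
    '''Emulate a use site: slice the array by offset and length and decode
    just that slice, as the FTP routine does for its upload command.'''
    return bytes(b ^ KEY for b in table[offset:offset + length]).decode('latin-1')


def dump_strings(table, min_len=4):
    '''Analyst view: decode the whole array once and collect every run of
    printable ASCII, recovering all commands, keys and URLs in one pass.'''
    decoded = bytes(b ^ KEY for b in table)
    found, run = [], []
    for b in decoded:
        if 32 <= b < 127:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append(''.join(run))
        run = []
    if len(run) >= min_len:
        found.append(''.join(run))
    return found


def build_constructed_table(size=2048):
    '''Constructed stand-in for a sample's array: filler that decodes to
    non-printable bytes (so a strings pass finds nothing by accident) with
    three plaintexts placed at fixed offsets. STOR sits at 1336 to mirror
    the lookup discussed above; the other offsets are arbitrary.'''
    table = bytearray((0x80 | ((i * 37 + 11) & 0x7F)) ^ KEY for i in range(size))
    placements = {400: 'https://api.telegram.org/bot', 900: 'AUTH LOGIN', 1336: 'STOR'}
    for offset, text in placements.items():
        for i, ch in enumerate(text.encode('ascii')):
            table[offset + i] = ch ^ KEY
    return bytes(table)


# Constructed sample: the stage-two string table stands in for the stage-two
# assembly, and RESOURCE is what the String1 resource would then look like.
TABLE = build_constructed_table()
RESOURCE = ''.join(SWAP_OUT.get(ch, ch) for ch in base64.b64encode(TABLE).decode('ascii'))

if __name__ == '__main__':
    assert unpack_stage_one(RESOURCE) == TABLE
    print(decode_at(TABLE, 1336, 4))          # STOR
    for s in dump_strings(TABLE):
        print(s)
```

Run directly, the script unpacks the constructed resource, prints the four-byte lookup and then the full string dump. decode_at mirrors a single use site; dump_strings is the analyst's shortcut of applying the transform once to the whole array and keeping the printable runs, which is how a Telegram URL, registry keys and application paths surface together from one sample.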
Those bytes are decoded to produce the string “STOR”, a command used by\r\nthe FTP protocol to upload files to a remote server.\r\nFigure 9: Example of the decoding function.\r\nBy decoding the entire byte array in the same way, we can see a variety of commands, registry settings, URLs, and\r\ntargeted applications that will be used by the Agent Tesla Keylogger in some way.\r\nFigure 10: Decoded strings reveal a Telegram URL, registry keys, and application paths.\r\nDetection and Hunting\r\nPhishing emails that deliver Agent Tesla through both attachments and links have been seen reaching enterprise\r\nusers in environments protected by some of the leading secure email gateways (SEGs). However, Agent Tesla\r\nKeylogger’s behavior on an endpoint should be detectable by modern endpoint security suites and through its network\r\nactivity.\r\nNetwork Traffic\r\nAgent Tesla can exfiltrate data via FTP, SMTP, HTTP, and Telegram messaging. Opportunities for detection\r\ninclude monitoring outbound traffic on port 20 or 21 (FTP) and port 25 or 587 (standard SMTP ports) from\r\nclient devices to unknown servers. Since Telegram’s popularity for exfiltration has risen over the past year, it may\r\nalso be beneficial to monitor and/or create policies to regulate outbound traffic to api.telegram.org.\r\nEndpoint Activity\r\nIdentifying unusual network traffic may point to a certain endpoint for further investigation. Modern endpoint\r\nsecurity suites should be able to tie network activity to its corresponding process. Investigate those unusual\r\nprocesses and their corresponding parent processes.\r\nFigure 10 above showed evidence of how Agent Tesla Keylogger is using the CurrentVersion\\Run and\r\nStartupApproved\\Run registry keys to establish persistence. 
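One way to put the network and endpoint guidance above into practice, as an added example that is not part of the original post: the script below walks constructed EDR-style connection records, flags client machines speaking FTP or SMTP to servers outside a known-good list or reaching api.telegram.org at all, and returns the owning process and parent for each hit so the endpoint investigation starts there. The workstation ranges, the allowlist, the record layout and every address and process name are assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Added example, not code from the original post. It applies the hunting
# ideas above to constructed EDR-style network telemetry: flag client
# machines talking FTP or SMTP to servers that are not known mail or file
# servers, flag any client reaching api.telegram.org, and hand back the
# process and parent for each hit. Record layout, address ranges and the
# allowlist are assumptions for this illustration.

CLIENT_NETS = [ipaddress.ip_network('10.4.0.0/16'),
               ipaddress.ip_network('10.9.0.0/16')]       # assumed workstation ranges
ALLOWLIST = {'10.20.0.25', '10.20.0.30'}                  # assumed corporate mail relay and FTP server
WATCH_PORTS = {20: 'FTP-data', 21: 'FTP', 25: 'SMTP', 587: 'SMTP submission'}
WATCH_HOSTS = {'api.telegram.org'}                        # name taken from DNS, TLS SNI or proxy logs


def is_client(ip):
    '''True when the source address belongs to a workstation range.'''
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLIENT_NETS)


def triage(records):
    '''Return alerts grouped by endpoint. Each alert carries the reason and
    the process/parent pair that owned the connection.'''
    alerts = defaultdict(list)
    for r in records:
        if not is_client(r['src_ip']):
            continue            # servers legitimately speak SMTP and FTP outbound
        reasons = []
        if r['dst_port'] in WATCH_PORTS and r['dst_ip'] not in ALLOWLIST:
            reasons.append(WATCH_PORTS[r['dst_port']] + ' to unknown server ' + r['dst_ip'])
        if r['dst_host'].lower() in WATCH_HOSTS:
            reasons.append('traffic to ' + r['dst_host'])
        for reason in reasons:
            alerts[r['host']].append({'reason': reason,
                                      'process': r['process'],
                                      'parent': r['parent']})
    return dict(alerts)


def flow(host, src_ip, dst_ip, dst_host, dst_port, process, parent):
    '''Build one constructed connection record in the assumed layout.'''
    return {'host': host, 'src_ip': src_ip, 'dst_ip': dst_ip, 'dst_host': dst_host,
            'dst_port': dst_port, 'process': process, 'parent': parent}


# Constructed telemetry. Addresses use documentation ranges; the address
# paired with api.telegram.org is a placeholder, not the real service.
RECORDS = [
    # normal: a mail client talking to the corporate relay
    flow('WS-0142', '10.4.7.21', '10.20.0.25', 'mail.corp.example', 587, 'outlook.exe', 'explorer.exe'),
    # suspicious: a Word-spawned process submitting mail to an unknown server
    flow('WS-0142', '10.4.7.21', '203.0.113.45', 'mail.example.net', 587, 'svchost32.exe', 'WINWORD.EXE'),
    # suspicious: a process spawned by Equation Editor reaching the Telegram bot API
    flow('WS-0077', '10.9.1.5', '198.51.100.10', 'api.telegram.org', 443, 'updater.exe', 'EQNEDT32.EXE'),
    # normal: the mail server itself relaying outbound mail
    flow('SRV-MAIL', '10.20.0.25', '192.0.2.80', 'mx.example.org', 25, 'smtpd.exe', 'services.exe'),
    # normal: ordinary browsing from a workstation
    flow('WS-0077', '10.9.1.5', '192.0.2.10', 'www.example.com', 443, 'chrome.exe', 'explorer.exe'),
]

if __name__ == '__main__':
    for host, hits in triage(RECORDS).items():
        for hit in hits:
            print(host, hit['reason'], hit['process'], '<-', hit['parent'])
```

The hostname check assumes the telemetry carries a destination name from DNS, TLS SNI or a proxy log, because the Telegram bot API is plain HTTPS on 443 and will not stand out by port. The source-range check matters as much as the port list: mail and file servers speak SMTP and FTP outbound legitimately, so the rule fires only for client devices, which is the qualifier the text puts on the port-based indicator.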
Changes to the Run and StartupApproved\\Run keys, and to other registry locations commonly used\r\nfor malware persistence, should be monitored.\r\nAll third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise,\r\nremain the property of their respective holders, and use of these trademarks in no way indicates any relationship\r\nbetween Cofense and the holders of the trademarks.\r\nThe Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos\r\ndisplayed on this blog are registered trademarks or trademarks of Cofense Inc.\r\nSource: https://cofense.com/blog/the-rise-of-agent-tesla-understanding-the-notorious-keylogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://cofense.com/blog/the-rise-of-agent-tesla-understanding-the-notorious-keylogger/"
	],
	"report_names": [
		"the-rise-of-agent-tesla-understanding-the-notorious-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6c935a9dd55db33501988c5ae4eb66abe2cf764.pdf",
		"text": "https://archive.orkl.eu/c6c935a9dd55db33501988c5ae4eb66abe2cf764.txt",
		"img": "https://archive.orkl.eu/c6c935a9dd55db33501988c5ae4eb66abe2cf764.jpg"
	}
}