{
	"id": "36a24bba-41cf-4a70-ae42-85487571f8b5",
	"created_at": "2026-04-06T00:06:29.440201Z",
	"updated_at": "2026-04-10T03:21:51.010821Z",
	"deleted_at": null,
	"sha1_hash": "cf4512d9d8fcd46d1301dc57aa7eebd7d643c133",
	"title": "Exclusive: Researchers dumped Gigabytes of data from Agent Tesla C2Cs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 843691,
	"plain_text": "Exclusive: Researchers dumped Gigabytes of data from Agent Tesla C2Cs\r\nBy Pierluigi Paganini\r\nPublished: 2021-10-06 · Archived: 2026-04-05 16:46:46 UTC\r\nResecurity researchers dumped gigabytes of data from Agent Tesla C2 servers: one of the most widely used cyberespionage tools has itself suffered a data leak.\r\nAgent Tesla, first discovered in late 2014, is a widely used “malware-as-a-service” Remote Access Trojan (RAT) that threat actors use to steal credentials, keystrokes, clipboard data and other information from their targets.\r\nBoth cybercriminal groups and actors involved in espionage operations use this RAT because of its stability, flexibility and functionality, which allow for the collection of sensitive data from the victim and its exfiltration.\r\nLos Angeles-based Resecurity, Inc. and its cyber threat intelligence and R\u0026D unit, HUNTER, drained Agent Tesla Command \u0026 Control (C2) servers and extracted over 950GB of logs containing compromised Internet users’ credentials, files and other sensitive information stolen by the malware. The data extraction was made possible through a collaboration between Resecurity, law enforcement and several ISPs in the European Union, the Middle East and North America.\r\nhttps://securityaffairs.co/wordpress/123039/malware/agent-tesla-c2c-dumped.html\r\nPage 1 of 3\r\nThe collected information allowed for the recovery of knowledge about the victims and the timeline of the campaigns conducted by actors leveraging Agent Tesla.\r\nThe distribution of victims per geographical area included: USA, Canada, Italy, Germany, Spain, Mexico, Colombia, Chile, Brazil, Singapore, South Korea, Malaysia, Taiwan, Japan, Egypt, United Arab Emirates (UAE), Kuwait, Kingdom of Saudi Arabia (KSA) and other countries in the Gulf region.\r\nThe majority of the credentials intercepted by Agent Tesla related to financial services, online retailers, e-government systems and personal and business e-mail accounts.\r\nResearchers found active instances of Agent Tesla and developed a mechanism to enumerate the affected clients and extract the compromised data. To share knowledge and encourage information security researchers to combat malicious code, Resecurity’s HUNTER unit has prepared an educational video demonstrating the .NET reverse engineering and deobfuscation techniques used for the Agent Tesla analysis.\r\n“Successful tracking of Agent Tesla activity allowed for the recovery of critical insights about the victims affected by it globally and the probable threat actors targeting them. In some cases, we saw obvious patterns of cybercriminals. However, we also saw other actors closely affiliated with particular foreign states leveraging this cyberespionage tool due to its availability in underground hacking communities,” said Ahmed Elmalky, an Offensive Cyber Security Researcher at Resecurity, Inc.\r\nAccording to multiple independent cybersecurity researchers and companies involved in Agent Tesla tracking, this RAT remains a consistent threat to Microsoft Windows environments and is primarily delivered via e-mail as a malicious attachment.\r\nIn a recent update, Agent Tesla targets Microsoft’s Antimalware Scan Interface (AMSI) in order to avoid detection, alongside using additional evasion mechanisms to transfer stolen data.\r\nLast year, Agent Tesla was spotted in highly targeted campaigns against the oil and gas industry. In one of these campaigns, the actors impersonated a well-known Egyptian engineering contractor involved in onshore and offshore projects (Enppi – Engineering for Petroleum and Process Industries) to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey.\r\nThe second campaign, impersonating a shipping company, used legitimate information about a chemical/oil tanker to make the email believable when targeting victims in the Philippines.\r\nAbout the author: Resecurity’s cyber threat intelligence and R\u0026D unit\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, malware)\r\nSource: https://securityaffairs.co/wordpress/123039/malware/agent-tesla-c2c-dumped.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securityaffairs.co/wordpress/123039/malware/agent-tesla-c2c-dumped.html"
	],
	"report_names": [
		"agent-tesla-c2c-dumped.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf4512d9d8fcd46d1301dc57aa7eebd7d643c133.pdf",
		"text": "https://archive.orkl.eu/cf4512d9d8fcd46d1301dc57aa7eebd7d643c133.txt",
		"img": "https://archive.orkl.eu/cf4512d9d8fcd46d1301dc57aa7eebd7d643c133.jpg"
	}
}