{
	"id": "76195b44-35b8-41a4-bb0e-326bf9fcdc43",
	"created_at": "2026-04-06T00:15:24.417147Z",
	"updated_at": "2026-04-10T03:21:28.955603Z",
	"deleted_at": null,
	"sha1_hash": "cfb263652e44af5a6ccc150117a9e79a1aff3ede",
	"title": "Data Insights on AgentTesla and OriginLogger Victims | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1164480,
	"plain_text": "Data Insights on AgentTesla and OriginLogger Victims | Bitsight\r\nWritten by André Tavares, Sr. Threat Researcher\r\nArchived: 2026-04-05 19:36:38 UTC\r\nAgentTesla (also known as OriginLogger) remains a prevalent commodity stealer, distributed daily,\r\nmainly via email attachments;\r\n \r\nThe primary method for exfiltrating data remains the usage of mail servers, although Telegram utilization is\r\nincreasing;\r\n \r\nAvailable infection telemetry suggests that the most targeted countries are the United States, China and\r\nGermany.\r\nAgentTesla is a Windows malware written in .NET, designed to steal sensitive information from the victim's\r\nsystem. It’s considered commodity malware given its accessibility and relatively low cost. Commodity malware\r\nposes a significant threat as it enables less sophisticated cybercriminals to conduct various types of cyberattacks\r\nwithout requiring extensive technical knowledge. AgentTesla has been a persistent and widespread threat since its\r\nemergence in 2014.\r\nAlso known as Negasteal, it was rebranded to OriginLogger (also known as AgentTesla v3 – and beyond) in 2019.\r\nThis change followed revelations by Krebs on Security in October 2018, spotlighting one of the suspected actors\r\nbehind the malware, a Turkish individual – while writing this blog post, another suspected author was revealed, a\r\nsecond Turkish individual, who appears to be the actual author of the malware. The first disclosure led to the\r\nsudden suspension of AgentTesla sales shortly thereafter. 
By March 2019, the developers announced via their\r\nDiscord customer support server that they were shutting down the shop due to legal trouble but also promoted an\r\nalternative product, OriginLogger:\r\n“If you want to see a powerful software like Agent Tesla, we would like to suggest you OriginLogger.\r\nOriginLogger is an AT-based software and has all the features.”\r\nOriginLogger is in fact a variant of AgentTesla, since they share the same code base. Consequently, existing\r\ndetection methods for AgentTesla are effective for identifying OriginLogger, frequently causing OriginLogger\r\nsamples to be classified as belonging to the AgentTesla family. Similar to AgentTesla, OriginLogger operates as a\r\nlicense-based Malware as a Service (MaaS), maintaining a presence on the clear web, using suggestive websites\r\nsuch as agenttesla[.]com and originpro[.]me. Figure 1 presents the current face of the OriginLogger website.\r\nhttps://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims\r\nPage 1 of 7\n\nFig. 1 - Image from the OriginLogger website.\r\nThe website offers time-limited licenses for purchase, spanning up to six months. These licenses grant customers\r\naccess to the malware builder, enabling them to customize their own instance of AgentTesla, including the\r\nconfiguration of the data exfiltration method.\r\nWith AgentTesla and OriginLogger sharing so many similarities, distinguishing between them individually\r\nbecomes quite challenging. Throughout this article, we refer to both as AgentTesla for simplicity's sake, except\r\nwhen we are comparing them.\r\nSince its rebranding, the malware has undergone regular updates, with the most recent one occurring in\r\nNovember. 
It has been consistently ranked near the top of the most widespread and prevalent malware charts\r\npublished by platforms such as ANY.RUN, Unpac.Me, and MalwareBazaar.\r\nTypically, AgentTesla campaigns involve phishing emails carrying malicious attachments, oftentimes involving\r\nmalware loaders down the infection chain, such as GuLoader and PureCrypter, or as the initial infection vector,\r\nsuch as PrivateLoader. After all infection stages are executed on the victim's system, the final payload initiates\r\nactions to sustain persistence, aiming to harvest credentials, keystrokes, clipboard data, and screenshots for as long\r\nas possible. More specifically, it harvests a wide array of sensitive information from browsers, VPN clients, mail\r\nclients, FTP clients, VNC clients, Microsoft applications, and social media apps. Further details regarding tactics,\r\ntechniques, and procedures (TTPs) can be found here, here and here. This exfiltration of data can be accomplished\r\nthrough various protocols: SMTP, FTP, and HTTP – which encompass the Telegram and Discord APIs, both later\r\nintroduced on the OriginLogger variant in August 2020 and October 2022 respectively. Finally, the data is sent\r\nunencrypted to the threat actor’s server and remains there also unencrypted.\r\nFig. 2 - AgentTesla exfiltration methods by number of configs.\r\nFor the past 3 months, Bitsight identified more than 1500 AgentTesla configurations (which can be roughly\r\ntranslated to campaigns), extracted from samples originating from several diverse sources, including spam\r\ncampaigns. About 75% of these configurations primarily utilize email accounts for data exfiltration, although the\r\nuse of the Telegram API holds a significant share, around 14% (Fig. 2). The last observation of a configuration\r\nusing HTTP exfiltration was in December 2022.\r\nBitsight obtained access to 3 months of victim data from about 210 campaigns of the malware. 
Between October\r\nand December 2023, at least 5300 computers were compromised. From those, we're also able to identify about\r\n2000 IP addresses, which allow us to geographically map their location (Fig. 3) – although these IPs are only\r\nOriginLogger victims since IP grabbing functionality was not available in AgentTesla (older versions). The\r\navailable visibility over infected systems suggests that the most targeted country is by far the United States,\r\nfollowed by China and Germany.\r\nFig. 3 - Geographic distribution of victims (38% of observed victims).\r\nWhen looking at the types of data exfiltrated by AgentTesla, passwords were the most commonly collected, with\r\nalmost all campaigns aiming to harvest them, as Figure 4 shows.\r\nFig. 4 - Types of data most collected by percentage of active AgentTesla exfiltration accounts.\r\nFigure 5 depicts a word cloud of the top domains for stolen credentials. The results are consistent with\r\nexpectations given the geographical distribution of infections since the majority are from US companies, some are\r\nChinese, such as qq.com and 163.com, and there are also Russian, Turkish and Greek companies, including\r\ngovernment entities.\r\nFig. 5 - Top domains by number of victims\r\nHowever, this domain data reveals the nationality of the victims rather than the country their\r\ncomputer connects from. When we look at the most common country code top-level domains (ccTLDs), this data\r\npoint presents a view (Fig. 6) quite different from the world map view of victim locations (Fig. 3), where it\r\nsuggests that most victims most likely have ties with European countries (Turkey, Italy, Russia, Poland, Greece,\r\nRomania, Germany and Spain).\r\nFig. 
6 - Top ccTLDs by percentage of victims with at least one credential on that ccTLD.\r\nWhen all the mentioned data, also referred to as “logs” in the cybercriminal world, is collected by a financially\r\nmotivated threat actor, it’s either exploited or sold for further exploitation. For direct exploitation, threat actors\r\ngenerally use authentication information (cookie or password credentials) to transfer money, cryptocurrencies or\r\nany other valuable asset from the victims’ accounts to their own. Beyond direct exploitation, these actors use the\r\nacquired data for other profit-driven schemes, such as ransomware attacks – often resulting in data breaches, as in\r\nUber’s case – and business email compromise (BEC) attacks. The latter involves cybercriminals manipulating\r\nor impersonating trusted individuals within a company via email to deceive employees into taking actions that\r\ncompromise security or financial integrity. For instance, the threat actor intercepts an email between two parties\r\ninvolved in a transaction and modifies financial documents to direct funds to their bank accounts. As a matter of\r\nfact, AgentTesla malware has been utilized by a syndicate of Nigerian fraudsters to reroute financial transactions\r\nfrom corporate organizations, including oil and gas companies in South East Asia, the Middle East and North\r\nAfrica.\r\nIn conclusion, AgentTesla, a Windows malware operating under a Malware as a Service model, has proven to be a\r\npersistent threat since 2014. Its rebranding as OriginLogger and widespread campaigns highlight its adaptability\r\nand pervasiveness. Recent data analysis reveals thousands of victims, primarily in the United States, China, and\r\nGermany, with vast amounts of credentials exfiltrated. The stolen data not only poses a direct financial threat but\r\nalso fuels ransomware and business email compromise attacks. 
In the landscape of evolving cyber threats, while\r\naddressing the threat posed by malware as a service models is an important part of securing digital environments,\r\nit's also important to complement efforts against these specific threats with a comprehensive cybersecurity\r\nstrategy. This strategy should encompass a multi-layered defense approach, proactive threat detection, employee\r\nawareness programs, and continuous adaptation to defend effectively against a spectrum of cyber risks.\r\nFile/Memory detection rules (YARA):\r\nhttps://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/AgentTesla.yar\r\nSamples: https://bazaar.abuse.ch/browse/signature/AgentTesla/\r\nSource: https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims"
	],
	"report_names": [
		"data-insights-agenttesla-and-originlogger-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfb263652e44af5a6ccc150117a9e79a1aff3ede.pdf",
		"text": "https://archive.orkl.eu/cfb263652e44af5a6ccc150117a9e79a1aff3ede.txt",
		"img": "https://archive.orkl.eu/cfb263652e44af5a6ccc150117a9e79a1aff3ede.jpg"
	}
}