{
	"id": "2ad15152-433e-4a71-b40b-ae21091d3810",
	"created_at": "2026-04-06T00:14:33.62439Z",
	"updated_at": "2026-04-10T13:13:06.285631Z",
	"deleted_at": null,
	"sha1_hash": "d77e576f14c673a6db53ec950620c27330f497b0",
	"title": "Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52631,
	"plain_text": "Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign\r\n| FortiGuard Labs\r\nBy Ariel Davidpur\r\nPublished: 2026-02-25 · Archived: 2026-04-05 12:56:05 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Windows Users\r\nImpact: Sensitive information stealing and keylogging\r\nSeverity Level: High\r\nBackground\r\nAgent Tesla remains one of the most persistent threats in the cyber landscape today. It allows even low-skilled\r\nthreat actors to harvest sensitive data through a highly sophisticated delivery pipeline. This research blog breaks\r\ndown a recent multi-stage infection chain that utilizes a blend of phishing, obfuscated and encrypted scripts, and\r\nadvanced in-memory execution and evasion techniques.\r\nInfection Chain\r\nEmail \u003e RAR attachment \u003e JScript loader (.jse) \u003e PowerShell (downloaded) \u003e PowerShell (in-memory execution)\r\n\u003e .NET loader (in-memory) \u003e .NET Agent Tesla payload (in-memory)\r\nStage 1: The Initial Hook – A Classic Phishing Play\r\nThe campaign begins with a deceptive, business-themed phishing email.\r\nThe Lure: Attackers use subject lines such as \"New purchase order PO0172\" to create a sense of\r\nurgency.\r\nStage 2: Script-Based Evasion and Encrypted Payloads\r\nOnce the victim executes the JSE file, it triggers a sequence of script-based evasion tactics.\r\nThe External Fetch: The script contacts the file-hosting service catbox[.]moe to download a secondary,\r\nencrypted PowerShell (.ps1) script.\r\nStage 3: In-Memory Execution via Process Hollowing\r\nFollowing the initial script-based evasion, the malware transitions into its most stealthy phase: Process\r\nHollowing.\r\nhttps://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign\r\nPage 1 of 4\n\nThe Target Process: The second-stage PowerShell script targets a legitimate system utility, specifically\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Aspnet_compiler.exe.\r\nThe Injection: The script contains two Base64-encoded assemblies (identifiable by the MZ header). It\r\nlaunches the legitimate process in a suspended state, \"hollows out\" its memory, and replaces it with the\r\nmalicious Agent Tesla code.\r\nStealthy Execution: This allows the malware to run under the guise of a trusted Windows process, making\r\nit difficult for basic security tools to identify the malicious activity.\r\nStage 4: Anti-Analysis—The Final \"Sanity Checks\"\r\nOnce the malicious code is loaded into the hollowed process, it performs a series of defensive checks to ensure the\r\nenvironment is safe for data exfiltration.\r\nVirtualization Probing: The malware queries WMI to identify if the manufacturer is \"VMware,\"\r\n\"VirtualBox,\" or \"Microsoft Corporation\" (Hyper-V).\r\nEvasion Trigger: If these environment checks fail (indicating a researcher’s VM or a sandbox), the\r\nmalware may cease operations to prevent further analysis of its C2 capabilities.\r\nStage 5: Data Theft and Exfiltration\r\nOnce firmly established, Agent Tesla begins its primary mission: harvesting sensitive data.\r\nCredential Harvesting: It systematically extracts browser cookies, including hostnames, expiry dates, and\r\nsecurity flags.\r\nConclusion\r\nAgent Tesla remains a cornerstone of the modern cyber-threat landscape, not because it is revolutionary, but\r\nbecause it is exceptionally adaptable. Operating under a \"Malware-as-a-Service\" model, it allows even low-skilled\r\nactors to deploy a highly sophisticated, multi-stage infection pipeline that rivals the complexity of advanced\r\npersistent threats.\r\nAs this analysis demonstrates, the true danger lies in its evasive delivery. From the initial obfuscated JSE loader to\r\nthe reflective loading of .NET assemblies and process hollowing of legitimate Windows utilities, Agent Tesla is\r\ndesigned to stay invisible. Its extensive anti-analysis checks further ensure that it only reveals its true nature when\r\nit’s certain it isn't being watched.\r\nFortinet Protections\r\nFortiMail detects and blocks phishing emails and strips malicious attachments (RAR/JSE). In addition, real-time\r\nanti-phishing protection provided by FortiSandbox, embedded across Fortinet’s FortiMail, web filtering, and\r\nantivirus solutions, enables advanced detection of both known and unknown phishing attempts. The FortiPhish\r\nphishing simulation service further supports user resilience by actively training and testing end users against real-world phishing techniques, including impersonation, Business Email Compromise (BEC), and ransomware\r\ndelivery.\r\nFortiEDR detects and stops Process Hollowing and memory-based attacks in real-time, and FortiGate performs\r\ninline blocking of malicious downloads at the network edge.\r\nThe FortiGuard CDR (Content Disarm and Reconstruction) service, available on both FortiGate and FortiMail,\r\ncan neutralize malicious content embedded in documents by removing active code while preserving document\r\nusability.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with\r\nthis campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT\r\ncollaborations, MITRE, trusted industry partners, and other intelligence sources.\r\nOrganizations seeking to strengthen foundational security awareness may also consider completing Fortinet\r\nCertified Fundamentals (FCF) training in Cybersecurity.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, contact our Global\r\nFortiGuard Incident Response Team for assistance.\r\nIndicators of Compromise (IOCs)\r\nIndicator Type | Value\r\nSHA256 Hashes | Cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1 - PO0172.jse\r\n83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54 - First encrypted PS1\r\n30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278 - stage 2 PS1\r\nB133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88 - Agent Tesla\r\nDownload URL | hxxps://files[.]catbox[.]moe/2x0j75[.]ps1\r\nC2 Mail Server | mail[.]taikei-rmc-co[.]biz\r\nTTPs:\r\nInitial Access: Phishing: Spearphishing Attachment (T1566.001)\r\nExecution: Command and Scripting Interpreter: PowerShell \u0026 JavaScript (T1059.001, T1059.007)\r\nDefense Evasion: Process Injection: Process Hollowing \u0026 Reflective Code Loading (T1055.012, T1620)\r\nDefense Evasion \u0026 Discovery: Virtualization/Sandbox Evasion: System Checks (T1497.001)\r\nCredential Access: Steal Web Session Cookie \u0026 Credentials from Password Stores (T1539, T1555.003)\r\nCollection: Data from Local System (T1005)\r\nExfiltration: Exfiltration Over Alternative Protocol: SMTP (T1048.003)\r\nSource: https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign"
	],
	"report_names": [
		"unmasking-agent-tesla-deep-dive-into-multi-stage-campaign"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d77e576f14c673a6db53ec950620c27330f497b0.pdf",
		"text": "https://archive.orkl.eu/d77e576f14c673a6db53ec950620c27330f497b0.txt",
		"img": "https://archive.orkl.eu/d77e576f14c673a6db53ec950620c27330f497b0.jpg"
	}
}