{
	"id": "6b62e4f8-3bdf-4745-b2ea-81e0adf31de0",
	"created_at": "2026-04-06T00:22:32.767241Z",
	"updated_at": "2026-04-10T03:30:32.953472Z",
	"deleted_at": null,
	"sha1_hash": "ea48243ba70b03ea8efd037b30a7ff27b7c771ba",
	"title": "Agent Tesla: The Punches Keep Coming",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 353676,
	"plain_text": "Agent Tesla: The Punches Keep Coming\r\nArchived: 2026-04-05 20:37:11 UTC\r\nBy Nathaniel Raymond\r\nAgent Tesla has become a massively popular choice of malware for threat actors since its first appearance in 2014\r\nand for good reasons. This vetted Malware-as-a-Service, MaaS, owes its popularity to many attractive factors that\r\nCofense has broken down in a previous Strategic Analysis which include being an affordable malware service\r\noption, easy to use, having multiple capabilities at and during infection time, and being flexible in its exfiltration\r\nchoices. These features, coupled with Agent Tesla’s relatively long life, have led this malware family to become\r\nthe most widespread malware distributed in email campaigns seen by Cofense. This Strategic Analysis aims to\r\nanalyze this five-year historical trend in email campaigns delivering Agent Tesla to understand Agent Tesla’s\r\nrecent past trends better and get a glimpse of potential future trends. A quick overview of the trend analysis\r\nsuggests that Agent Tesla email campaigns continue to rise yearly, with Q3 and Q4 being notably higher in email\r\nvolume.  \r\nKey Points\r\nAgent Tesla is a popular MaaS that entices threat actors of varying skill degrees through attractive features\r\nsuch as being an affordable malware service with multiple capabilities to exfiltrate and steal users’ data. \r\nAgent Tesla has a long history, dating to its discovery in 2014. Since then, it has only become more popular\r\nevery year, with most campaigns in Q3 and Q4 of each year. \r\nAgent Tesla has had a massive surge during the height of the COVID-19 epidemic, that is potentially due\r\nto lockdowns and work-from-home mandates. The trend analysis suggests that Agent Tesla has only since\r\ngrown in popularity. \r\nRecap: What is Agent Tesla? \r\nBy now, Agent Tesla needs no introduction. 
However, a quick overview of Agent Tesla is that it is an affordable\r\nMaaS, written using the .NET framework, with multiple capabilities during and after the initial infection. Agent\r\nTesla can be considered a bit of a Swiss army knife. It can play multiple roles as a keylogger and an information\r\nstealer and utilizes some RAT-like monitoring functionalities. Agent Tesla can also download other malicious\r\nprograms after infection. These features, coupled with the malware’s ability to use many exfiltration methods such\r\nas FTP, SMTP, Web Panels, and even Telegram bots, make this malware an incredibly popular choice among\r\nthreat actors of varying skill levels. \r\nTrends: Yearly \r\nThe overall trends in Figure 1 agree that Agent Tesla has increased yearly, with 2021 having the most volume.\r\nThe 2021 volume increase was potentially due to stay-at-home mandates declared during the height of\r\nthe COVID-19 pandemic which made some users work from home. This was a challenge for many businesses as\r\nhttps://cofense.com/blog/agent-tesla-the-punches-keep-coming/\r\nPage 1 of 4\n\nemployees may not have been accustomed to working at home during this time. Although Agent Tesla increased in\r\n2021, this spike in volume was only one of many threats to increase in 2021, as the FBI (Federal Bureau of\r\nInvestigation) claimed a 400% increase in cyber-attacks seen during the pandemic. We witness that 2022 and 2023\r\nhave increased since 2019 and 2020, with 2023 having the most volume aside from 2021. We also note that if trends\r\ncontinue, this year may see Agent Tesla reaching volumes seen in 2021. \r\nFigure 1: Agent Tesla volumes by year.\r\nTrends: Quarterly \r\nWhile Agent Tesla or a delivery mechanism(s) that delivers Agent Tesla may potentially reach a user’s inbox at\r\nany time, Figure 2 suggests that Q3 and Q4 have the highest volume per year, marking them as the time Agent\r\nTesla poses a higher chance, simply by volume. 
Unlike other first quarters in the past five years, the\r\nfirst quarter of 2024 saw the most emails delivering Agent Tesla by volume. Not only has Q1 of 2024 beaten\r\nprevious first quarters, but it has also overshadowed many previous quarters in their respective years. This lends\r\ncredibility to the trends in Figure 1, which show that Agent Tesla volumes are projected to increase yearly. \r\nFigure 2: Agent Tesla quarterly trends. \r\nReaching New Heights\r\nThanks to the detection improvements made at Cofense, we can see that not only did Q1 of 2024 have more\r\nvolume than most of the past quarters in the past 5 years, but it has also been attributed to increasing weekly\r\nvolumes and averages. However, it is important to recognize that this observation in Q1 2024 does not necessarily\r\nindicate an increase in the distribution of Agent Tesla as a whole. Rather, it reflects the enhancements in our\r\ndetection capabilities, allowing us to identify a greater extent of the existing instances. \r\nFigure 3: Year-over-year average increase. \r\nPutting It All Together \r\nWith enhanced detection capabilities made at Cofense increasing weekly averages and Q1 2024 numbers, 2024 is\r\nset to potentially repeat this trend, thus following the increasing volume trend in Figure 1 and\r\npotentially meeting or exceeding 2021 email volumes. Q3 and Q4 each year carry the highest likelihood that\r\nAgent Tesla will be delivered to a user’s inbox, simply due to increased volumes versus Q1 or Q2, as shown in\r\nFigure 2.  \r\nSource: https://cofense.com/blog/agent-tesla-the-punches-keep-coming/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://cofense.com/blog/agent-tesla-the-punches-keep-coming/"
	],
	"report_names": [
		"agent-tesla-the-punches-keep-coming"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434952,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea48243ba70b03ea8efd037b30a7ff27b7c771ba.pdf",
		"text": "https://archive.orkl.eu/ea48243ba70b03ea8efd037b30a7ff27b7c771ba.txt",
		"img": "https://archive.orkl.eu/ea48243ba70b03ea8efd037b30a7ff27b7c771ba.jpg"
	}
}