{
	"id": "fcd00ec0-a20f-4872-aba8-e2012b880ce6",
	"created_at": "2026-04-06T00:08:56.967242Z",
	"updated_at": "2026-04-10T03:36:48.458999Z",
	"deleted_at": null,
	"sha1_hash": "f44fcab8f7cdf80d6ec134f102fb873311efacb2",
	"title": "Agent Tesla Keylogger delivered using cybersquatting | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 716977,
	"plain_text": "Agent Tesla Keylogger delivered using cybersquatting | Zscaler\r\nBy Deepen Desai\r\nPublished: 2016-08-25 · Archived: 2026-04-02 10:38:46 UTC\r\nIntroduction\r\nZscaler ThreatLabZ recently came across an attack chain in which cybersquatting was being used to deliver a commercial keylogger, called “AgentTesla,” with the intent of stealing confidential information. The keylogger payload was configured to relay the stolen information back to the cyber-squatted domain, which had been registered two months prior to the attack.\r\nThe malicious domain in this case was “diodetechs[.]com”, imitating diodetech[.]com, which belongs to a legitimate consulting firm that offers a variety of services to global enterprises. We notified Diode Technologies about the attack earlier this month and the offending domain has been suspended.\r\nAgentTesla keylogger\r\nAgentTesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. It is written in .NET and supports all versions of the Windows operating system. In this blog, we will analyze the AgentTesla payload that was used in the attacks involving the cyber-squatted domain ‘diodetechs[.]com’.\r\nhttps://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting\r\nPage 1 of 7\r\nFigure 1: Subscription packages of AgentTesla keylogger\r\nThe infection cycle\r\nThe infection cycle typically starts with a malicious Office document that arrives as an e-mail attachment. The document uses the social engineering tactics covered here to lure the user into running the embedded macro, which downloads and installs the malware executable. The malware executable is the AgentTesla keylogger, which was hosted at the following location:\r\ndiodetechs[.]com/bless/cc.exe [cyber-squatted domain]\r\nMD5 - e4117e6974363cac8b37e5e3ff5d07a6\r\nFigure 2: AgentTesla configuration panel\r\nInstallation\r\nThe AgentTesla payload is downloaded to and executed from “%temp%\\cc.exe”. It makes a copy of itself as “JavaUpdtr.exe” in the “%Application Data%\\Java\\” directory, pretending to be a Java updater. It also creates the following registry entry to remain persistent across system reboots:\r\nHKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run @ Java Updtr\r\nThe installer then starts a new ‘MSBuild.exe’ process in suspended mode and injects itself into that process before resuming its execution. This is where the keylogging, screen capturing, and other information collection modules are started. The author leveraged legitimate password recovery tools like IEPasswordDump and MailPassView to steal user credentials from Internet Explorer \u0026 Microsoft Outlook.\r\nFigure 3: Embedded IEPasswordDump utility\r\nThe logged keystroke information is saved at “%temp%\\log.tmp” in plain text and the screenshots are saved in the folder “%appdata%\\ScreenShot\\”. The information collected from the victim’s machine is relayed to the remote C\u0026C server every 20 minutes.\r\nBot configuration\r\nThe configuration file contains the full list of modules that were configured by the attacker. This version has multiple modules enabled, including keylogging, screenshot capturing, and password stealing, as shown below:\r\nFigure 4: AgentTesla bot configuration\r\nModule information\r\nWhat follows is a brief overview of the modules that are supported by this payload.\r\nUSB Spreader – Capable of spreading through USB drives\r\nMelt – Capable of uninstalling itself from the victim’s machine\r\nWebcam – Capable of taking images through the victim machine’s webcam\r\nScreenShot – Capable of taking screenshots capturing user activity\r\nKeylogger – Capable of logging keystrokes from traditional as well as virtual keyboards; it can also log data from the clipboard\r\nPassword stealing – Capable of stealing stored passwords from various applications, like Chrome, Opera, Yandex, Firefox, IE, SeaMonkey, Comodo, Chromium, dyndns, Filezilla, FlashFXP, Outlook, Netscape, and others\r\nAnti-Analysis – Capable of terminating multiple antivirus, security, and analysis programs running on the victim machine; it is also capable of detecting popular sandboxes and virtual environments\r\nAdditionally, AgentTesla is capable of disabling UAC, Taskmgr, CMD, Run, Control Panel, Regedit, SystemRestore, etc., on a victim’s machine.\r\nFigure 5: AgentTesla disabling system features\r\nNetwork activity\r\nThe payloads that we analyzed were all connecting to agenttesla[.]com upon successful installation to check for keylogger software updates, as seen below:\r\nFigure 6: AgentTesla C\u0026C activity\r\nThe malware then starts sending collected information and screenshots to the remote server.\r\nFormat of the data it sends:\r\ntype={0}\u0026hwid={1}\u0026time={2}\u0026pcname={3}\u0026logdata={4}\u0026screen={5}\u0026ipadd={6}\u0026wbscreen={7}\u0026client={8}\u0026link={9}\u0026username={10}\u0026password={11}\u0026screen_name={12}\u0026site_username={13}\r\nCommand – Description\r\nwebcam – Send images collected via webcam to C\u0026C server\r\nscreenshots – Send screenshots to C\u0026C\r\nkeylog – Send keystroke logs to C\u0026C\r\nupdate – Update keylogger binary\r\ninfo – Send victim’s machine information to C\u0026C\r\nuninstall – Uninstall binary\r\npasswords – Send stolen passwords to C\u0026C\r\nConclusion\r\nOur investigation of this attack chain started with the keylogger payload getting flagged in the cloud sandbox for an enterprise customer. Further analysis revealed the use of cybersquatting for delivering the malware executable. The malicious domain was registered on the same day that the malicious documents, which claimed to be “Purchase Orders,” were modified for the attack.\r\nZscaler ThreatLabZ will continue to monitor and ensure coverage against these malware payloads.\r\nBlog by: Abhaykant Yadav, Deepen Desai\r\nSource: https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting"
	],
	"report_names": [
		"agent-tesla-keylogger-delivered-using-cybersquatting"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f44fcab8f7cdf80d6ec134f102fb873311efacb2.pdf",
		"text": "https://archive.orkl.eu/f44fcab8f7cdf80d6ec134f102fb873311efacb2.txt",
		"img": "https://archive.orkl.eu/f44fcab8f7cdf80d6ec134f102fb873311efacb2.jpg"
	}
}