{
  "family": "agenttesla",
  "sample_count": 43,
  "category": "infostealer",
  "description": "AgentTesla is a prolific commodity information-stealer and keylogger written in .NET, in continuous development since 2014. It harvests credentials from over 70 applications including browsers, email clients, FTP clients, and VPN software, and exfiltrates data via email, FTP, or HTTP. AgentTesla is one of the most commonly observed malware families in business email compromise campaigns, typically delivered through phishing with malicious Office attachments or archive files.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "aitesla",
    "negasteal"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is AgentTesla?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "AgentTesla is a prolific commodity information-stealer and keylogger written in .NET, in continuous development since 2014. It harvests credentials from over 70 applications including browsers, email clients, FTP clients, and VPN software, and exfiltrates data via email, FTP, or HTTP. AgentTesla is one of the most commonly observed malware families in business email compromise campaigns, typically delivered through phishing with malicious Office attachments or archive files."
      }
    },
    {
      "@type": "Question",
      "name": "How does AgentTesla spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "AgentTesla is delivered primarily through phishing emails carrying weaponized Office documents, ISO images, or compressed archives, often using malicious macros or exploits to drop the payload."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of an AgentTesla infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Common signs include unexpected outbound SMTP, FTP, or Telegram traffic (channels used to exfiltrate stolen credentials), unexpected browser password-manager prompts, and antivirus alerts referencing Agent Tesla or Negasteal."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have AgentTesla on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
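        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance. Because AgentTesla steals credentials and logs keystrokes, disconnect the affected machine from the network and change the passwords of accounts used on it from a separate, known-clean device."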
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1056.001",
    "T1071.001",
    "T1555.003"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}