Agent Tesla is a highly prevalent, commercially available Information Stealer (InfoStealer) and advanced Keylogger written in .NET. It is sold openly on underground forums under a Malware-as-a-Service (MaaS) model, making it accessible to low-skill threat actors. It is designed to comprehensively harvest sensitive data from infected machines, focusing heavily on corporate email credentials, web browser data, and capturing user keystrokes.
Infection Vector and Technical Capabilities
Agent Tesla is overwhelmingly distributed via targeted phishing and broad malspam campaigns. The emails typically contain malicious ZIP files, ISO images, or weaponized Office documents (using equation editor exploits or macros) that execute the initial dropper.
Once active, it operates as a stealthy data vacuum:
Extensive Credential Harvesting: Agent Tesla targets dozens of specific applications. It decrypts and steals saved passwords from web browsers (Chrome, Edge, Firefox), email clients (Outlook, Thunderbird), FTP clients, and VPN software.
Surveillance (Keylogging & Screen Capture): It features a robust keylogger that captures every keystroke. It also routinely takes covert screenshots of the victim's desktop, compiling all this data into hidden, encrypted log files.
Diverse Exfiltration Methods: To evade network detection, Agent Tesla supports multiple exfiltration channels. It can send the stolen data back to the attacker via traditional SMTP (email), upload it to a compromised FTP server, or increasingly, abuse the legitimate Telegram API or Discord webhooks to exfiltrate data through trusted encrypted channels.
Threat Assessment
An Agent Tesla infection is a severe data privacy and security breach. The theft of valid corporate email credentials leads directly to catastrophic Business Email Compromise (BEC) fraud, while stolen VPN credentials provide attackers with direct access to the internal network.
Incident Response and Remediation
Mandatory Credential Reset: Assume all passwords typed or saved on the infected machine are compromised. Immediately force a password reset for the user's Active Directory account, corporate email, VPN access, and any relevant third-party services.
MFA Enforcement: Ensure strict Multi-Factor Authentication (MFA) is enforced across all corporate portals to mitigate the risk of stolen passwords being reused.
Egress Traffic Analysis: Because Agent Tesla often uses Telegram or SMTP for exfiltration, review firewall logs for anomalous outbound connections from the endpoint. Block unauthorized use of the Telegram API or non-standard SMTP traffic.
Known aliases
Threat reports may refer to this family under multiple names:
Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.
Loaders like GuLoader and Snake Keylogger droppers
Network indicators
SMTP to attacker-controlled mailbox (often a free webmail account)
FTP uploads to compromised legitimate hosts
Telegram Bot API calls to api.telegram.org
Persistence mechanisms
Copy to %APPDATA% with randomized filename
Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled task with hidden window
Detection Guidance
Detection ideas drawn from public reporting. Tune to your environment before deploying.
YARA rule AgentTesla_Stealer from public repos
Network rule for SMTP authentication from non-mail-server hosts
EDR rule for RegAsm.exe or AppLaunch.exe with no parent IDE process
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.