AgentTesla

Category: infostealer · Aliases: aitesla, negasteal · Sample count (EMBER 2018): 43 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

AgentTesla is a prolific commodity information-stealer and keylogger written in .NET, in continuous development since 2014. It harvests credentials from over 70 applications including browsers, email clients, FTP clients, and VPN software, and exfiltrates data via email, FTP, or HTTP. AgentTesla is one of the most commonly observed malware families in business email compromise campaigns, typically delivered through phishing with malicious Office attachments or archive files.

MITRE ATT&CK Techniques

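This family has been observed using the following ATT&CK techniques: T1566.001 (Phishing: Spearphishing Attachment), T1056.001 (Input Capture: Keylogging), T1071.001 (Application Layer Protocol: Web Protocols), and T1555.003 (Credentials from Password Stores: Credentials from Web Browsers).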

Frequently Asked Questions

How does AgentTesla spread?

Agent Tesla is delivered primarily through phishing emails carrying weaponized Office documents, ISO images, or compressed archives, often using malicious macros or exploits to drop the payload.

What are the signs of an AgentTesla infection?

Common signs include unexpected outbound SMTP, FTP, or Telegram traffic for credential exfiltration, browser password-manager prompts, and antivirus alerts referencing Agent Tesla or Negasteal.

What should I do if I think I have AgentTesla on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/agenttesla.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.