
Introduction
Cybercriminals continue to refine their tactics, relying less on complex exploits and more on stealthy execution methods that bypass traditional security defenses. One of the latest examples comes from a newly observed phishing campaign distributing the well-known credential-stealing malware Agent Tesla. Security researchers have discovered that this campaign uses advanced techniques such as multi-stage payload delivery, encrypted scripts, in-memory execution, and process hollowing to remain hidden from antivirus software and sandbox environments.
Instead of relying on obvious malware files, the attackers combine social engineering with layered scripting mechanisms that quietly load malicious code directly into system memory. This approach significantly reduces the chances of detection and makes forensic analysis more difficult. Even more concerning is that Agent Tesla continues to operate under a Malware-as-a-Service (MaaS) model, allowing inexperienced attackers to deploy sophisticated campaigns with minimal technical knowledge.
The new campaign demonstrates how modern cyber threats are evolving toward stealth, automation, and scalability, posing serious challenges for enterprise security teams.
A Phishing Email That Starts the Infection
The attack begins with a carefully crafted phishing email disguised as a legitimate business communication. The email typically contains subject lines such as “New purchase order PO0172”, which creates urgency and encourages the recipient to open the attached file.
Inside the email is a compressed archive named PO0172.rar. This archive hides the first malicious component of the attack chain.
Unlike typical malware attachments that contain executable files like .exe or .bat, the archive contains an encoded JScript file named PO0172.jse. Because this file type is less commonly blocked by email security filters, it increases the chances that the malicious attachment will pass through gateway defenses.
Once the victim opens and executes the file, the JScript begins the next stage of the infection process.
The JScript Loader Downloads the Next Payload
The JScript file functions as a downloader rather than the final payload. Its main purpose is to connect to an external file-hosting service and retrieve additional malicious code.
The script contacts catbox[.]moe, a public file-hosting platform, and downloads an encrypted PowerShell script (.ps1).
This design provides multiple advantages for attackers. By storing the payload remotely, they can update or replace the malicious code without changing the phishing email. It also reduces the amount of suspicious content inside the initial attachment.
After the download completes, the PowerShell script becomes responsible for decrypting and launching the next stage of the attack.
Encryption and In-Memory Execution
The downloaded PowerShell script includes a custom decryption routine that uses AES encryption in CBC mode with PKCS7 padding. This encryption protects the malicious payload from security scanning tools that attempt to analyze scripts before execution.
Once the script decrypts the payload, it does not write the malware to disk.
Instead, the decrypted code is executed directly in system memory, leaving no readable files behind. This technique significantly reduces the chance that antivirus software will detect the attack, since many security tools focus primarily on scanning files stored on disk.
The infection process follows a carefully designed multi-stage chain:
Email → RAR attachment → JSE loader → PowerShell downloader → In-memory PowerShell → .NET loader → In-memory Agent Tesla payload
Each stage serves as a layer of obfuscation and stealth.
Process Hollowing for Stealth Execution
One of the most sophisticated parts of the attack involves a technique called process hollowing.
During this stage, the PowerShell script launches a legitimate Windows utility:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
However, the program is started in a suspended state. This allows the malware to manipulate the process before it begins normal execution.
The attacker then removes the program’s original code from memory and replaces it with the malicious Agent Tesla payload.
From the operating system’s perspective, the process still appears to be the legitimate Microsoft utility. But internally, it is running malicious code.
This disguise helps the malware evade detection because many security systems trust signed Windows binaries and may not inspect their memory contents.
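As an added defender-side example (not code from the report or from cyberpress.org), the following Python flags the parent-child relationships that the chain above produces in process-creation telemetry: a script host spawning PowerShell, PowerShell running a .ps1 from the user's Temp folder, and PowerShell spawning Aspnet_compiler.exe. It assumes Sysmon-style Image/ParentImage/CommandLine fields, that the .jse is run by the default script host wscript.exe, and that the downloaded .ps1 lands in Temp; the sample events are constructed, not captured from the campaign.

```python
"""Flag the delivery chain from the report (JSE loader -> PowerShell -> hollowed
Aspnet_compiler.exe) in process-creation telemetry. Added defender example, not
code from the report; fields mirror Sysmon Event ID 1, SAMPLE is constructed."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str

# Assumption: a double-clicked .jse is run by the default script host wscript.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HOLLOW_TARGET = "aspnet_compiler.exe"   # utility named in the report

def basename(path: str) -> str:
    # Last path component, lower-cased, tolerant of either slash style
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the detection names an event triggers (empty if benign)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    hits = []
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
    if img == "powershell.exe" and ".ps1" in cmd and "\\temp\\" in cmd:
        hits.append("powershell_runs_script_from_temp")
    if img == HOLLOW_TARGET and parent == "powershell.exe":
        # Aspnet_compiler.exe is build tooling; PowerShell as parent is abnormal
        hits.append("powershell_spawns_aspnet_compiler")
    return hits

def scan(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map each detection name to the indices of the events that fired it."""
    results: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            results.setdefault(name, []).append(i)
    return results

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed events following the report's chain, plus one benign
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\u\Downloads\PO0172.jse"'),
    ProcEvent(PS, r"C:\Windows\System32\wscript.exe",
              r"powershell -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\2x0j75.ps1"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
              PS, "Aspnet_compiler.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]
```

Running `scan(SAMPLE)` fires the first two rules on the PowerShell event and the third on the Aspnet_compiler.exe event, while the benign notepad.exe record is left alone.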
Anti-Analysis Techniques
Before activating its data-stealing capabilities, Agent Tesla performs a series of checks designed to detect security research environments.
The malware queries Windows Management Instrumentation (WMI) to determine whether the system is running inside a virtual machine environment such as VMware, VirtualBox, or Hyper-V.
It also scans for specific DLL files associated with antivirus software and sandbox analysis tools.
If the malware detects indicators of a virtual environment or security software, it may stop executing altogether. This tactic prevents researchers from observing the malware’s behavior or capturing its command-and-control communication.
These anti-analysis measures are increasingly common in modern malware campaigns.
Data Theft and Exfiltration
Once Agent Tesla confirms that it is operating on a real victim system, it begins collecting sensitive information.
The malware is designed primarily as a credential-stealing tool. It gathers a wide range of data, including:
• Browser cookies
• Saved login credentials
• System information
• Email contacts and personal data
The collected information is compiled into text files and prepared for exfiltration.
Instead of using traditional command-and-control servers, this campaign sends the stolen data via SMTP email to a remote server:
mail[.]taikei-rmc-co[.]biz
Using email as a data-exfiltration method can make detection more difficult, since email traffic is common in most corporate networks.
Indicators of Compromise (IOCs)
Security researchers identified several technical indicators associated with this campaign.
SHA256 Hashes:
• Cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1 – PO0172.jse
• 83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54 – First encrypted PS1
• 30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278 – Stage 2 PS1
• B133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88 – Agent Tesla payload
Download URL:
hxxps://files[.]catbox[.]moe/2x0j75[.]ps1
Command and Control Mail Server:
mail[.]taikei-rmc-co[.]biz
Organizations can use these indicators to detect potential infections or block malicious communications.
What Undercode Say:
The latest Agent Tesla campaign illustrates a significant shift in how modern malware operations function. Instead of relying on new software vulnerabilities, attackers increasingly focus on blending legitimate tools, scripting environments, and memory-based execution to remain invisible.
This strategy works because most enterprise security systems were originally designed to detect files, not memory behavior. When malware never writes a payload to disk, traditional antivirus scanning becomes far less effective.
Another important aspect is the layered execution chain used in this campaign. Each stage of the infection appears relatively harmless when viewed independently. A compressed archive, a script file, a PowerShell command, and a legitimate Windows utility are all common elements in everyday IT environments. However, when combined sequentially, they form a powerful stealth delivery mechanism.
The continued popularity of Agent Tesla also highlights the impact of the Malware-as-a-Service ecosystem. Attack kits are now sold or rented in underground forums, meaning attackers no longer need deep technical skills. A phishing kit combined with a MaaS subscription can allow almost anyone to launch large-scale campaigns.
This democratization of cybercrime dramatically increases the number of attacks happening worldwide.
Another critical observation is the use of public hosting services like catbox[.]moe to distribute payloads. Because these services are legitimate and widely used, blocking them entirely may disrupt normal business operations. Threat actors exploit this trust to hide malicious downloads within legitimate traffic patterns.
The campaign also demonstrates how PowerShell remains a favorite tool for attackers. PowerShell is powerful, flexible, and deeply integrated into Windows systems. Security teams often struggle to distinguish between legitimate administrative scripts and malicious commands.
Process hollowing further complicates detection. By injecting malicious code into a trusted Microsoft binary, attackers effectively disguise the malware’s execution identity. Many security monitoring systems rely on process names or digital signatures to assess risk, and this technique bypasses those checks.
The anti-analysis features are also noteworthy. Virtual machine detection is designed specifically to defeat malware research environments. When malware refuses to run inside sandboxes, analysts lose visibility into its behavior, which slows down threat intelligence and detection development.
From a defensive perspective, the campaign reinforces the importance of behavior-based detection rather than file-based scanning alone. Monitoring unusual PowerShell activity, suspicious process injection, and abnormal network behavior can reveal attacks that traditional antivirus misses.
Another defense strategy involves email security awareness. Even the most sophisticated malware campaign still relies on a human victim opening a malicious attachment. Training employees to recognize suspicious purchase orders, invoices, or unexpected documents can dramatically reduce infection rates.
Organizations should also deploy endpoint detection and response (EDR) systems capable of monitoring memory activity and detecting process injection attempts.
Agent Tesla has existed for years, yet it continues to evolve and remain widely used. This persistence proves that cybercriminals do not necessarily need new malware to succeed. Instead, they simply refine delivery techniques and combine existing tools in more stealthy ways.
In the coming years, the biggest challenge for security teams will be adapting to threats that live almost entirely in memory, leaving minimal forensic evidence behind.
Fact Checker Results
✅ Agent Tesla is a well-known credential-stealing malware widely used in phishing campaigns.
✅ Process hollowing and in-memory execution are documented techniques used to evade antivirus detection.
❌ The specific campaign details may vary over time as attackers frequently update infrastructure and payload delivery methods.
Prediction
🔮 Memory-only malware execution will become one of the most dominant attack techniques in enterprise breaches.
🔮 Malware-as-a-Service platforms will continue lowering the barrier for cybercriminals worldwide.
🔮 Future security tools will increasingly rely on behavioral AI detection instead of traditional signature scanning.
References:
Reported By: cyberpress.org