Agent Tesla is a .Net-based Remote Access Trojan (RAT) and data stealer commonly used for gaining initial access in Malware-As-A-Service (MaaS) operations. In this criminal model, threat actors known as initial access brokers (IABs) offer their expertise in exploiting corporate networks to affiliated criminal groups. As a first-stage malware, Agent Tesla enables remote access to a compromised system, which is then used to download more advanced second-stage tools, including ransomware.
First appearing in 2014, Agent Tesla saw a significant increase in use during the 2020s, particularly in COVID-19 PPE-themed phishing campaigns. It is delivered through phishing emails carrying attached .zip, .gz, .cab, .msi, and .img files, or Microsoft Office documents containing malicious Visual Basic for Applications (VBA) macros, which are used to compromise victim systems. Agent Tesla phishing campaigns are known for accurately mimicking the communication style and visual templates of legitimate companies, including their logos and fonts.
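As an added defensive illustration (not code from the original page or from any vendor), the following Python script triages mail attachments for the delivery vectors listed above: it flags the archive, installer and disk-image extensions named in the text and, for Office OOXML documents, opens the zip container to check for an embedded `vbaProject.bin` (the file that carries VBA macros). The sample documents are constructed in memory and are not real Office files.

```python
# Added example, not from the original page: attachment triage for the
# Agent Tesla delivery vectors described above. All sample inputs are constructed.
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# Archive / installer / disk-image extensions named in the text.
CONTAINER_EXTS = {".zip", ".gz", ".cab", ".msi", ".img"}
# Office OOXML formats; both macro-free and macro-enabled variants are zips.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

@dataclass
class Verdict:
    name: str
    reason: Optional[str]  # None means no indicator was found

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container carries a VBA macro project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all: cannot contain an OOXML macro part

def triage_attachment(name: str, data: bytes) -> Verdict:
    """Classify one attachment by extension and, for OOXML, by zip contents."""
    lower = name.lower()
    # Only the final extension matters: "invoice.pdf.zip" is still a .zip.
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in CONTAINER_EXTS:
        return Verdict(name, f"container/installer attachment ({ext})")
    if ext in OOXML_EXTS and has_vba_project(data):
        return Verdict(name, "Office document with embedded VBA project")
    return Verdict(name, None)

def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("invoice.docx", build_ooxml(False)),
               ("PPE_order.docm", build_ooxml(True)),
               ("shipment.img", b"\x00" * 32)]
    for n, d in samples:
        print(n, "->", triage_attachment(n, d).reason or "no indicator")
```

Extension matching alone is only a first filter; the zip inspection is what separates a plain .docx from a document that actually carries macros, regardless of the extension the sender chose.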
Although Agent Tesla’s second-stage capabilities are not as advanced as some other malware families, it can effectively steal a wide range of sensitive information. It also offers an easy-to-use interface for attackers to monitor the attack process and download stolen data, making it a popular choice for IABs.