Agent Tesla

Also known as: AgenTesla, AgentTesla, Negasteal

According to Palo Alto Networks Unit 42, Agent Tesla is a widely used .NET-based (C#) commercial keylogger and information stealer whose leaked builders have made it easily obtainable for many threat actors. It can log keystrokes, capture clipboard contents, take screenshots, and harvest credentials or other valuable data from browsers, email clients and local files, then exfiltrate this information via HTTP(S), SMTP, FTP or Telegram channels. Unit 42’s analysis shows that OriginLogger is a direct evolution and variant of Agent Tesla, heavily reusing its code and configuration-handling techniques so that many Agent Tesla-focused detection rules still catch OriginLogger. This tight relationship positions Agent Tesla as the predecessor in a closely related family of .NET stealers, with OriginLogger continuing and expanding its functionality.

Linked Threat Actors

SWEED

C2 Infrastructure

Hosting type (last 7 days): Hosting/VPS 100%

Jun 15, 2026: C2 Hosts: 1

Further Reading

PrivateLoader: the loader of the prevalent ruzki PPI service

PrivateLoader is a downloader malware family. It is used as part of a PPI service, to deliver payloads of multiple malware families.

blog.sekoia.io
Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example.

cocomelonc.github.io
Foxit PDF “Flawed Design” Exploitation - Check Point Research

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive uns...

research.checkpoint.com
Security and transparency in online casinos in Italy

Difesa e Sicurezza: your reliable source for online security and protection against casino scams in Italy.

difesaesicurezza.com
DarkTortilla Malware Analysis

Learn how Secureworks CTU researchers have identified DarkTortilla samples delivering targeted malicious payloads, benign decoy documents, and executables.

secureworks.com
IPFS: A New Data Frontier or a New Cybercriminal Hideout? | Trend Micro (US)

In this article, we briefly detail what IPFS is and how it works at the user level, before providing up to date statistics about the current usage of IPFS by cybercriminals, especially for hosting ...

trendmicro.com
Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware | Trend Micro (US)

We discovered a Negasteal variant that uses hastebin to filelessly deliver Crysis ransomware to the victim's system.

trendmicro.com
Agent Tesla Keylogger delivered using cybersquatting | Zscaler

Zscaler ThreatLabZ explores an attack chain, which uses cybersquatting to deliver a commercial keylogger, called AgentTesla — to steal confidential information.

zscaler.com
Analysis of top non-HTTP/S threats | Zscaler Blog

In this article, the Zscaler security research team dissects the custom protocols used in some of the most prevalent RATs seen in recent campaigns. Read more.

zscaler.com
The Italian hub of Cyber Security

Let's build a secure digital world, together. Security, Resilience, Innovation. Tinexta Cyber is one of the leading Italian companies in the field of cybersecurity and system integration, part of the G...

yoroi.company