{"id":20852,"date":"2026-05-14T11:55:31","date_gmt":"2026-05-14T11:55:31","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=20852"},"modified":"2026-05-14T12:30:01","modified_gmt":"2026-05-14T12:30:01","slug":"agent-tesla-latam-enterprise","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/","title":{"rendered":"LATAM Under Siege: Agent Tesla&#8217;s 18-Month Credential Theft Campaign Against Chilean Enterprises"},"content":{"rendered":"\n<p><em><strong>Editor\u2019s note:<\/strong><\/em><em style=\"\"><b>\u00a0The analysis is authored by Moises Cerqueira, <\/b><\/em><strong><em>malware researcher &amp; threat hunter. You can\u00a0find Moises on <a href=\"https:\/\/www.linkedin.com\/in\/moises-cerqueira\/\">LinkedIn<\/a> and <a href=\"https:\/\/x.com\/0x_Olympus\">X<\/a>.<\/em><\/strong><\/p>\n\n\n\n<p>Credential&nbsp;theft&nbsp;malware rarely announces itself with ransomware-level noise. Instead, it&nbsp;operates&nbsp;like a silent siphon hidden inside everyday business workflows: invoices, payroll files, purchase orders, procurement requests. 
Agent Tesla campaigns are especially dangerous because they target the operational arteries of organizations, harvesting credentials that enable deeper compromise, business email compromise (BEC), financial fraud, cloud account takeover, and long-term espionage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Agent Tesla&nbsp;remains&nbsp;highly effective in LATAM due to cheap licensing and easy configuration combined with&nbsp;<strong>region-specific social engineering<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-stage loaders using .NET Reactor 6.x and Process Hollowing&nbsp;<strong>evade most static detection tools<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Financial and procurement departments<\/strong>&nbsp;are high-priority targets through purchase order and payroll-themed lures.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compromised legitimate infrastructure<\/strong>&nbsp;(e.g., Romanian FTP servers) complicates blocking and attribution.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fileless execution and cleartext FTP exfiltration<\/strong>&nbsp;make dynamic sandbox analysis essential.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The campaign has&nbsp;maintained&nbsp;the same C2 infrastructure for at least 18 months,&nbsp;indicating&nbsp;<strong>sustained, professional operations<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Organizations can significantly improve defenses through&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>interactive sandboxing<\/strong><\/a><strong>, targeted awareness training, and outbound FTP 
monitoring<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This investigation reveals an active Agent Tesla campaign specifically targeting Chilean and broader LATAM enterprises through procurement-themed phishing lures. The malware chain combines social engineering, obfuscated loaders, process hollowing, fileless execution, and FTP-based credential exfiltration to evade traditional defenses.<\/p>\n\n\n\n<p><strong>For organizations, the business impact extends far beyond a single infected endpoint: stolen browser, VPN, email, and FTP credentials can become the entry point for supply chain compromise, lateral movement, and unauthorized access to sensitive corporate systems.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Overview: Agent Tesla in the LATAM Context&nbsp;<\/h2>\n\n\n\n<p>Latin America has become an increasingly attractive target for commodity malware operators. The combination of rapid digitalization, growing SME supply chains, and historically lower security maturity makes the region fertile ground for credential stealers. Among these,&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/agenttesla\/\" target=\"_blank\" rel=\"noreferrer noopener\">Agent Tesla<\/a>&nbsp;consistently ranks as one of the most deployed families \u2014&nbsp;cheap&nbsp;to license, easy to configure, and devastatingly effective against organizations with limited email security controls.&nbsp;<\/p>\n\n\n\n<p>In March 2026, during routine threat hunting, we&nbsp;identified&nbsp;a malware sample delivered inside a RAR archive named&nbsp;<em>Orden de&nbsp;compra_pdf.uu<\/em>&nbsp;\u2014 Spanish for \u2018<em>purchase order<\/em>\u2019&nbsp;\u2014&nbsp;a social engineering lure specifically crafted for the Chilean and broader LATAM business environment. 
What followed was a multi-day investigation that uncovered not just a single sample, but a persistent infrastructure that has been quietly exfiltrating credentials from LATAM enterprises since at least mid-2024.&nbsp;<\/p>\n\n\n\n<p>Agent Tesla is a .NET-based keylogger and credential stealer, commercially sold as a \u2018Remote Administration Tool\u2019 since 2014. Despite its age, it&nbsp;remains&nbsp;highly active because operators can&nbsp;purchase&nbsp;access cheaply and configure it through a GUI without programming knowledge. Its primary capabilities include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential theft<\/strong> \u2014 browsers (Chrome, Firefox, Edge), email clients (Outlook, Thunderbird), FTP clients;&nbsp;<\/li>\n\n\n\n<li><strong>Keylogging<\/strong> \u2014&nbsp;captures&nbsp;all keystrokes in real time;&nbsp;<\/li>\n\n\n\n<li><strong>Screenshot capture<\/strong> \u2014&nbsp;periodic&nbsp;desktop screenshots;<\/li>\n\n\n\n<li><strong>Clipboard monitoring<\/strong>&nbsp;\u2014&nbsp;intercepts copied passwords and crypto wallet addresses;&nbsp;<\/li>\n\n\n\n<li><strong>Exfiltration channels<\/strong>&nbsp;\u2014&nbsp;SMTP, FTP, HTTP, or Telegram bot API.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In the LATAM context, Agent Tesla operators typically use spear-phishing lures themed around business documents: purchase orders, payment receipts, payroll files, and invoices. This campaign follows that pattern precisely, targeting the financial and procurement workflows of Chilean companies.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Business Impact: Why Agent Tesla Is a Serious Enterprise Threat&nbsp;<\/h2>\n\n\n\n<p>While Agent Tesla is often categorized as a \u201ccommodity stealer,\u201d the operational impact on organizations can be severe. 
In many environments, credential theft creates&nbsp;the conditions&nbsp;for larger and more expensive incidents.&nbsp;<\/p>\n\n\n\n<p><strong>Financial Fraud and Business Email Compromise<\/strong>&nbsp;<\/p>\n\n\n\n<p>The campaign specifically impersonates procurement and finance-related documents,&nbsp;indicating&nbsp;deliberate targeting of employees who routinely handle invoices, payment approvals, supplier communications, and payroll operations. Once email credentials are stolen, attackers can hijack ongoing financial conversations, redirect payments, or conduct BEC attacks that appear fully legitimate.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Supply Chain Exposure<\/strong>&nbsp;<\/p>\n\n\n\n<p>Compromised FTP, VPN, and email accounts may provide indirect access to suppliers,&nbsp;logistics&nbsp;providers, distributors, and partner organizations. This creates a multiplier effect where a single infection can propagate trust-based compromise across the wider business ecosystem.&nbsp;<\/p>\n\n\n\n<p><strong>Cloud and SaaS Account Takeover<\/strong>&nbsp;<\/p>\n\n\n\n<p>Modern browsers store credentials for cloud platforms, CRMs, collaboration tools, and internal portals. Theft of browser credential databases can therefore expose Microsoft 365, Google Workspace, Salesforce, SAP, and other critical business systems without the attacker needing to deploy ransomware or exploit vulnerabilities.&nbsp;<\/p>\n\n\n\n<p><strong>Long-Term Persistence and Espionage<\/strong>&nbsp;<\/p>\n\n\n\n<p>Agent Tesla\u2019s keylogging, clipboard interception, and screenshot functionality enable prolonged surveillance of employee activity. 
This allows operators to collect sensitive information gradually over time, including contracts, credentials, API keys, internal communications, and financial data.&nbsp;<\/p>\n\n\n\n<p><strong>Risk Summary:<\/strong>&nbsp;A single employee opening a convincing purchase order email can result in complete credential compromise across your organization&#8217;s digital tools. This campaign has&nbsp;operated&nbsp;undetected against LATAM businesses for over 18 months. The financial and operational cost of remediation significantly exceeds the cost of proactive prevention.&nbsp;<\/p>\n\n\n\n
<p>This article walks through the full investigation&nbsp;methodology, from&nbsp;initial&nbsp;triage to infrastructure correlation, and&nbsp;demonstrates&nbsp;how ANY.RUN\u2019s interactive sandbox and threat intelligence capabilities accelerated key phases of the analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d4517cfe-1a82-4679-ae72-1bb777060a13\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">The full detonation session&nbsp;is publicly&nbsp;available in the sandbox<\/a>.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Campaign Technical Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. Initial Triage: The Malicious RAR Archive&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Sample Identification&nbsp;<\/h4>\n\n\n\n<p>The investigation began with a RAR v5 archive&nbsp;submitted&nbsp;for analysis. 
Key static properties:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-318\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"318\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:59.085963003264%;                    padding:10px;\n                    \"\n                    >\n                                        Attribute\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:10.881392818281%;                    padding:10px;\n                    \"\n                    >\n                                        Value\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-align-left wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:30.032644178455%;                    padding:10px;\n                    \"\n                    >\n                                        Note\u00a0                    <\/th>\n                                    
    <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Orden de\u00a0compra_pdf.uu\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        File name\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Social engineering lure\u00a0-\u00a0 purchase\u00a0order\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RAR archive v5\u00a0            
        <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        File type\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Container for payload delivery\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A7EEEAD9C868D9944ED1C1F113328F32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        MD5\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        B50B3800B17AD7AD5C4483C0B6B24D1D151A9D10\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td 
class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        948C8C69FE02EDA9231AEBFA5C626335307058AC74A5C3C40B346179A1BFC982\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        March 27, 2026\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                    
                        data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Analysis date\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ANY.RUN sandbox detonation\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        app.any.run\/tasks\/54d00d6d-e6d0-4f54-8907-a571a293127b\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Full analysis\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C8\"\n    
                data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Interactive sandbox report\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-318'>\ntable#wpdtSimpleTable-318{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-318 td, table.wpdtSimpleTable318 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p>The file extension .uu&nbsp;is a deliberate obfuscation tactic. While the file is&nbsp;actually a&nbsp;RAR archive, the unusual extension is intended to confuse automated scanners and reduce detection rates on email gateways that rely on extension-based filtering.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"533\" height=\"108\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image1.png\" alt=\"\" class=\"wp-image-20873\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image1.png 533w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image1-300x61.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image1-370x75.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image1-270x55.png 270w\" sizes=\"(max-width: 533px) 100vw, 533px\" \/><figcaption class=\"wp-element-caption\">.<em>zip archive with fake extension<\/em><\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">The Social Engineering Angle&nbsp;<\/h4>\n\n\n\n<p>The filename&nbsp;<em>Orden de&nbsp;compra_pdf.uu<\/em>&nbsp;translates to \u2018<em>Purchase order PDF<\/em>\u2019 in Spanish. 
This is a high-value lure for B2B environments: purchase orders are expected,&nbsp;frequently&nbsp;shared by email, and often opened without scrutiny by accounts payable and procurement personnel. The \u2018_pdf\u2019 substring creates a false sense of legitimacy, suggesting the recipient will open a PDF document.&nbsp;<\/p>\n\n\n\n<p>This social engineering pattern is consistent across the 80+ samples we&nbsp;identified&nbsp;communicating with the campaign\u2019s infrastructure&nbsp;&#8211;&nbsp;all&nbsp;impersonating financial or procurement documents in Spanish:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>N\u00f3mina&nbsp;de sueldos.pdf_008.exe<\/em>&nbsp;\u2014&nbsp;payroll;&nbsp;<\/li>\n\n\n\n<li><em>Comprobante&nbsp;de pago.pdf.exe<\/em>&nbsp;\u2014&nbsp;payment receipt;&nbsp;<\/li>\n\n\n\n<li><em>Nomina_Sept2025_Confidencial.xlam<\/em>&nbsp;\u2014&nbsp;confidential payroll;&nbsp;<\/li>\n\n\n\n<li><em>Orden de Compra.xlam<\/em>&nbsp;\u2014&nbsp;purchase order (macro-enabled spreadsheet);&nbsp;<\/li>\n\n\n\n<li><em>OC 20240814.xlam \/ OC 20240813.xlam<\/em>&nbsp;\u2014&nbsp;dated order confirmations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. Kill Chain Analysis&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Stage 1 \u2014 JScript Encoded Dropper&nbsp;<\/h4>\n\n\n\n<p>WinRAR extracts the archive to reveal <em>Orden de compra_pdf.jse<\/em> \u2014&nbsp;a&nbsp;JScript Encoded Script (Microsoft Script Encoder format). This encoding is not&nbsp;true&nbsp;encryption, but&nbsp;is highly effective at bypassing signature-based AV detection and preventing casual inspection. 
The file is executed via Windows Script Host (wscript.exe).&nbsp;<\/p>\n\n\n\n<p>The .jse&nbsp;dropper performs several actions in sequence:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Downloads a decoy PDF<\/strong>&nbsp;from a remote server and opens it to distract the victim while infection&nbsp;proceeds&nbsp;silently in the background.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Drops multiple PowerShell stager scripts<\/strong>&nbsp;to 
C:\\Temp\\ with randomized names (AYRMWWFH.ps1, Z2KBLYG5.ps1, ELHYLTLT.ps1).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Invokes PowerShell with execution policy bypass<\/strong>&nbsp;\u2014&nbsp;<code>-ExecutionPolicy Bypass<\/code>&nbsp;\u2014&nbsp;to&nbsp;run the stagers without triggering security warnings.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Modifies registry keys<\/strong>&nbsp;for persistence.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>All PowerShell stager scripts dropped during the campaign share the same SHA256 hash (96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7), confirming use of a standardized stager template across the campaign.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"428\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image2-1.png\" alt=\"\" class=\"wp-image-20876\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image2-1.png 520w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image2-1-300x247.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image2-1-370x305.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image2-1-270x222.png 270w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><figcaption class=\"wp-element-caption\"><em>Stage 1 processes visible in the sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">Stage 2 \u2014 PowerShell Stager&nbsp;<\/h4>\n\n\n\n<p>The PowerShell stager loads ALTERNATE.dll&nbsp;\u2014&nbsp;the Agent Tesla loader&nbsp;\u2014&nbsp;and&nbsp;injects it into a legitimate Microsoft binary. 
The choice of injection target is deliberate: aspnet_compiler.exe is a trusted .NET Framework&nbsp;component, and its network activity is rarely flagged by endpoint security tools.&nbsp;<\/p>\n\n\n\n<p>The stager implements a Process Hollowing injection sequence:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1. Locate aspnet_compiler.exe on disk \n\n2. Spawn a suspended process instance \n\n3. VirtualAllocEx() \u2192 allocate memory in target process \n\n4. WriteProcessMemory() \u2192 write ALTERNATE.dll payload \n\n5. GetProcAddress() \u2192 resolve entry point dynamically \n\n6. Resume execution \u2192 Agent Tesla runs inside trusted process <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Stage 3 \u2014&nbsp;ALTERNATE.dll: The Protected Loader&nbsp;<\/h4>\n\n\n\n<p>The DLL is named&nbsp;<em>ALTERNATE.dll&nbsp;<\/em>internally (with a matching&nbsp;<em>ALTERNATE.pdb<\/em>&nbsp;debug path left in the binary). Static analysis with Detect-It-Easy reveals a sophisticated protection stack:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-319\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"10\"\n           data-wpID=\"319\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:30.906148867314%;                    padding:10px;\n                    \"\n                    >\n                                        Value\u00a0                    <\/th>\n               
                                 <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:16.181229773463%;                    padding:10px;\n                    \"\n                    >\n                                        Property\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:52.912621359223%;                    padding:10px;\n                    \"\n                    >\n                                        Details\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PE32 .NET Assembly (x86)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Format\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell 
wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CLR v4.0.30319 \/ .NET 4.5.1\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        .NET Reactor 6.x\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Commercial .NET protection framework\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                         
       <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Control Flow Obfuscation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Scrambles IL execution graph with fake branches\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Calls Encryption\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left 
wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Replaces method calls with encrypted delegates\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Virtualization\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            
data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Converts methods to custom VM bytecode\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Anti-ILDASM\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Breaks\u00a0dnSpy\/ILSpy\u00a0decompilation\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n   
                                         data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Math Mutations\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Replaces constants with equivalent expressions\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Fake .cctor\u00a0names\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B9\"\n  
                  data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Protection\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Poisons metadata to confuse\u00a0decompilers\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2066 (forged)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PE Timestamp\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    
data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Anti-forensic timestamp manipulation\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-319'>\ntable#wpdtSimpleTable-319{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-319 td, table.wpdtSimpleTable319 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p>The use of&nbsp;<strong>.NET Reactor 6.x<\/strong>&nbsp;explains why standard tools like de4dot fail without&nbsp;additional&nbsp;flags. The correct tool for this protection version is&nbsp;<strong>NETReactorSlayer<\/strong>:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Recommended approach: \nNETReactorSlayer.CLI.exe --no-pause ALTERNATE.dll \n\n# Alternative with de4dot (force detector): \nde4dot.exe ALTERNATE.dll --det reactor <\/code><\/pre>\n\n\n\n<p>Partial&nbsp;deobfuscation&nbsp;via&nbsp;NETReactorSlayer&nbsp;reduced the binary from 79,872 \u2192 42,496 bytes (a 46.8% reduction), confirming that&nbsp;nearly half&nbsp;the original file consisted purely of protection scaffolding. Post-deobfuscation&nbsp;entropy dropped from 6.0 \u2192 5.86, and previously hidden IL structures became accessible for analysis.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Internal Architecture (Post-Deobfuscation)&nbsp;<\/h4>\n\n\n\n<p>Analysis of the partially&nbsp;deobfuscated&nbsp;binary (<em>alternate_Slayed.dll<\/em>) reveals the loader\u2019s true internal architecture. 
Method names&nbsp;remain&nbsp;obfuscated (<em>smethod_10, Delegate10, Struct10<\/em>) \u2014 a&nbsp;pattern consistent with automated obfuscation frameworks \u2014 but&nbsp;the functional structure is now recoverable.&nbsp;<\/p>\n\n\n\n<p>The loader implements a&nbsp;<strong>Read \u2192 Decrypt \u2192 Decompress \u2192 Execute<\/strong>&nbsp;pipeline:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#091;ALTERNATE.dll Loader] \n        \u2193 \n1. Read encrypted blob from embedded resource \n        \u2193 \n2. Decrypt  \u2192  RijndaelManaged (AES-256) + CryptoStream \n\n                   Key: hardcoded hex constant \n\n                   IV:  prepended to blob (first 16 bytes) \n        \u2193 \n3. Decompress  \u2192  System.IO.Compression (DeflateStream) \n        \u2193 \n4. Load  \u2192  Reflection (Assembly.Load from byte array) \n\n               ResolveMethod \/ GetMethod \/ CreateInstance \n        \u2193 \n\n5. Invoke  \u2192  DynamicMethod \/ CreateDelegate \n\n        \u2193 \n6. Execute  \u2192  Agent Tesla payload runs entirely in memory <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Encryption Layer<\/h4>\n\n\n\n<p>The loader uses <strong>RijndaelManaged<\/strong> (the .NET implementation of AES) with CryptoStream and explicit set_IV calls, confirming AES-CBC mode with a hardcoded key and a prepended IV. 
Four 256-bit (32-byte) key candidates were identified in the deobfuscated binary:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 \n\nC61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 \n\nC356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 \n\nF1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 <\/code><\/pre>\n\n\n\n<p>The encrypted payload blob is&nbsp;located&nbsp;at offset&nbsp;<em>0x4600<\/em>&nbsp;in the&nbsp;deobfuscated&nbsp;binary (relocated&nbsp;from&nbsp;<em>0x12000<\/em>&nbsp;in the original), measures&nbsp;<strong>2,560 bytes<\/strong>, and&nbsp;retains&nbsp;near-maximum entropy of&nbsp;<strong>7.93 \/ 8.0<\/strong>, confirming that the AES-encrypted blob survived&nbsp;deobfuscation&nbsp;intact.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Dynamic Execution via Reflection<\/h4>\n\n\n\n<p>The loader avoids static linking of the final payload by using <strong>.NET Reflection<\/strong> to load and invoke Agent Tesla entirely from a byte array in memory. 
The relevant APIs observed post-deobfuscation:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-320\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"5\"\n           data-wpID=\"320\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:34.1642228739%;                    padding:10px;\n                    \"\n                    >\n                                        API\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:14.66275659824%;                    padding:10px;\n                    \"\n                    >\n                                        Category\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:51.173020527859%;                    padding:10px;\n                    \"\n                    >\n                                        Role\u00a0                    <\/th>\n                                        <\/tr>\n                    
<tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        DynamicMethod\u00a0\/\u00a0CreateDelegate\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reflection API\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Runtime method generation and invocation\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ResolveMethod\u00a0\/\u00a0GetMethod\u00a0                   
 <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reflection API\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Dynamic method resolution without static references\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CreateInstance\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reflection API\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Object instantiation from decrypted assembly\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Assembly.Load\u00a0(byte[])\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reflection API\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Loads Agent Tesla PE from memory\u00a0-\u00a0 no\u00a0disk\u00a0write\u00a0                    <\/td>\n                                        <\/tr>\n      
              <\/table>\n<\/div><style id='wpdt-custom-style-320'>\ntable#wpdtSimpleTable-320{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-320 td, table.wpdtSimpleTable320 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<h4 class=\"wp-block-heading\">Process Hollowing&nbsp;\u2014&nbsp;Full&nbsp;Win32 API Map&nbsp;<\/h4>\n\n\n\n<p>The&nbsp;deobfuscated&nbsp;binary exposes the complete Process Hollowing implementation as UTF-16 P\/Invoke strings. The API sequence is a textbook&nbsp;<strong>32-bit hollowing<\/strong>&nbsp;with Wow64 support for 32\u219264-bit environments:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-321\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"11\"\n           data-wpID=\"321\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:37.610619469027%;                    padding:10px;\n                    \"\n                    >\n                                        API + Offset\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:14.749262536873%;                    
padding:10px;\n                    \"\n                    >\n                                        Library\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:47.6401179941%;                    padding:10px;\n                    \"\n                    >\n                                        Function\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        CreateProcessA\u00a0@ 0x8EC4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n            
                            Spawns aspnet_compiler.exe in suspended state\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ZwUnmapViewOfSection\u00a0@ 0x8E9A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ntdll                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Unmaps\u00a0original executable from target memory\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        VirtualAllocEx\u00a0@ 0x8E26\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Allocates RWX memory in target process\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        WriteProcessMemory\u00a0@ 0x8E44\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n  
                  >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Writes Agent Tesla PE headers and sections\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ReadProcessMemory\u00a0@ 0x8E6A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                             
           Verifies write integrity\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        GetThreadContext\u00a0@ 0x8DE2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Reads EIP\/EBX from suspended thread\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n      
              >\n                                        SetThreadContext\u00a0@ 0x8D94\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Redirects EIP to Agent Tesla entry point\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Wow64GetThreadContext @ 0x8DD8\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                      
                  Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        32\u219264-bit context read\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Wow64SetThreadContext @ 0x8D8A\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        32\u219264-bit context\u00a0write\u00a0      
              <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ResumeThread\u00a0@ 0x8D70\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Win32 \/ kernel32\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Resumes thread\u00a0-\u00a0 Agent\u00a0Tesla begins executing\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-321'>\ntable#wpdtSimpleTable-321{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-321 td, table.wpdtSimpleTable321 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p>The hollower&nbsp;contains&nbsp;hardcoded error strings 
\u2014<em>&#8220;Failed to allocate memory&#8221;, &#8220;Failed to&nbsp;unmap&nbsp;section&#8221;, &#8220;Failed to update PEB&#8221;\u2014&nbsp;<\/em>suggesting it was built from a reusable hollowing template with debug output preserved, a common trait in commodity malware kits.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Execution Control Flags&nbsp;<\/h4>\n\n\n\n<p>Three internal execution control strings were&nbsp;recovered&nbsp;post-deobfuscation: ALTERNATE, EXECUTE, and LAUNCH. These&nbsp;likely govern&nbsp;different execution paths within the loader \u2014&nbsp;for&nbsp;example, switching between in-process shellcode execution and remote process hollowing depending on runtime conditions such as privilege level or AV detection.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Stage 4 \u2014 Agent Tesla Deployed In-Memory&nbsp;<\/h4>\n\n\n\n<p>The Agent Tesla payload is stored as a 2,560-byte AES-encrypted and deflate-compressed blob embedded in the loader\u2019s&nbsp;<em>.text<\/em>&nbsp;section.&nbsp;The double-layering&nbsp;\u2014&nbsp;compressed&nbsp;and then encrypted \u2014&nbsp;ensures&nbsp;the payload has no recognizable structure at rest, so byte-pattern signatures have nothing to match. It does not hide the blob from entropy heuristics, however: the encrypted data sits at near-maximal entropy (7.93 of 8.0, see the table below), and a small, high-entropy region inside the <em>.text<\/em> section of a .NET executable is itself a useful hunting indicator for packed loaders.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-322\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"322\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n           
         style=\" width:40.494590417311%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tValue                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:15.919629057187%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tField                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:43.585780525502%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNotes                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t0x4600 \u2013 0x5000\t\t\t\t(deobfuscated)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"        
            padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tLocation                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRelocated\t\t\t\tfrom 0x12000 in original binary                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t2,560 bytes                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSize                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n   
                                     \t\t\t\tEncrypted + compressed\t\t\t\tpayload                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t7.93 \/ 8.0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEntropy                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNear-maximal; consistent with encrypted data (cipher identified below via CryptoStream)                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n      
              \"\n                    >\n                                        \t\t\t\t256 \/ 256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tUnique bytes                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tAll 256 byte values present; near-uniform distribution                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRijndaelManaged (AES-256\t\t\t\tCBC)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                        
                \t\t\t\tCipher                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tConfirmed\t\t\t\tvia CryptoStream + set_IV calls                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row even\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tf87d105625dbc96f63d5b4b81dce4c39                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tIV candidate                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFirst 16 bytes of blob    
                <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row odd\" >\n                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDeflateStream                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCompression                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000012 wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tApplied before encryption                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-322'>\ntable#wpdtSimpleTable-322{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-322 td, table.wpdtSimpleTable322 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p>At runtime, the loader decrypts the blob using the hardcoded key and embedded IV, decompresses the result with 
<em>DeflateStream<\/em>, then hands the resulting byte array to <em>Assembly.Load()<\/em>, so the Agent Tesla assembly is instantiated straight from memory. In the sandboxed runs the decrypted image ends up executing inside the hollowed <em>aspnet_compiler.exe<\/em> process through the API sequence listed above, which matches the loader-path switching suggested under Execution Control Flags. <strong>No file is written to disk at any stage from this point forward<\/strong> \u2014 the execution is fileless, which is why the payload could only be recovered from a memory dump (Section 3) and why the hollowing API sequence, rather than a file write, is the detection point.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Payload Analysis: Agent Tesla Unpacked<\/h3>\n\n\n\n<p>Memory dumps captured during sandbox execution allowed recovery of the <strong>fully decrypted Agent Tesla payload<\/strong> \u2014 the binary that runs inside the hollowed <em>aspnet_compiler.exe<\/em> process. Static analysis of this dump (270,336 bytes, SHA256: 43d09743a69c9afa7156bf4e2bf7423b3d5f5ad7d54c4c3fb8a698d526778057) reveals the complete capability set and hardcoded configuration of this Agent Tesla instance.<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-323\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"7\"\n           data-wpID=\"323\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:56.152125279642%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tValue                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"0\"\n                    style=\" width:12.192393736018%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tField                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:31.65548098434%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNotes                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t270,336 bytes                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSize                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFull unpacked .NET assembly                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t43d09743a69c9afa7156bf4e2bf7423b3d5f5ad7d54c4c3fb8a698d526778057                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSHA256                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDecrypted payload in memory                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t78ba57f4a164bedc26204296ea09bb8f                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tMD5                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDecrypted payload                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t2024-04-23 20:27 UTC                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPE Timestamp                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCompile\t\t\t\tdate -  not forged in this stage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPE32 .NET EXE (GUI)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFormat                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n      
                                  \t\t\t\tx86, CLR, 3 sections                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t4.64 \/ 8.0                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEntropy                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tLow - \t\t\t\tplaintext IL, no remaining encryption                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-323'>\ntable#wpdtSimpleTable-323{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-323 td, table.wpdtSimpleTable323 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<h4 
class=\"wp-block-heading\"><br>Hardcoded Configuration<\/h4>\n\n\n\n<p>With the payload decrypted, the <strong>complete operator configuration is visible in plaintext<\/strong> \u2014 the same values that were hidden behind AES-256 in the loader stage:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-324\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"9\"\n           data-wpID=\"324\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:40.579710144928%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tValue                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:17.523056653491%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tField                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:41.897233201581%;                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNotes                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tftp:\/\/ftp.horeca-bucuresti.ro                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFTP URL                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tC2 exfiltration endpoint - \t\t\t\thardcoded                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n              
      style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tamericas2@horeca-bucuresti.ro                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFTP Username                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOperator drop account - \t\t\t\thardcoded                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tH*TE9iL;x61m                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n         
           \"\n                    >\n                                        \t\t\t\tFTP Password                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t[REDACTED\t\t\t\tin publication] -  plaintext in payload                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\thttp:\/\/ip-api.com\/line\/?fields=hosting                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFingerprint URL                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n            
        >\n                                        \t\t\t\tPre-exfil\t\t\t\thosting check -  hardcoded                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\troSkM \/ roSkM.exe                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tMutex \/ EXE name                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCampaign instance\t\t\t\tidentifier                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                  
  padding:10px;\n                    \"\n                    >\n                                        \t\t\t\thdfzpysvpzimorhk                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSecondary mutex                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tAnti-re-infection mutex                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tHnJnO                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                             
           \t\t\t\tCampaign tag                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tInstance\/build identifier                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPersistence name                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tGUID\t\t\t\tfilename used for autorun 
copy                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-324'>\ntable#wpdtSimpleTable-324{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-324 td, table.wpdtSimpleTable324 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p><br>The FTP password recovered from the memory dump matches exactly the credentials captured in cleartext by ANY.RUN during the dynamic analysis phase, providing cross-validation between static payload analysis and live network capture.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"553\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png\" alt=\"\" class=\"wp-image-20894\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3.png 718w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3-300x231.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3-370x285.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image3-270x208.png 270w\" sizes=\"(max-width: 718px) 100vw, 718px\" \/><figcaption class=\"wp-element-caption\">Exfiltrated password in the sandbox analysis<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"927\" height=\"367\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4.png\" alt=\"\" class=\"wp-image-20897\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4.png 927w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4-300x119.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4-768x304.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4-370x146.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4-270x107.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image4-740x293.png 740w\" sizes=\"(max-width: 927px) 100vw, 927px\" \/><figcaption class=\"wp-element-caption\">Exfiltrated data in payload analysis<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><br>Credential Theft Capabilities<\/h4>\n\n\n\n<p>The unpacked payload targets <strong>over 80 applications<\/strong> across six categories, representing one of the broadest credential theft surface areas among commodity stealers:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-325\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"7\"\n           data-wpID=\"325\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000013\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:7.9497907949791%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCategory                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000013\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:79.31858936043%;                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tApplications                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000013\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:12.731619844591%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tMethod                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tBrowsers (28+)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Chrome, Firefox, Edge, Brave, \nOpera, Vivaldi, Yandex, 360Chrome, \nIceDragon, Waterfox, PaleMoon, SeaMonkey, \nQQ Browser, Coccoc, Comodo Dragon, \nEpic Privacy, Citrio, Amigo, Orbitum, \nSputnik, CentBrowser, Chedot, 7Star, Torch, \nElements, UC Browser, BlackHawk, Iridium                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                        
    data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tProfile\t\t\t\tdirs + SQLite Login Data                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEmail clients (21+)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOutlook\t\t\t\t(2003\u201319), Thunderbird, Foxmail, Mailbird, The Bat!, Postbox,\t\t\t\tIncrediMail, Eudora, Becky!, ClawsMail, PocoMail, SeaMonkey Mail,\t\t\t\tOpera Mail, Falkon, Flock, K-Meleon, IceCat, PaleMoon, eM Client,\t\t\t\tWindows Mail App, Trillian                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRegistry + profile 
files                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFTP clients (9)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFileZilla,\t\t\t\tWinSCP, CoreFTP, FTPGetter, SmartFTP, FTP Navigator, WS_FTP,\t\t\t\tFtpCommander, FlashFXP                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tConfig files + registry                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    
\"\n                    >\n                                        \t\t\t\tVPN clients (5)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNordVPN,\t\t\t\tOpenVPN, Private Internet Access, DynDNS, Paltalk                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tConfig + credential files                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tVNC servers (13)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                    
                    \t\t\t\tRealVNC 3.x\/4.x, TightVNC\t\t\t\t(ControlPassword), TigerVNC, UltraVNC                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRegistry keys                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tMessaging (8+)                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000010\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDiscord\t\t\t\t(OAuth token via regex), Pidgin, Trillian, Psi\/Psi+, Paltalk,\t\t\t\tJDownloader 2.0, MysqlWorkbench                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-fs-000011\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n             
       >\n                                        \t\t\t\tProfile + config files                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-325'>\ntable#wpdtSimpleTable-325{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-325 td, table.wpdtSimpleTable325 th { white-space: normal !important; }\n.wpdt-fs-000013 { font-size: 13px !important;}\n.wpdt-fs-000011 { font-size: 11px !important;}\n.wpdt-fs-000010 { font-size: 10px !important;}\n<\/style>\n\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"934\" height=\"458\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1.png\" alt=\"\" class=\"wp-image-20907\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1.png 934w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1-300x147.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1-768x377.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1-370x181.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1-270x132.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image5-1-740x363.png 740w\" sizes=\"(max-width: 934px) 100vw, 934px\" \/><figcaption class=\"wp-element-caption\">Apps targeted by Agent Tesla<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Keylogger<\/h4>\n\n\n\n<p>The payload implements a full <strong>system-wide keylogger<\/strong> via Windows hook APIs. 
26 special keys are mapped to labeled tokens for inclusion in keylog reports:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{ALT+F4}  {ALT+TAB}  {BACK}  {CAPSLOCK}  {CTRL}  {DEL}\n{END}  {ENTER}  {ESC}  {F10}  {F11}  {F12}\n{HOME}  {Insert}  {KEYDOWN}  {KEYLEFT}  {KEYRIGHT}  {KEYUP}\n{NumLock}  {PageDown}  {PageUp}  {TAB}  {Win}\n \nKeylogger interval: configurable via KeyloggerInterval field\nOutput field:       KeylogText (appended per session)<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"159\" height=\"512\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image7-1.png\" alt=\"\" class=\"wp-image-20913\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image7-1.png 159w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image7-1-93x300.png 93w\" sizes=\"(max-width: 159px) 100vw, 159px\" \/><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">Additional Capabilities<\/h4>\n\n\n\n<p><strong><em>Clipboard Monitoring<\/em><\/strong><br>Agent Tesla registers a <em>SetClipboardViewer \/ ChangeClipboardChain<\/em> hook to intercept clipboard content in real time. Captured data is tagged with <em>&lt;br&gt;&lt;hr&gt;Copied Text: &lt;br&gt;<\/em>and appended to the exfiltration report. This is particularly effective for capturing copied passwords, API keys, and cryptocurrency wallet addresses.<\/p>\n\n\n\n<p><em><strong>Screenshot Capture<\/strong><\/em><br>A configurable screenshot module captures periodic desktop images. The interval is controlled by the <em>KeyloggerInterval<\/em> setting. 
Screenshots are base64-encoded and included in the HTML exfiltration report alongside stolen credentials.<\/p>\n\n\n\n<p><em><strong>Persistence Mechanisms<\/strong><\/em><\/p>\n\n\n\n<p>The payload supports multiple persistence methods, selectable at build time:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Registry Run key<\/strong> \u2014 HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run[StartupRegName];<\/li>\n\n\n\n<li><strong>Startup folder<\/strong> \u2014 copies itself to %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ ;<\/li>\n\n\n\n<li><strong>Task Scheduler<\/strong> \u2014 creates a scheduled task for persistence without registry artifacts;<\/li>\n\n\n\n<li><strong>GUID-named copy<\/strong> \u2014 drops as 7bcd610d-7af6-4dc2-875b-dc4fec91463c.exe to blend with system files.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"619\" height=\"134\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image8.png\" alt=\"\" class=\"wp-image-20918\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image8.png 619w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image8-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image8-370x80.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image8-270x58.png 270w\" sizes=\"(max-width: 619px) 100vw, 619px\" \/><figcaption class=\"wp-element-caption\">Other evasion methods<\/figcaption><\/figure><\/div>\n\n\n<p><em><strong>Anti-Analysis \/ Anti-VM<\/strong><\/em><\/p>\n\n\n\n<p>The payload performs environment checks before proceeding, scanning for indicators of analysis environments:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-326\"\n           
style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"6\"\n           data-wpID=\"326\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.092224231465%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tIndicator                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:26.582278481013%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tMethod                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:40.325497287523%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tTarget                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n   
                 data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tVMware \/ vmware                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tProcess\/file check                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tVMware guest detection                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tVirtualBox                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n    
                style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRegistry\/file check                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tVirtualBox guest detection                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSbieDll.dll                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDLL presence check                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                  
  \"\n                    >\n                                        \t\t\t\tSandboxie sandbox detection                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tcmdvrt32.dll                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDLL presence check                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tComodo sandbox detection                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSxIn.dll \/ Sf2.dll \/\t\t\t\tsnxhk.dll                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDLL presence check                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tAvast\/Sophos sandbox\t\t\t\tdetection                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-326'>\ntable#wpdtSimpleTable-326{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-326 td, table.wpdtSimpleTable326 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"930\" height=\"84\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1.png\" alt=\"\" class=\"wp-image-20923\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1.png 930w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1-300x27.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1-768x69.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1-370x33.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1-270x24.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image9-1-740x67.png 740w\" sizes=\"(max-width: 930px) 100vw, 930px\" \/><figcaption class=\"wp-element-caption\">Malware detects sandbox environments<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Exfiltration Report Format<\/h4>\n\n\n\n<p>The HTML report generated by Agent Tesla and uploaded to the FTP drop server follows a fixed template, reconstructed from the payload strings. The format observed in the ANY.RUN network capture matches exactly:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Time: &#091;MM\/dd\/yyyy HH:mm:ss]\nUser Name: &#091;Windows username]\nComputer Name: &#091;hostname]\nOSFullName: &#091;Windows edition]\nCPU: &#091;processor model from WMI Win32_Processor]\nRAM: &#091;available RAM in MB]\n&lt;hr&gt;\nHost: &#091;URL where credentials were stolen from]\nUsername: &#091;stolen username]\nPassword: &#091;stolen password]\nApplication: &#091;browser\/client name]\n&lt;hr&gt;\n&#091;...additional credential blocks...]\n&lt;hr&gt;Copied Text: &#091;clipboard contents]<\/code><\/pre>\n\n\n\n<p>This template is hardcoded in the payload and has remained consistent across multiple Agent Tesla v3 builds observed in LATAM campaigns. 
The \u2018Time:\u2019 field uses MM\/dd\/yyyy format, which, combined with the Spanish-language lures, suggests the operator targets both English- and Spanish-speaking environments.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"248\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image10.png\" alt=\"\" class=\"wp-image-20929\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image10.png 722w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image10-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image10-370x127.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image10-270x93.png 270w\" sizes=\"(max-width: 722px) 100vw, 722px\" \/><figcaption class=\"wp-element-caption\">Exfiltration report in the sandbox<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Dynamic Analysis: Behavioral Confirmation<\/h3>\n\n\n\n<p>Detonating the full infection chain in ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> provided behavioral confirmation of the attack and captured artifacts that static analysis alone could not reveal.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Process tree<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"666\" height=\"239\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image11-1.png\" alt=\"\" class=\"wp-image-20930\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image11-1.png 666w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image11-1-300x108.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image11-1-370x133.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image11-1-270x97.png 270w\" sizes=\"(max-width: 666px) 100vw, 666px\" \/><figcaption class=\"wp-element-caption\">Agent Tesla process chain<\/figcaption><\/figure>\n\n\n\n<p>The full process execution chain observed in the sandbox:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>WinRAR.exe<\/strong> (PID 8100) \u2192 extracts .jse dropper;<\/li>\n\n\n\n<li><strong>wscript.exe<\/strong> (PID 2392) \u2192 executes .jse, drops PS1 stagers, downloads decoy PDF;<\/li>\n\n\n\n<li><strong>powershell.exe<\/strong> (\u00d74: PIDs 4600, 6116, 6240, 6412) \u2192 stager execution with bypass;<\/li>\n\n\n\n<li><strong>aspnet_compiler.exe<\/strong> (PID 7720) \u2192 hollowed process &#8211; executes Agent Tesla payload.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Pre-Exfiltration: Victim Fingerprinting<\/h4>\n\n\n\n<p>Before 
exfiltrating stolen data, Agent Tesla performs a <strong>geolocation and hosting provider check<\/strong> via <em>ip-api[.]com<\/em>. This common stealer pattern verifies the victim is not running inside a sandbox or corporate proxy before proceeding with exfiltration:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET http:\/\/ip-api.com\/line\/?fields=hosting HTTP\/1.1\nHost: ip-api.com\n \n\u2192 Response: false  (victim is not a hosting provider)\n\u2192 Agent Tesla proceeds with exfiltration<\/code><\/pre>\n\n\n\n<p>ANY.RUN flagged this request with the Suricata rule: &#8220;ET MALWARE Common Stealer Behavior \u2014 Source IP Associated with Hosting Provider Check via ip-api.com&#8221;, confirming the pre-exfiltration fingerprinting behavior.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"615\" height=\"330\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image12-1.png\" alt=\"\" class=\"wp-image-20933\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image12-1.png 615w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image12-1-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image12-1-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image12-1-270x145.png 270w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><figcaption class=\"wp-element-caption\">Suricata rule triggered by possible fingerprinting<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">Credential Theft<\/h4>\n\n\n\n<p>The sandbox confirmed active credential theft from web browsers. 
The behavioral indicators observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accesses Chrome and Firefox browser profile directories and credential store databases;<\/li>\n\n\n\n<li>Reads saved password and autofill data;<\/li>\n\n\n\n<li>Formats captured credentials as an HTML report for exfiltration;<\/li>\n\n\n\n<li>Collects system fingerprint: hostname, username, OS version, CPU model, RAM.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">FTP Exfiltration<\/h4>\n\n\n\n<p>The most critical finding from dynamic analysis was the capture of <strong>cleartext FTP credentials and exfiltration traffic<\/strong>. FTP operates without transport encryption by default, making the full authentication handshake and data transfer visible in the network capture:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>220 Welcome to Pure-FTPd &#091;privsep] &#091;TLS]\n331 User americas2@horeca-bucuresti.ro OK. Password required\nUSER americas2@horeca-bucuresti.ro\nPASS &#091;REDACTED]\n230 OK. Current restricted directory is \/\nSTOR PW_admin-DESKTOP-JGLLJLD_2026_03_27_17_19_15.html\n226 File successfully transferred (3.79 KB\/s)<\/code><\/pre>\n\n\n\n<p>The exfiltrated file follows a consistent naming convention: <em>PW_[username]-[hostname]_[timestamp].html.<\/em> This structured naming allows the operator to efficiently process stolen credentials from multiple victims in the drop directory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"413\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image13-1.png\" alt=\"\" class=\"wp-image-20936\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image13-1.png 616w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image13-1-300x201.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image13-1-370x248.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image13-1-270x181.png 270w\" sizes=\"(max-width: 616px) 100vw, 616px\" \/><figcaption class=\"wp-element-caption\">Agent Tesla exfiltrating data<\/figcaption><\/figure><\/div>\n\n\n<p>The following Suricata rules fired during the exfiltration phase:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ET MALWARE AgentTesla Exfil via FTP<\/li>\n\n\n\n<li>ET MALWARE Agent Tesla CnC Exfil via TCP<\/li>\n\n\n\n<li>STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP) (\u00d72)<\/li>\n\n\n\n<li>SUSPICIOUS [ANY.RUN] Possible admin username observed in outbound connection<\/li>\n\n\n\n<li>HUNTING [ANY.RUN] Windows PC hostname observed in outbound connection<\/li>\n\n\n\n<li>HUNTING [ANY.RUN] Host CPU Enumeration observed in outbound connection<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5. Threat Infrastructure Analysis<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">The C2 Server: 89.39.83.184<\/h4>\n\n\n\n<p>The exfiltration target \u2014 ftp.horeca-bucuresti[.]ro resolving to 89[.]39[.]83[.]184 \u2014 is a <strong>legitimate Romanian hospitality business website that has been compromised<\/strong> and repurposed as a drop zone. 
This operational security tactic makes network blocking harder and attribution more difficult, since blocking the IP may affect a legitimate business.<\/p>\n\n\n\n<p>Querying the IP on VirusTotal reveals <strong>80 malicious files that have communicated with this server<\/strong>, with the earliest samples dating to September 2024 \u2014 confirming the infrastructure has been actively maintained for <strong>at least 18 months<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"991\" height=\"581\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14.png\" alt=\"\" class=\"wp-image-20939\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14.png 991w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14-768x450.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image14-740x434.png 740w\" sizes=\"(max-width: 991px) 100vw, 991px\" \/><figcaption class=\"wp-element-caption\">Files communicating with the C2 server<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Campaign Scope: A LATAM-Focused Operation<\/h4>\n\n\n\n<p>Analysis of the 80 samples communicating with this infrastructure reveals a clear targeting pattern focused on Spanish-speaking Latin American enterprises. 
Pivoting on the campaign in ANY.RUN <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktotilookuplanding\">Threat Intelligence Lookup<\/a> with the query <em>submissionCountry:&#8221;cl&#8221; AND threatLevel:&#8221;malicious&#8221;<\/em> confirms Chile as the primary submission country, and surfaces correlated behavioral artifacts including the mutex <em>local\\sm0:6816:304:wilstaging_02<\/em>, the Firebase Storage decoy PDF download URL, and all 10 Suricata network threats &#8211; all tied to aspnet_compiler.exe as the injected process.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"586\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15.jpg\" alt=\"\" class=\"wp-image-20940\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15-300x172.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15-768x440.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15-370x212.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15-270x155.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image15-740x423.jpg 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Malicious file search in TI Lookup<\/figcaption><\/figure>\n\n\n\n<p>The filenames observed in the communicating files paint a consistent picture:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-327\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n         
  class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"8\"\n           data-wpID=\"327\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:44.117647058824%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tFilename                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:21.708683473389%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tType                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:34.173669467787%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tTargeting\t\t\t\tContext                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOrden de compra.xlam \/\t\t\t\tOrden de Compra.xlam                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOffice macro lure                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tChile \/ Peru \/ Generic\t\t\t\tLATAM                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOC 20240814.xlam \/ OC\t\t\t\t20240813.xlam                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOffice macro lure                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tDated purchase orders                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tN\u00f3mina de\t\t\t\tsueldos.pdf_008.exe                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEXE disguised as PDF                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"   
                 padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPayroll -  HR department\t\t\t\ttargeting                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tComprobante de pago.pdf.exe                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEXE disguised as PDF                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPayment receipt -  finance\t\t\t\ttargeting                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n  
                  data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNomina_Sept2025_Confidencial.xlam                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOffice macro lure                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tConfidential payroll -  HR\t\t\t\ttargeting                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOrden - N652120.008.xlam                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    
data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tOffice macro lure                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tNumbered order -  supplier\t\t\t\ttargeting                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tgivingbestthingsalwaysfor.hta                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tHTA dropper                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left wpdt-fs-000012\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"  
                  padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEnglish -  possible wider\t\t\t\ttargeting                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-327'>\ntable#wpdtSimpleTable-327{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-327 td, table.wpdtSimpleTable327 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000012 { font-size: 12px !important;}\n<\/style>\n\n\n\n\n<p>The Passive DNS history further reveals that the same IP hosted subdomains used as email relay infrastructure: <em>email.v.todotramitesperu.com.elgartizocon[.]ro<\/em> and <em>email.elrif[.]com<\/em> \u2014 patterns consistent with mail relay abuse to increase phishing email deliverability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. MITRE ATT&amp;CK Mapping<\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-328\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"11\"\n           data-wpID=\"328\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:38.386648122392%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tTechnique                    <\/th>\n                                                <th class=\"wpdt-cell 
wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:13.908205841446%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tID                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:47.705146036161%;                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tEvidence                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tPhishing: Spearphishing\t\t\t\tAttachment                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1566.001                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            
data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tRAR\t\t\t\tarchive with financial lure delivered via email                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tObfuscated Files or\t\t\t\tInformation                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1027                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tJScript\t\t\t\tEncoded .jse dropper evades AV                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                  
                          data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCommand and Scripting:\t\t\t\tJavaScript                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1059.007                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\twscript.exe\t\t\t\texecutes .jse dropper                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCommand and Scripting:\t\t\t\tPowerShell                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B5\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1059.001                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tStager with\t\t\t\t-ExecutionPolicy Bypass                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tProcess Injection: Process\t\t\t\tHollowing                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1055.012                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                 
   padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tALTERNATE.dll\t\t\t\tinjected into aspnet_compiler.exe                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSoftware Packing \/\t\t\t\tVirtualization                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1027.002                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\t.NET\t\t\t\tReactor 6.x with VM + control flow obfuscation                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n   
                 style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCredentials from Web\t\t\t\tBrowsers                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1555.003                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tChrome,\t\t\t\tFirefox credential store access confirmed                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tExfiltration\t\t\t\tOver Alternative Protocol: FTP                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n 
                   \"\n                    >\n                                        \t\t\t\tT1048.003                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCleartext\t\t\t\tFTP to ftp.horeca-bucuresti.ro:21                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSystem Information\t\t\t\tDiscovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1082                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tCPU, RAM, OS 
version\t\t\t\tenumeration pre-exfil                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tSystem Network\t\t\t\tConfiguration Discovery                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tT1016                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \t\t\t\tExternal IP lookup via\t\t\t\tip-api.com                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-328'>\ntable#wpdtSimpleTable-328{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-328 td, table.wpdtSimpleTable328 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Early Detection: Using ANY.RUN Against Agent Tesla Campaigns<\/h2>\n\n\n\n<p>ANY.RUN\u2019s 
Interactive Sandbox is particularly effective for early detection of sophisticated multi-stage loaders like this Agent Tesla campaign. Security teams should integrate the following practices:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Proactive Sample Submission<\/strong>: Upload suspicious attachments (especially RAR archives with non-standard extensions like .uu, .jse, or macro-enabled Office files) immediately upon receipt for interactive analysis.<\/li>\n\n\n\n<li><strong>Behavioral Monitoring<\/strong>: Use ANY.RUN\u2019s real-time process tree visualization and Suricata rule matching to identify Process Hollowing into aspnet_compiler.exe, PowerShell stagers, and FTP exfiltration patterns.<\/li>\n\n\n\n<li><strong>Threat Intelligence Pivoting<\/strong>: After identifying a C2 indicator (e.g., ftp.horeca-bucuresti[.]ro or IP 89.39.83[.]184), pivot within ANY.RUN Threat Intelligence to uncover related samples and campaign scope.<\/li>\n\n\n\n<li><strong>Team Training<\/strong>: Conduct regular red-team exercises in the interactive environment to train analysts on recognizing .NET Reactor-protected loaders and fileless execution techniques.<\/li>\n\n\n\n<li><strong>Automated Workflows<\/strong>: <a href=\"https:\/\/any.run\/integrations\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktointegrations\">Integrate<\/a> ANY.RUN via API for high-volume email gateway triage, enabling rapid quarantine of matching threats before they reach end users.<\/li>\n<\/ul>\n\n\n\n
<h3 class=\"wp-block-heading\">Detection Recommendations<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Network-Level (Suricata\/Snort)<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># Detect AgentTesla FTP exfiltration by filename pattern\nalert tcp $HOME_NET any -&gt; $EXTERNAL_NET 21 (\n  msg:\"AgentTesla FTP Credential Exfil - PW_ prefix\";\n  flow:established,to_server;\n  content:\"STOR PW_\"; depth:8;\n  content:\".html\";\n  sid:9000001; rev:1;\n)\n \n# Detect pre-exfil hosting check\nalert http $HOME_NET any -&gt; $EXTERNAL_NET any (\n  msg:\"AgentTesla - ip-api hosting provider check\";\n  http.uri; content:\"\/line\/?fields=hosting\";\n  sid:9000002; rev:1;\n)<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">YARA Rule<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>rule AgentTesla_ALTERNATE_Loader {\n  meta:\n    description = \"Detects 
ALTERNATE.dll Agent Tesla loader (.NET Reactor 6.x)\"\n    author      = \"0xOlympus\"\n    date        = \"2026-03-27\"\n  strings:\n    $pdb  = \"ALTERNATE.pdb\"  ascii\n    $name = \"ALTERNATE.dll\"  ascii\n    $aes  = \"AesCryptoServiceProvider\" wide\n    $dec  = \"CreateDecryptor\"          wide\n    $va   = \"VirtualAlloc\"   ascii\n    $wpm  = \"WriteProcessMemory\" ascii\n  condition:\n    uint16(0) == 0x5A4D\n    and all of ($pdb, $name)\n    and all of ($aes, $dec)\n    and any of ($va, $wpm)\n}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Sigma Rule<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>title: AgentTesla Process Hollowing via aspnet_compiler.exe\nstatus: experimental\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  selection:\n    ParentImage|endswith: \"\\\\powershell.exe\"\n    Image|endswith:       \"\\\\aspnet_compiler.exe\"\n  filter_legit:\n    CommandLine|contains:\n      - \"-f \"\n      - \"-v \"\n  condition: selection and not filter_legit\nfalsepositives:\n  - Legitimate .NET compilation tasks (rare outside dev environments)\nlevel: high\ntags:\n  - attack.t1055.012\n  - attack.t1059.001<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Email Gateway Recommendations<\/h4>\n\n\n\n<p>Block or quarantine emails containing attachments matching these patterns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extensions .uu, .jse, .vbe inside archives;<\/li>\n\n\n\n<li>Macro-enabled Office files (.xlam, .xlsm) from external senders in procurement contexts;<\/li>\n\n\n\n<li>Filename patterns combining financial terms (orden, nomina, comprobante) with executable extensions. 
<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Important Observations<\/h3>\n\n\n\n<p>This investigation yields several actionable findings for security teams in Chile and the broader LATAM region:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">The campaign is persistent, not opportunistic<\/h4>\n\n\n\n<p>The threat actor has operated continuously since at least mid-2024 using the same FTP infrastructure (89.39.83[.]184) while iterating on lure documents. This is a sustained operation with deliberate LATAM focus.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Dynamic analysis is non-negotiable for this family<\/h4>\n\n\n\n<p>.NET Reactor 6.x with virtualization and control flow obfuscation significantly raises the cost of static analysis. Organizations relying solely on static AV will miss this family. Dynamic analysis in sandboxes like ANY.RUN provides the detection coverage that static tools cannot.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">FTP exfiltration remains dangerously undermonitored<\/h4>\n\n\n\n<p>Despite being a decades-old protocol, FTP exfiltration continues to succeed because most organizations focus monitoring on HTTP\/S. Since FTP operates in cleartext, when it is captured, full credentials and data content are visible \u2014 but only if outbound FTP traffic is logged and inspected.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Financial and procurement roles are high-value targets<\/h4>\n\n\n\n<p>The consistent use of purchase order and payment receipt lures indicates deliberate targeting of accounts payable and procurement departments. Targeted security awareness training for these roles represents a high-ROI defensive investment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How ANY.RUN Accelerated This Investigation<\/h2>\n\n\n\n<p>Several phases of this investigation would have been significantly slower or impossible without ANY.RUN. 
Here is where the platform made a direct impact:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Interactive Detonation<\/h3>\n\n\n\n<p>Unlike fully automated sandboxes, ANY.RUN\u2019s interactive environment allowed real-time observation of the infection chain. This was critical for the .jse stage, which checks for user interaction before proceeding \u2014 a common evasion technique that automated systems fail to bypass.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"524\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-1024x524.png\" alt=\"\" class=\"wp-image-20947\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-1024x524.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-768x393.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-1536x785.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16-740x378.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/05\/image16.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Agent Tesla detonated in ANY.RUN Sandbox<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Automatic Network Threat Detection<\/h3>\n\n\n\n<p>ANY.RUN matched 6 Suricata rules against the network traffic automatically, immediately confirming the Agent Tesla family and the FTP exfiltration behavior. 
In a traditional lab setup, this would require manual PCAP capture, Wireshark analysis, and custom rule development.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cleartext FTP Capture<\/h3>\n\n\n\n<p>The cleartext FTP session \u2014 including the authentication handshake, the C2 hostname (ftp.horeca-bucuresti[.]ro), and the exfiltrated filename pattern \u2014 was captured in full by ANY.RUN\u2019s network interception layer and presented directly in the Network tab, reducing analysis time from hours to minutes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Threat Intelligence Pivoting<\/h3>\n\n\n\n<p>Using the C2 IP as a pivot point in ANY.RUN Threat Intelligence (combined with VirusTotal), we surfaced 80 related malicious samples, identified the 18-month campaign timeline, and mapped the full scope of LATAM targeting \u2014 transforming a single sample investigation into a comprehensive campaign report.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix: Complete IOC Reference<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-329\" class=\"wpdtSimpleTable wpDataTable\" data-column=\"3\" data-rows=\"14\" data-wpID=\"329\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr class=\"wpdt-cell-row\"><th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\">Indicator<\/th><th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\">Type<\/th><th class=\"wpdt-cell wpdt-bold wpdt-fs-000014\">Description<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">948C8C69FE02EDA9231AEBFA5C626335307058AC74A5C3C40B346179A1BFC982<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">SHA256<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">RAR dropper<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">A7EEEAD9C868D9944ED1C1F113328F32<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">MD5<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">RAR dropper<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">B50B3800B17AD7AD5C4483C0B6B24D1D151A9D10<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">SHA1<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">RAR dropper<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">7929355856A2A85D48F95D230CD74FBB5AD554BED49E73B1800136C4BCCCD1A8<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">SHA256<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">.jse encoded dropper<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">CD83F5CEB2D014BADFA991106A9D37A6AEAB9043D60D796AD0F16D36CDFA5703<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">SHA256<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">PowerShell stager (all variants)<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">SHA256<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">PS stager template<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">89.39.83[.]184<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">IPv4<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">FTP C2 - MALICIOUS - block immediately<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">ftp.horeca-bucuresti[.]ro<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">FQDN<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">FTP C2 hostname - MALICIOUS<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">208.95.112[.]1<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">IPv4<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">ip-api.com (victim fingerprinting)<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">americas2@horeca-bucuresti[.]ro<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">FTP account<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Operator drop account<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">C:\\Temp\\[A-Z]{8}.ps1<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Path regex<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Dropped stager pattern<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">PW_[user]-[host]_[timestamp].html<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Filename pattern<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Exfil output format<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">ALTERNATE.dll \/ ALTERNATE.pdb<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Binary strings<\/td><td class=\"wpdt-cell wpdt-align-left wpdt-fs-000011\">Internal loader identifiers<\/td><\/tr>\n<\/tbody>\n<\/table>\n<\/div><style id='wpdt-custom-style-329'>\ntable#wpdtSimpleTable-329{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-329 td, table.wpdtSimpleTable329 th { white-space: normal !important; }\n.wpdt-fs-000014 { font-size: 14px !important;}\n.wpdt-fs-000011 { font-size: 11px !important;}\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;delivers cybersecurity solutions designed to support real-world SOC operations. They&nbsp;help&nbsp;security teams understand&nbsp;threats&nbsp;faster, make informed decisions,&nbsp;and&nbsp;operationalize threat intelligence across&nbsp;detection, investigation,&nbsp;and&nbsp;response&nbsp;workflows.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;company\u2019s solutions include&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>&nbsp;for&nbsp;enterprise-grade malware analysis, as well as ANY.RUN\u2019s Threat Intelligence with its modules&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;and&nbsp;<a 
href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds,<\/a>&nbsp;providing continuously updated intelligence based on live attack analysis.&nbsp;<\/p>\n\n\n\n<p>Used by over 15,000 organizations&nbsp;and&nbsp;600,000 security professionals&nbsp;worldwide, ANY.RUN is&nbsp;<a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=soc_ready_reporting&amp;utm_term=130526&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certified,<\/a>&nbsp;ensuring strong security controls&nbsp;and&nbsp;protection of customer data.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=agent-tesla-latam-enterprise&amp;utm_term=140526&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Request access to ANY.RUN\u2019s solutions \u2192<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1778757638059\"><strong class=\"schema-faq-question\">Q1: What makes this Agent Tesla campaign different from others?<\/strong> <p class=\"schema-faq-answer\">It uses a sophisticated .NET Reactor-protected loader with Process Hollowing and has operated persistently against LATAM targets for over 18 months using the same infrastructure.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1778757705785\"><strong class=\"schema-faq-question\">Why are Chilean companies specifically targeted?<\/strong> <p class=\"schema-faq-answer\">Rapid digitalization, prevalent use of email for business documents, and relatively lower security maturity in SME supply chains.<\/p> <\/div> <div 
class=\"schema-faq-section\" id=\"faq-question-1778757722383\"><strong class=\"schema-faq-question\">Can standard antivirus stop this attack?<\/strong> <p class=\"schema-faq-answer\">Often not. The heavy obfuscation, fileless execution, and legitimate process injection frequently bypass static AV. Dynamic analysis is critical.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1778757735969\"><strong class=\"schema-faq-question\">What should employees do when receiving a suspicious purchase order?<\/strong> <p class=\"schema-faq-answer\">Verify the sender through a separate channel and avoid opening attachments from unexpected sources.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1778757751911\"><strong class=\"schema-faq-question\">How can we detect the FTP exfiltration?<\/strong> <p class=\"schema-faq-answer\">Monitor outbound FTP traffic (port 21) and look for filenames starting with \u201cPW_\u201d followed by username and hostname.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1778757758752\"><strong class=\"schema-faq-question\">How can ANY.RUN help my security team?<\/strong> <p class=\"schema-faq-answer\">It provides interactive detonation, automatic threat detection, and intelligence pivoting that accelerate both analysis and proactive defense.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:\u00a0The analysis is authored by Moises Cerqueira, malware researcher &amp; threat hunter. You can\u00a0find Moises on LinkedIn and X. Credential&nbsp;theft&nbsp;malware rarely announces itself with ransomware-level noise. Instead, it&nbsp;operates&nbsp;like a silent siphon hidden inside everyday business workflows: invoices, payroll files, purchase orders, procurement requests. 
Agent Tesla campaigns are especially dangerous because they target the operational [&hellip;]<\/p>\n","protected":false},"author":19,"featured_media":20855,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[100,57,10,101,34,40],"class_list":["post-20852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-agent-tesla","tag-anyrun","tag-cybersecurity","tag-latam","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Agent Tesla Campaign Targeting LATAM Enterprises<\/title>\n<meta name=\"description\" content=\"Deep-dive into an active Agent Tesla credential-stealing campaign targeting Chilean and LATAM enterprises via spear-phishing since 2024.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Moises Cerqueira (0xOlympus)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\"},\"author\":{\"name\":\"Moises Cerqueira (0xOlympus)\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"LATAM Under Siege: Agent Tesla&#8217;s 18-Month Credential Theft Campaign Against Chilean Enterprises\",\"datePublished\":\"2026-05-14T11:55:31+00:00\",\"dateModified\":\"2026-05-14T12:30:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\"},\"wordCount\":3972,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"Agent Tesla\",\"ANYRUN\",\"cybersecurity\",\"LATAM\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\",\"name\":\"Agent Tesla Campaign Targeting LATAM Enterprises\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-05-14T11:55:31+00:00\",\"dateModified\":\"2026-05-14T12:30:01+00:00\",\"description\":\"Deep-dive into an active Agent Tesla credential-stealing campaign targeting Chilean and LATAM enterprises via spear-phishing since 
2024.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757638059\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757705785\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757722383\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757735969\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757751911\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757758752\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"LATAM Under Siege: Agent Tesla&#8217;s 18-Month Credential Theft Campaign Against Chilean Enterprises\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Moises Cerqueira (0xOlympus)\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/02\/Moises.jpg\",\"caption\":\"Moises Cerqueira (0xOlympus)\"},\"description\":\"Malware Researcher & Threat Hunter with a strong background in Blue Team operations. Specialized in malware analysis and reverse engineering, with hands-on experience dissecting binaries and reconstructing attacker TTPs from initial delivery to command-and-control communication. Driven by a deep interest in adversary tradecraft, bridging low-level technical analysis with strategic threat intelligence and detection engineering. 
Follow Moises on: LinkedIn X Website\",\"sameAs\":[\"https:\/\/0xdelta.org\/\"],\"url\":\"#molongui-disabled-link\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757638059\",\"position\":1,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757638059\",\"name\":\"Q1: What makes this Agent Tesla campaign different from others?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"It uses a sophisticated .NET Reactor-protected loader with Process Hollowing and has operated persistently against LATAM targets for over 18 months using the same infrastructure.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757705785\",\"position\":2,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757705785\",\"name\":\"Why are Chilean companies specifically targeted?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Rapid digitalization, prevalent use of email for business documents, and relatively lower security maturity in SME supply chains.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757722383\",\"position\":3,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757722383\",\"name\":\"Can standard antivirus stop this attack?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Often not. The heavy obfuscation, fileless execution, and legitimate process injection frequently bypass static AV. 
Dynamic analysis is critical.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757735969\",\"position\":4,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757735969\",\"name\":\"What should employees do when receiving a suspicious purchase order?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Verify the sender through a separate channel and avoid opening attachments from unexpected sources.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757751911\",\"position\":5,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757751911\",\"name\":\"How can we detect the FTP exfiltration?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Monitor outbound FTP traffic (port 21) and look for filenames starting with \u201cPW_\u201d followed by username and hostname.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757758752\",\"position\":6,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/agent-tesla-latam-enterprise\/#faq-question-1778757758752\",\"name\":\"How can ANY.RUN help my security team?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"It provides interactive detonation, automatic threat detection, and intelligence pivoting that accelerate both analysis and proactive defense.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20852"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=20852"}],"version-history":[{"count":101,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20852\/revisions"}],"predecessor-version":[{"id":20972,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/20852\/revisions\/20972"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/20855"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=20852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=20852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=20852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}