Threats Tagged 'agenttesla'

This report analyzes infostealer malware distribution trends observed in May 2026. The primary infection vectors were illegal software disguised as cracks and keygens, and email campaigns. The most prevalent malware variants included ACRStealer, Remus, and LummaC2, with Remus showing significant growth. Distribution channels involved domains hosted on platforms like Mediafire and AWS S3 buckets. Microsoft was the most impersonated company in these campaigns. Execution types were mainly EXE files (78.9%) and DLL side-loading (21.1%). macOS infections involved ClickFix techniques and malicious Bash scripts. Email campaigns also distributed AgentTesla and DarkCloud malware. No specific affected software versions or patches are identified.

In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.