The fake PDF attached to the "PURCHASE ORDER 05-30-2023" email contains a link that downloads a tgz file. The tgz holds a TAR archive, inside which there is an exe: the malware.
Cybercrime, “Nieuwe bestelling 20230517/4500338579” bait for AgentTesla

The “Nieuwe bestelling 20230517/4500338579” email is a lure for AgentTesla. The attachment contains a tar file with an exe: the malware. The stolen data is exfiltrated via the Telegram API to the same C2 as the “Nieuwe bestelling – 100 STUKS ELK” campaign.
The product-themed AgentTesla campaign uses a new trick to try to evade antivirus software.
The gz attachment of the email “Nieuwe bestelling 20230517/4500338579” contains a tar file with an exe inside: the malware. The stolen data is then exfiltrated via the Telegram API.
This is the same campaign as the one that uses the “Nieuwe bestelling – 100 STUKS ELK” email as bait: the two share the C2 and the false origin of the message from the Netherlands. Through its keylogger function, AgentTesla can capture everything the user types. It can also steal emails and browser credentials and take screenshots. Finally, it lets its operators remotely issue commands to the infected PC, such as downloading additional payloads or updating existing ones.
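For mail-gateway or triage use, the gz > tar > exe nesting described above can be checked by content rather than by file extension. The following is an added example, not part of the original article; the function names, the depth and size limits, and the sample file name `order.exe` are assumptions, and the sample is a constructed, harmless stub.

```python
import gzip
import io
import tarfile
import zlib

MAX_DEPTH = 4                    # assumed nesting limit
MAX_BYTES = 32 * 1024 * 1024     # assumed per-layer size cap

def is_pe(data):
    """DOS 'MZ' header whose e_lfanew field points at a 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"

def find_executables(data, name="attachment", depth=0):
    """Return the nesting path of each PE file, judged by content, not extension."""
    if is_pe(data):
        return [name]
    if depth >= MAX_DEPTH:
        return []
    if data[:2] == b"\x1f\x8b":  # gzip layer (.gz / .tgz)
        try:
            inner = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_BYTES)
        except (OSError, EOFError, zlib.error):
            return []
        return find_executables(inner, name + " > gunzip", depth + 1)
    hits = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for member in tar:
                if member.isfile() and member.size <= MAX_BYTES:
                    body = tar.extractfile(member).read()
                    hits += find_executables(body, f"{name} > {member.name}", depth + 1)
    except tarfile.TarError:
        pass  # not a tar, or a damaged one: nothing more to unpack
    return hits

def build_sample():
    """Constructed sample: harmless stub with PE magic, in a tar, in a gzip layer."""
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        info = tarfile.TarInfo("order.exe")
        info.size = len(stub)
        tar.addfile(info, io.BytesIO(stub))
    return gzip.compress(raw.getvalue())

if __name__ == "__main__":
    print(find_executables(build_sample()))
```

Everything is unpacked in memory and nothing is written to disk or executed; a non-empty result means an executable is hidden behind archive layers and the attachment warrants quarantine.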