Agent Tesla.

A .NET-based remote access trojan and information stealer active since 2014, sold openly as a commercial product and distributed primarily through phishing emails carrying malicious Office documents and archive attachments. It belongs to the Malware category of cybersecurity.

A .NET-based remote access trojan and information stealer active since 2014, sold openly as a commercial product and distributed primarily through phishing emails carrying malicious Office documents and archive attachments.

Agent Tesla is a .NET-based info-stealer and remote-access trojan that has been continuously active since 2014, sold openly as a 'monitoring' product on its own clearnet site and through reseller channels. It exists in dozens of slightly different versions because affiliates routinely repack the binary. Capabilities include keystroke logging, clipboard capture, screenshot capture, webcam access, theft of browser passwords and cookies, mail client credentials (Outlook, Thunderbird, FoxMail), VPN client credentials, FTP credentials, and exfiltration over SMTP, FTP, HTTP, or Telegram bots. The dominant infection vector is phishing email: lure documents embed Equation Editor (CVE-2017-11882, CVE-2018-0802) exploits or contain malicious archive attachments delivering a loader stage. Agent Tesla is one of the longest-running commodity stealers and routinely tops monthly malware ranking reports from anti-spam vendors, especially in business-email-compromise-adjacent campaigns. Defenses include disabling Office Equation Editor, attachment-detonation sandboxes, and EDR detections on the common loader behaviors (process hollowing into RegSvcs.exe, AspNetCompiler.exe).

Defences for Agent Tesla typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: AgentTesla, OriginLogger (rebrand).