In a malicious campaign, threat actors target users in South America and Europe to obtain their login credentials stored in browsers, using the AgentTesla information stealer.

For this, more than 26,000 spoofed emails—with malicious attachments—have been sent to businesses across South America and Europe.

Who are potential victims?

On August 12, a phishing campaign was discovered, and three days later, a larger attack wave targeted users in Germany. The following week, South America, particularly Argentina, was targeted again, and the current week has seen a small wave of similar attacks on Switzerland users.

Infection chain

  • Spoofed email addresses contain attachments with the extension .IMG or .ISO.
  • A JavaScript section is obfuscated in the attached file and executes the PowerShell command, which then delivers the final payload.
  • A JPG image is downloaded in the background disguised as a final payload. The goal is to evade firewalls, intrusion detection systems, and malware analysts.
  • Instead of a JPG image, the downloaded data is a PowerShell script that drops the AgentTesla malware.

Attack details

  • The malware capabilities include stealing passwords from browsers, email clients, VPN clients, FTP clients, and clipboards. 
  • It steals credentials from browsers and collects information about victims' computers, including user names, computer names, OSs, CPUs, and RAM. 
  • The collected data is sent to an attacker-controlled FTP server, which archives everything from the entire campaign.
  • Information about the victims' computers and compromised credentials are stored on the server in a number of different files. 
  • Approximately every hour, the attacker downloads and deletes these files.


Malware campaign using AgentTestla is becoming increasingly widespread, making it a potential threat. One of the top indicators of infected email is file extensions used in attachments. Email attachments containing pdf.exe or docx.exe should be seen as highly suspicious since these are executable files. Anyone receiving such emails should delete them immediately.
Cyware Publisher