AGENT TESLA

The NJCCIC observed a campaign attempting to distribute Agent Tesla malware. Agent Tesla functions as a remote access trojan (RAT) with information-stealing capabilities, including keystroke logging, password harvesting, clipboard theft, and screen capture. Although first discovered in 2014, Agent Tesla remains a popular Malware-as-a-Service (MaaS) offering.

In this campaign, threat actors send phishing emails claiming to include order forms, invoices, or similar financial documents. These messages carry either a compressed executable file or a Microsoft Excel attachment that exploits vulnerabilities in Microsoft Office's Equation Editor. When opened, these attachments download and install Agent Tesla.

Recommendations

  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Only download applications and software from official sources.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • If you suspect an account has been compromised, change the account’s password immediately and ensure multi-factor authentication (MFA) is enabled for all online accounts.

Review the NJCCIC product "Don't Take the Bait! Phishing and Other Social Engineering Attacks" for more information on common phishing and social engineering attacks.
Report malicious cyber activity to the NJCCIC and the FBI’s IC3.


REMCOS RAT

Remcos is advertised as a legitimate remote administration tool for surveillance and penetration testing purposes; however, threat actors weaponize it as a remote access trojan (RAT) to gain unauthorized access, steal credentials, capture and exfiltrate data, and install additional malware such as keyloggers, spyware, and ransomware. Throughout September and October, the NJCCIC observed a rise in Remcos RAT campaigns targeting New Jersey State employees with lures of quotations, payment advice, supplies, orders, deliveries, and urgent inquiries. The emails include an attachment named after one of the lures, optionally followed by a “PDF” label so that it appears to be a legitimate Adobe PDF file, and ending in a RAR or GZ file extension. The archives contain VBScripts that, when run, install the Remcos RAT. Researchers discovered similar Remcos RAT campaigns using attachments with ZIP, SVG, and GZ file extensions to drop BAT files that execute obfuscated PowerShell scripts.
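The attachment pattern described above (a financial lure word, an optional "PDF" label, and an archive or SVG extension wrapping a script), and the compressed executables used in the Agent Tesla campaign, can be screened at the mail gateway. The following is an added example written for this page, not NJCCIC code; the keyword list, the regex, and the constructed sample archive are assumptions chosen to mirror the lures the advisory names.

```python
import io
import re
import zipfile

# Lure words taken from the advisory; "invoice" added as an assumption.
LURE_WORDS = ("quotation", "payment advice", "supplies", "order",
              "delivery", "urgent", "inquiry", "invoice")
CONTAINER_EXTS = (".rar", ".gz", ".zip", ".svg")
# Member types that should never arrive inside a "PDF" archive.
SCRIPT_EXTS = (".vbs", ".vbe", ".bat", ".cmd", ".ps1", ".js", ".wsf", ".exe")


def flag_attachment_name(name: str) -> list[str]:
    """Return the reasons an attachment name matches the lure pattern
    (empty list means the name alone is not suspicious)."""
    lower = name.lower().strip()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot >= 0 else ""
    stem = lower[:dot] if dot >= 0 else lower
    reasons = []
    if ext in CONTAINER_EXTS:
        reasons.append(f"script-capable container extension {ext}")
        # "Quotation PDF.rar", "Order_PDF.gz", "Invoice.pdf.zip" all end in a PDF label.
        if re.search(r"(^|[\s_\-.])pdf$", stem):
            reasons.append("'PDF' label on a non-PDF container")
        words = stem.replace("_", " ")
        hits = [w for w in LURE_WORDS if w in words]
        if hits:
            reasons.append("lure keyword: " + ", ".join(hits))
    return reasons


def flag_zip_members(data: bytes) -> list[str]:
    """Names of script or executable members inside a ZIP payload.
    (RAR and GZ would need other libraries; the logic is the same.)"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist() if m.lower().endswith(SCRIPT_EXTS)]


def constructed_sample_zip() -> bytes:
    """Constructed test archive: one harmless placeholder .vbs, not a real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order PDF.vbs", "' constructed placeholder\n")
    return buf.getvalue()
```

Names that return no reasons still warrant content inspection, since the filename heuristic only catches the naming convention this campaign happened to use.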

The NJCCIC also received a report of a downloaded file that appeared to be a PDF. Once the malware was installed, it began messaging others to spread the same file. The local security software blocked an outbound connection attempt from a malicious executable called “WINDBVER” to a command and control (C2) server at IP address 108[.]181[.]121[.]140. VirusTotal flagged this IP address as malicious and associated it with Remcos RAT activity in the past month.

Recommendations

  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Navigate to official websites by manually typing official website URLs into browsers, and only submit account credentials and sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Run updated and reputable anti-virus or anti-malware programs.

Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

This information was originally published in the NJCCIC October 23, 2025 Newsletter.