Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • New Agent Tesla Spyware Variant was spread via Microsoft Word documents
  • Malware

New Agent Tesla Spyware Variant was spread via Microsoft Word documents

Do Son April 9, 2018 3 minutes read
Agent Tesla Spyware
Add Daily CyberSecurity as a preferred source on Google

According to the FortiGuard Threat Research and Response Lab, they recently captured a new malware sample that spreads through Microsoft Word documents. Initial investigation results show that this is a new variant of the spyware agent Tesla.

Agent Tesla was originally a simple keylogger, and researchers at network security company Zscaler stated in an analysis released in 2016 that it has officially become a complete spyware.

FortiGuard Labs captured another variant of Agent Tesla (based on the Microsoft .Net framework) in June 2017 and conducted a detailed analysis of it. At the time, researchers discovered that spyware was being spread through Microsoft Word documents containing malicious VBA macros that could be executed automatically. When the document is opened, the victim is prompted to click on the “Enable Content” button to display the content. Once clicked, spyware is automatically downloaded and installed invisible.

FortiGuard Labs stated that in recent activities, new variants have switched to being distributed through Microsoft Word documents that contain embedded exe files. When you open a document, everything except a blue icon is ambiguous. As you can see, it tells the victim through text that the “clear view” can be enabled by double-clicking the blue icon in the document. Once the victim is following this instruction, it will extract a “POM.exe” file from the embedded object into the infected system’s temporary folder and run it.

The FortiGuard Lab explains that POM.exe is written in MS Visual Basic and is an installer. At runtime, it puts two files (“filename.exe” and “filename.vbs”) in the “%temp%\subfolder” folder.

To establish persistence on infected systems, filename.vbs is first added to the system registry as a launcher. This action allows spyware to execute automatically each time the system is started.

FortiGuard Labs stated that the new variant has the same malicious features as the previously captured variants, including monitoring and collecting the victim’s keyboard input, system clipboard, victim screenshots, and collecting credentials for various installed software.

The difference is that the way data is submitted to the Command and Control (C&C) server has changed. The previous variant used HTTP POST to send the collected data, and the new variant has switched to using SMTPS to send the collected data to the attacker’s email address.

After an in-depth analysis, researchers at FortiGuard Labs discovered the SMTP credentials (“username” and “password”) and the SMTP server used by the attacker. This is a free Zoho e-mail account and the researcher immediately notified the e-mail service provider about this abuse.

Source, Image: Fortinet

Related coverage

  • Google Threat Intelligence Exposes UNC6384’s Stealthy Espionage Campaign
  • TAMECAT Exposed: APT42’s Fileless Backdoor Targets Defense Chiefs
  • Unmasking the Menace: Trend Micro Exposes AsyncRAT’s Deception
  • BlackLock Ransomware Disrupted: Resecurity’s Infiltration Exposes Operations
  • Fake AI Assistant: Malicious “ClawdBot” Extension Hides Trojan in VS Code
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: Agent Tesla Spyware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.