
Agent Tesla is a sophisticated Remote Access Trojan (RAT) and information stealer identified as the most active malware in Africa in March 2025, troubling organizations and individuals alike.
Active since at least 2014, it is often distributed through phishing emails and malicious attachments and is used for cyber espionage and credential theft.
Agent Tesla operates as Malware-as-a-Service (MaaS), meaning cybercriminals can purchase it on underground forums and deploy it with ease.
According to Check Point’s 2025 Cybersecurity Report, Agent Tesla was among the top 10 malware variants in 2024, impacting 6.3% of corporate networks globally. Its activity rose by 22% between 2023 and 2024, highlighting its adaptability in targeted attacks.
Impact on Africa
Agent Tesla is actively targeting key sectors in Africa, causing severe financial and security risks:
- Nigeria: Cybercriminals are using Agent Tesla to steal banking credentials, manipulate financial transactions, and commit fraud. Phishing emails and malicious attachments help them infiltrate banking networks, extracting sensitive data for unauthorized transactions or sales on underground markets.
- South Africa: Enterprises are under constant attack as Agent Tesla harvests credentials from corporate applications, leading to data breaches, intellectual property theft, and financial losses. The rise of cloud-based services has made South African businesses prime targets for cybercriminals looking to exploit business communications.
- Kenya: Mobile users face increasing threats as attackers exploit mobile banking and payment platforms. Agent Tesla steals credentials from email clients, web browsers, and clipboard data, putting individuals and small businesses at risk. Its advanced evasion techniques make it difficult to detect, leaving users vulnerable to financial theft and fraud.
How Agent Tesla Operates
Agent Tesla is a Remote Access Trojan (RAT) built for data theft and remote control. It records keystrokes, steals credentials, captures screenshots, monitors clipboards, and executes additional payloads.
The malware targets over 50 applications, including web browsers, email clients, and FTP tools, allowing attackers to extract sensitive login details. Once it gathers data, Agent Tesla sends it to Command-and-Control (C2) servers using HTTP, SMTP, FTP, or Telegram, giving attackers continuous access to infected systems for espionage or financial theft.
It spreads through phishing emails that trick users into opening malicious Office documents or executing disguised executable files. It exploits vulnerabilities like CVE-2017-11882 and CVE-2018-0802 to run code remotely.
To evade detection, Agent Tesla obfuscates its code, using Base64 encoding, XOR encryption, and steganography to hide its presence. It checks for sandboxed environments and debugging tools and halts execution when it detects them.
The malware bypasses AMSI protections, injects itself into legitimate Windows processes (e.g., RegAsm.exe, RegSvcs.exe), and constantly updates its code to defeat antivirus signatures. It also leverages encrypted Telegram channels to communicate with C2 servers, making it difficult to track and block its operations.
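The behaviours above (injection into RegAsm.exe/RegSvcs.exe and exfiltration over SMTP, FTP or the Telegram API) translate directly into endpoint detection rules. The following is an added illustration, not code from the page or from Ethnos Cyber: it runs two such rules over constructed, simplified process and network events. The Office parent list, the port set and the `api.telegram.org` host are assumptions about what a defender would watch for, not values taken from the page.

```python
"""Toy detection rules for the Agent Tesla behaviours described above,
run over constructed, simplified endpoint events (not real telemetry)."""
from dataclasses import dataclass

# Process names the page says Agent Tesla injects into.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Office-side parents that should not normally spawn .NET registration tools
# (eqnedt32.exe is the Equation Editor abused by CVE-2017-11882/CVE-2018-0802).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# Exfiltration channels named on the page: SMTP and FTP ports, and the Telegram Bot API.
EXFIL_PORTS = {21, 25, 465, 587}
EXFIL_HOSTS = {"api.telegram.org"}


@dataclass
class Event:
    kind: str            # "process" or "network"
    image: str           # executable name of the acting process
    parent: str = ""     # parent image (process events only)
    dest_host: str = ""  # destination hostname (network events only)
    dest_port: int = 0   # destination port (network events only)


def classify(ev: Event) -> list[str]:
    """Return the names of the rules an event matches (empty list = nothing suspicious)."""
    hits = []
    image = ev.image.lower()
    if ev.kind == "process" and image in INJECTION_HOSTS and ev.parent.lower() in OFFICE_PARENTS:
        hits.append("office-spawned-regasm-regsvcs")
    if ev.kind == "network" and image in INJECTION_HOSTS:
        if ev.dest_host.lower() in EXFIL_HOSTS:
            hits.append("regasm-regsvcs-to-telegram-api")
        if ev.dest_port in EXFIL_PORTS:
            hits.append("regasm-regsvcs-smtp-ftp-egress")
    return hits


def scan(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Keep only the events that trip at least one rule, paired with the rule names."""
    return [(ev, hits) for ev in events if (hits := classify(ev))]


# Constructed sample events: two true positives, one benign build, one SMTP egress, one benign browser.
SAMPLE_EVENTS = [
    Event("process", "RegAsm.exe", parent="EQNEDT32.EXE"),
    Event("process", "RegAsm.exe", parent="msbuild.exe"),
    Event("network", "RegSvcs.exe", dest_host="api.telegram.org", dest_port=443),
    Event("network", "RegSvcs.exe", dest_host="mail.example.invalid", dest_port=587),
    Event("network", "chrome.exe", dest_host="api.telegram.org", dest_port=443),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.image} ({ev.parent or ev.dest_host}): {', '.join(hits)}")
```

Real deployments would source these events from Sysmon or an EDR and tune the parent and port lists to the environment's baseline.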
Mitigation Recommendations (Courtesy of Ethnos Cyber)
- Patch Management: Apply security patches for CVE-2017-11882, CVE-2018-0802, and CVE-2024-3400 immediately to prevent exploitation.
- Email Security: Implement anti-phishing filters with sandbox analysis to block malicious attachments and suspicious links.
- Endpoint Protection: Deploy Endpoint Detection and Response (EDR) solutions to identify and block AMSI bypass attempts, process injection, and unauthorized credential access.
- Multi-Factor Authentication (MFA): Enforce MFA across all critical systems to minimize the risk of stolen credentials being used for unauthorized access.
- User Awareness Training: Conduct regular cybersecurity training to educate employees on phishing threats, with a focus on Africa’s high-risk sectors like banking and enterprise environments.