Malware: Agent Tesla — Phishing-Driven Credential Theft Campaigns Targeting the Travel Sector

Executive overview

Agent Tesla is a commodity information stealer that has been sold and used since 2014 and remains popular with criminal groups because it is cheap, reliable, and needs no software exploit to run. In recent campaigns it has been used heavily against organizations in the travel sector: hotels, travel agencies, tour operators, and property management companies.

These attacks rely on realistic phishing emails that blend into normal travel-related communication. Once a single employee opens the wrong file, Agent Tesla quietly steals credentials, screenshots, and sensitive data and sends them to the attacker without obvious signs of compromise.


What Agent Tesla does

Agent Tesla is Windows malware written in .NET. Its purpose is to spy on the user and harvest information, not to damage systems, so an infection produces none of the visible symptoms (encrypted files, ransom notes, crashes) that staff usually associate with malware.

After infection, it can:

  • Log everything typed on the keyboard
  • Take screenshots of the user’s screen
  • Steal saved usernames and passwords from browsers
  • Extract credentials from email clients, VPN tools, and file-transfer software
  • Capture clipboard data (for example copied passwords or payment details)
  • Collect basic system details such as username and computer name

All stolen data is packaged and sent out quietly in the background.


Why the travel sector is frequently targeted

Travel businesses are attractive because:

  • Staff receive many emails from unknown customers and partners
  • Attachments and documents are part of daily work
  • Messages often involve urgency (complaints, refunds, booking issues)
  • Attackers can directly monetize stolen booking and payment access

Phishing emails in these campaigns are often designed to look like guest complaints, invoices, or booking platform notifications.


How the attack typically happens

Step 1: Phishing email

The attack begins with an email that appears legitimate. Common themes include:

  • Guest complaint or refund request
  • Reservation confirmation or modification
  • Invoice or payment document
  • Booking platform security notice

The email contains either an attachment or a link to download a file.


Step 2: Malicious file delivery

Attackers rarely attach the executable directly. Instead, they use layered delivery, with each layer hiding the next:

  • Word or Excel documents that ask the user to "enable content" (run a macro)
  • PDF files whose only content is a link to a download
  • ZIP, 7z, or ISO files that wrap a single executable, often with a document-like icon
  • HTML files that reassemble the malware in the browser from an embedded base64 blob (HTML smuggling)

Each layer hides the final executable from email gateways and signature-based antivirus, which often inspect only the outer file. ISO and IMG containers were long favored because files extracted from them did not carry the Mark-of-the-Web, so Windows showed no download warning when the user double-clicked the executable inside.
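As an added example (not code from the original post or from any vendor), the following Python triage routine flags the delivery wrappers described above the way a mail-gateway plug-in would: a double extension, an archive wrapping a single executable, and an HTML attachment that carries a large base64 blob together with the browser APIs used to reassemble and download it. The attachments it runs on are constructed inline and are not real campaign files; the extension lists are illustrative, not exhaustive; and only ZIP containers are opened (7z and ISO need third-party libraries and are only flagged as containers here).

```python
import io
import re
import zipfile

# Extensions that execute directly on Windows, archive containers used to wrap
# them, and document-like extensions that precede the real one in a
# double-extension name. Constructed, illustrative lists; not exhaustive.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
            "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
CONTAINER_EXT = {"zip", "7z", "rar", "iso", "img", "vhd", "vhdx"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# HTML smuggling leaves two fingerprints: a large base64 blob, and the browser
# APIs that turn it back into a file and trigger the download.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/=]{1000,}")
SMUGGLE_API = re.compile(rb"atob\(|createObjectURL|msSaveOrOpenBlob|\.download\s*=", re.I)


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def double_extension(name):
    # "Invoice.pdf.exe": a document-looking extension followed by an executable one.
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] in EXEC_EXT


def zip_entries(data):
    # (name, first two bytes) for each file in the archive, or None if the
    # bytes are not a ZIP. Only two bytes per entry are read, so this is cheap.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [(i.filename, z.open(i).read(2)) for i in z.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return None


def triage(name, data):
    findings = []
    ext = extension(name)
    if double_extension(name):
        findings.append("double-extension")
    if ext in EXEC_EXT:
        findings.append("executable-attachment")
    if ext in CONTAINER_EXT:
        findings.append("container")
        entries = zip_entries(data) if ext == "zip" else None
        if entries is not None:
            # One lone file that is an executable by extension or by PE magic ("MZ")
            if len(entries) == 1 and (extension(entries[0][0]) in EXEC_EXT or entries[0][1] == b"MZ"):
                findings.append("zip-single-executable")
            if any(double_extension(n) for n, _ in entries):
                findings.append("inner-double-extension")
    if ext in ("html", "htm") and B64_BLOB.search(data) and SMUGGLE_API.search(data):
        findings.append("html-smuggling")
    return findings


def build_samples():
    # Constructed sample attachments; none of these are real campaign files.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_4471.pdf.exe", b"MZ" + b"\x00" * 64)  # PE header stub
    smuggled = (b"<html><body><script>var b='" + b"A" * 2000 + b"';"
                b"var f=new Blob([atob(b)]);var a=document.createElement('a');"
                b"a.href=URL.createObjectURL(f);a.download='Booking_Update.iso';"
                b"a.click();</script></body></html>")
    return {
        "Guest_Complaint.zip": buf.getvalue(),
        "Reservation_Change.html": smuggled,
        "Receipt.pdf": b"%PDF-1.4\n%% benign placeholder\n",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name}: {triage(name, data) or 'clean'}")
```

The checks are deliberately cheap (names, magic bytes, two regexes) so they can run on every inbound attachment; a hit should route the message to quarantine or detonation rather than be used as a verdict on its own, since a legitimate ZIP with one installer inside will also trip the single-executable rule.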


Step 3: Execution and data theft

Once the final file runs:

  • Agent Tesla starts silently
  • No visible window appears
  • The user continues working normally

From this point, keystrokes, credentials, and screenshots are being collected.


How Agent Tesla hides and survives

Agent Tesla uses simple but effective techniques:

  • Runs from user-writable folders such as AppData or Temp, so no administrator rights are needed
  • Uses random or generic file names, sometimes borrowing the name of a legitimate Windows binary
  • Persists through a Run registry key or a scheduled task that relaunches the copied executable
  • Obfuscates and packs its .NET code to hinder analysis
  • Delays activity after launch to outlast short sandbox runs
  • Checks for virtual or sandbox environments before unpacking the payload

Because of this, signature-based security tools may miss it; behavior (the process tree, the file path, the outbound traffic) is the more reliable signal.


How stolen data is sent out

Agent Tesla supports several exfiltration channels, selected by the operator when the sample is built, so the attacker can switch if one is blocked:

  • SMTP: mailing the stolen data from a compromised or attacker-owned mailbox
  • FTP: uploading files to an attacker-controlled FTP server
  • HTTP: POSTing the data to a web panel, usually with the body encoded or encrypted
  • Messaging APIs: sending the data through the Telegram Bot API

Because every one of these uses a standard protocol on a standard port, the traffic is easy to overlook unless egress from workstations is restricted and logged.


Indicators of Compromise (IoCs)

Note: These are examples observed across campaigns. Attackers frequently rotate infrastructure.

Network-based IoCs (defanged with [.]; re-fang before loading into blocklists)

  • originwealth[.]ydns[.]eu
  • /sew/inc/10a5031d37bc79[.]php
  • api[.]telegram[.]org (unexpected traffic from workstations)
  • POST requests with long base64-like payloads to unfamiliar external servers

Email and delivery indicators

  • Emails impersonating booking platforms or guests
  • Attachments with double extensions (for example: .pdf.exe)
  • ZIP or ISO files containing a single executable
  • HTML attachments prompting users to download files

Host-based IoCs

  • Executables running from:
    • %AppData%
    • %Temp%
    • User Downloads folder
  • Office applications spawning:
    • powershell.exe
    • wscript.exe
    • rundll32.exe
  • Unexpected outbound SMTP or FTP traffic from user workstations

Behavioral indicators (high confidence)

  • Web sessions for email or booking platforms used from an unfamiliar device without any password change (stolen saved credentials or cookies)
  • Logins from new locations shortly after a user interacted with a phishing email
  • Successful logins with valid credentials where no MFA prompt was recorded (MFA not enforced, or a stolen session reused)
  • Repeated outbound connections from one process to the same external host at regular intervals
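As an added example (not from the original post), the following Python script applies the host, network, and behavioral indicators above to a constructed set of Sysmon-style events (the shape of Event ID 1 process-create and Event ID 3 network-connect records): Office spawning a script host, an executable running from AppData, direct SMTP from a workstation, the domain and URI path listed above, a POST with a long base64-like body, and fixed-interval beaconing. Host name, file paths, timestamps, and the 203.0.113.45 address are constructed; the event dictionaries imitate Sysmon's fields rather than parsing its XML.

```python
import re
from collections import defaultdict
from statistics import mean

# Process-tree rules: Office spawning a script host, executables launched
# from user-writable paths.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
                "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Network rules: direct SMTP/FTP from a workstation, the messaging API used for
# exfiltration, and the indicators from the post (re-fanged for matching).
MAIL_FTP_PORTS = {25, 465, 587, 21}
MESSAGING_APIS = {"api.telegram.org"}
IOC_DOMAINS = {"originwealth.ydns.eu"}
IOC_URIS = {"/sew/inc/10a5031d37bc79.php"}
B64_BODY = re.compile(r"^[A-Za-z0-9+/=]{512,}$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    tags = []
    if basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS:
        tags.append("office-spawns-script-host")
    if any(p in ev["image"].lower() for p in USER_WRITABLE):
        tags.append("exec-from-user-writable-path")
    return tags


def check_network(ev):
    tags = []
    if ev["dst"] in IOC_DOMAINS:
        tags.append("known-c2-domain")
    if ev["dst"] in MESSAGING_APIS:
        tags.append("messaging-api-from-workstation")
    if ev["dport"] in MAIL_FTP_PORTS:
        tags.append("direct-smtp-or-ftp-egress")
    if ev.get("uri") in IOC_URIS:
        tags.append("known-c2-uri")
    if ev.get("method") == "POST" and B64_BODY.match(ev.get("body", "")):
        tags.append("base64-post-body")
    return tags


def beaconing(events, min_conns=4, max_jitter=0.2):
    # Group connections by (host, process, destination). A group whose gaps all
    # sit within max_jitter of the mean gap is a fixed-interval beacon.
    groups = defaultdict(list)
    for ev in events:
        if ev["type"] == "network":
            groups[(ev["host"], basename(ev["image"]), ev["dst"])].append(ev["ts"])
    beacons = []
    for key, times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) / avg <= max_jitter:
            beacons.append((key, round(avg)))
    return beacons


def triage(events):
    hits = []
    for ev in events:
        tags = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if tags:
            hits.append((ev["ts"], ev["host"], basename(ev["image"]), tags))
    for (host, image, dst), period in beaconing(events):
        hits.append((None, host, image, [f"beaconing-to-{dst}-every-{period}s"]))
    return hits


# Constructed sample events (Sysmon-like shape). Host, paths, timestamps and
# the 203.0.113.45 address are made up for the example.
HOST = "FRONTDESK-07"
STEALER = "C:\\Users\\reception\\AppData\\Roaming\\Booking\\booking-update.exe"

def _proc(ts, parent, image):
    return {"type": "process", "ts": ts, "host": HOST, "parent": parent, "image": image}

def _net(ts, image, dst, dport, **extra):
    return {"type": "network", "ts": ts, "host": HOST, "image": image, "dst": dst, "dport": dport, **extra}

SAMPLE_EVENTS = [
    _proc(1000, "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
          "C:\\Windows\\System32\\wscript.exe"),
    _proc(1005, "C:\\Windows\\System32\\wscript.exe", STEALER),
    _net(1050, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "www.example-booking.com", 443),
    _net(1100, STEALER, "originwealth.ydns.eu", 587),
    _net(1250, STEALER, "203.0.113.45", 80, method="POST",
         uri="/sew/inc/10a5031d37bc79.php", body="QUJD" * 200),
    _net(1400, STEALER, "originwealth.ydns.eu", 587),
    _net(1700, STEALER, "originwealth.ydns.eu", 587),
    _net(2000, STEALER, "originwealth.ydns.eu", 587),
]

if __name__ == "__main__":
    for ts, host, image, tags in triage(SAMPLE_EVENTS):
        print(ts, host, image, ", ".join(tags))
```

The domain and URI matches are the least durable rules here, since the post itself notes that infrastructure rotates; the process-tree, user-writable-path, and direct-SMTP rules survive rotation and are the ones worth keeping in a SIEM. The jitter threshold in beaconing is a tuning knob: Agent Tesla's fixed send interval sits well inside 20 percent, while browser traffic to the same site almost never does.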

What attackers gain

With Agent Tesla active, attackers can:

  • Take over email accounts
  • Access booking and payment platforms
  • Steal customer personal and financial data
  • Move laterally using stolen credentials
  • Sell access to other criminal groups

Even one infected employee can lead to a larger breach.


What to do if infection is suspected

Immediate steps

  1. Disconnect the affected system from the network
  2. Do not continue using the machine; every keystroke is still being logged until it is stopped
  3. Preserve evidence before wiping: event logs, the malware sample, browser and mail profiles, and a memory image if incident response capability exists

Cleanup and containment

  • Remove the malicious files and the persistence mechanism (Run registry key, scheduled task, or startup-folder entry)
  • Block the identified outbound destinations at the firewall and proxy
  • Reset every credential that was typed on or saved in the infected system, including passwords stored in browsers, email clients, FTP and VPN tools, since those are exactly what Agent Tesla harvests
  • Rebuild the system from a clean image rather than trusting cleanup alone

Follow-up actions

  • Review account activity for misuse
  • Revoke active sessions and force reauthentication for sensitive systems
  • Inform relevant internal teams or partners

Prevention measures that are effective

  • Enforce multi-factor authentication for email and booking systems
  • Block or quarantine executable, script, ISO, and HTML attachments at the mail gateway unless there is a business need, and inspect inside archives
  • Disable Office macros in files from the internet by policy
  • Block direct outbound SMTP and FTP from user endpoints; only the mail server should speak SMTP to the internet
  • Use endpoint security that detects behavior (process tree, file path, egress), not just known files
  • Train staff to verify unexpected booking-related emails through a second channel before opening attachments

Final assessment

Agent Tesla continues to succeed because it relies on social engineering rather than software flaws. In the travel sector, where staff are busy and emails from strangers are the norm, these phishing campaigns blend in easily.

Strong fundamentals — email security, outbound traffic controls, MFA, and user awareness — dramatically reduce the effectiveness of Agent Tesla. Organizations that invest in these basics are far less likely to suffer serious impact from this malware.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.