## Agent Tesla Sustains 18-Month Credential Theft Campaign Against LATAM Enterprises via Procurement-Themed Phishing
A sophisticated malware campaign leveraging the Agent Tesla infostealer has been targeting enterprises across Latin America for over 18 months, with particular focus on financial and procurement teams, according to threat analysis published on the any.run platform. The campaign employs procurement-themed phishing lures to deliver credential-harvesting payloads capable of compromising business email communications and cloud infrastructure, representing a persistent and organized threat to corporate financial operations throughout the region.

The technical execution chain begins with RAR archives containing JScript Encoded (.jse) droppers, which execute through wscript.exe to deploy PowerShell stagers. These stagers inject the Agent Tesla payload—delivered as ALTERNATE.dll—into the legitimate process aspnet_compiler.exe using process hollowing techniques. The malware loader employs multiple layers of protection, including .NET Reactor 6.x obfuscation, AES-256 encryption, and control flow virtualization, which significantly complicates static analysis and detection. The malware targets over 80 applications for credential theft, with exfiltration occurring via cleartext FTP to the infrastructure endpoint ftp.horeca-bucuresti.ro.

Organizations exposed to this campaign face multi-vector risk, including direct credential compromise, business email compromise (BEC) fraud, and potential cloud account takeovers. Security teams are advised to implement sandboxing for suspicious attachments, conduct regular awareness training emphasizing recognition of procurement-themed lures, and monitor outbound FTP traffic as a detection signal. The sustained 18-month operational timeline of the command-and-control infrastructure suggests a well-resourced actor maintaining persistent access to targeted networks, requiring ongoing vigilance rather than one-time remediation efforts.
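As an added illustration (not from the any.run analysis or this page), the following Python turns the execution chain and the FTP detection advice above into rules run over constructed telemetry. The event dictionaries, host names, file paths and the encoded-command placeholder are assumptions loosely modelled on Sysmon process-creation and network-connection events; only `wscript.exe`, `.jse`, PowerShell, `aspnet_compiler.exe` and `ftp.horeca-bucuresti.ro` come from the report.

```python
"""Detection rules for the reported Agent Tesla chain, run over constructed sample events."""

# Constructed sample telemetry (assumed field names, not a real log format).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\orden_compra_4471.jse"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <PLACEHOLDER_NOT_FROM_REPORT>"},
    {"host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",  # benign control row
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "EXCEL.EXE"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "dst_host": "ftp.horeca-bucuresti.ro", "dst_port": 21},
    {"host": "ws02", "dst_host": "login.microsoftonline.com", "dst_port": 443},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_process_chain(events):
    """Flag each stage of the reported chain: .jse via wscript, wscript -> PowerShell,
    PowerShell -> aspnet_compiler.exe (an unusual parent for that binary)."""
    findings = []
    for e in events:
        parent, image, cmd = basename(e["parent"]), basename(e["image"]), e["cmdline"].lower()
        if image == "wscript.exe" and ".jse" in cmd:
            findings.append((e["host"], "wscript_jse_dropper"))
        if image == "powershell.exe" and parent == "wscript.exe":
            findings.append((e["host"], "wscript_spawns_powershell"))
        if image == "aspnet_compiler.exe" and parent == "powershell.exe":
            findings.append((e["host"], "aspnet_compiler_hollowing_candidate"))
    return findings


def detect_cleartext_ftp(events, known_c2=("ftp.horeca-bucuresti.ro",)):
    """Any outbound TCP/21 is worth a look; a hit on the reported endpoint is higher priority."""
    findings = []
    for e in events:
        if e["dst_port"] == 21:
            tag = "ftp_known_c2" if e["dst_host"].lower() in known_c2 else "ftp_outbound_cleartext"
            findings.append((e["host"], tag))
    return findings
```

In production the process rules would be joined on host and time window so a single workstation showing all three stages scores higher than isolated hits.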
---
- **Source**: Mastodon:mastodon.social:#cybersecurity
- **Sector**: The Lab
- **Tags**: infostealer, credential-theft, LATAM, phishing, BEC
- **Credibility**: unverified
- **Published**: 2026-05-14 13:18:30
- **ID**: 83020
- **URL**: https://whisperx.ai/en/intel/83020