Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper.


Phishing Campaign

A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines.

"A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said.

Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information.

The loader, written in .NET, employs a technique called binary padding: it appends null bytes to inflate the file to 400 MB in an attempt to evade detection by security software.
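Binary padding works against scanners that give up on large files or that fingerprint the padded blob as a whole. A simple defensive check, added here as an example and not code from the Fortinet report, is to measure how much of a file is a single trailing run of null bytes, strip that run, and hash what remains; the stripped-body hash is the same no matter how much padding was appended. The thresholds and the sample file below are assumptions constructed for the demonstration.

```python
import hashlib
import random
import sys

# Assumed thresholds: files this large whose bytes are mostly one trailing
# null run are worth a closer look. Tune for your environment.
MIN_SUSPICIOUS_SIZE = 1_000_000
MIN_NULL_RATIO = 0.5


def trailing_null_ratio(data: bytes) -> float:
    """Fraction of the blob occupied by a run of 0x00 bytes at the very end."""
    if not data:
        return 0.0
    stripped = data.rstrip(b"\x00")
    return (len(data) - len(stripped)) / len(data)


def strip_padding(data: bytes) -> bytes:
    """Remove the trailing null run so the real body can be hashed or scanned."""
    return data.rstrip(b"\x00")


def looks_padded(data: bytes,
                 min_size: int = MIN_SUSPICIOUS_SIZE,
                 min_ratio: float = MIN_NULL_RATIO) -> bool:
    """Heuristic: large file whose bulk is a single trailing run of nulls."""
    return len(data) >= min_size and trailing_null_ratio(data) >= min_ratio


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def body_hash(data: bytes) -> str:
    """Hash of the file with padding removed; stable across padding sizes."""
    return sha256_hex(strip_padding(data))


# Constructed sample: a 2 KB pseudo-random "body" that ends in a non-null
# byte, followed by 2 MB of null padding, standing in for the 400 MB loader.
_rng = random.Random(0)
BODY = bytes(_rng.getrandbits(8) for _ in range(2048)) + b"\xff"
PADDED = BODY + b"\x00" * 2_000_000


def report(data: bytes) -> dict:
    """Summarise one blob so the results can be logged or asserted on."""
    return {
        "size": len(data),
        "trailing_null_ratio": round(trailing_null_ratio(data), 4),
        "padded": looks_padded(data),
        "raw_sha256": sha256_hex(data),
        "body_sha256": body_hash(data),
    }


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = PADDED
    for key, value in report(blob).items():
        print(f"{key}: {value}")
```

The raw hash of the padded file differs from that of the body, which is exactly why a padded copy slips past a hash-only block list; the body hash is what to record and share.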

The activation of the loader triggers a multi-stage process to establish persistence on the host and extract a dynamic-link library (DLL) that's responsible for unleashing the final payloads.

One among them is RedLine Clipper, a .NET executable for stealing cryptocurrencies by tampering with the user's system clipboard to substitute the destination wallet address with an attacker-controlled one.

"To carry out this operation, RedLine Clipper utilizes the 'OnClipboardChangeEventHandler' to regularly monitor clipboard changes and verify if the copied string conforms to the regular expression," Lin said.
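The clipper's whole trick is that the string read back from the clipboard is no longer the string the user copied, yet still looks like a valid address. The check below, an added example rather than code from the report, models that from the defender's side: it records what the user copied, compares it with what the clipboard later holds, and raises an alert when an address-shaped value has been replaced by a different address of the same family. The address regexes and the event stream are assumptions constructed for the demonstration; on a live host the "observe" samples would come from the operating system's clipboard API.

```python
import re

# Assumed address shapes (standard Bitcoin legacy, Bitcoin bech32 and
# Ethereum formats); a real deployment would cover whatever assets matter.
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family a clipboard string matches, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def detect_substitution(events):
    """Walk a sequence of clipboard events and flag silent address swaps.

    events: iterable of (kind, value) where kind is "copy" (the user put
    value on the clipboard) or "observe" (value was read back later).
    An alert is raised when an observed value differs from the last copy
    and both are addresses of the same family.
    """
    alerts = []
    last_copied = None
    for kind, value in events:
        if kind == "copy":
            last_copied = value
        elif kind == "observe" and last_copied is not None:
            expected_family = classify(last_copied)
            found_family = classify(value)
            if (expected_family is not None
                    and found_family == expected_family
                    and value != last_copied):
                alerts.append({
                    "family": expected_family,
                    "expected": last_copied,
                    "found": value,
                })
    return alerts


# Constructed sample values (not real wallets): the user's addresses and
# the ones a clipper would swap in.
USER_BTC = "1DemoAddrAAAAAAAAAAAAAAAAAAAAAAAAA"
SWAPPED_BTC = "1SwapAddrBBBBBBBBBBBBBBBBBBBBBBBBB"
USER_ETH = "0x" + "ab" * 20

# Constructed event stream: plain text is ignored, the Bitcoin address is
# altered between copy and paste, the Ethereum address is left untouched.
EVENTS = [
    ("copy", "see you at 3pm"),
    ("observe", "see you at 3pm"),
    ("copy", USER_BTC),
    ("observe", SWAPPED_BTC),
    ("copy", USER_ETH),
    ("observe", USER_ETH),
]


if __name__ == "__main__":
    for alert in detect_substitution(EVENTS):
        print(f"{alert['family']}: copied {alert['expected']} "
              f"but clipboard now holds {alert['found']}")
```

Comparing only values that match the same family keeps ordinary clipboard use quiet; the alert fires precisely on the behaviour the text describes, an address replaced by another address the user never copied.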

Agent Tesla, on the other hand, is a .NET-based remote access trojan (RAT) and data stealer used to gain initial access and exfiltrate sensitive information, such as keystrokes and login credentials saved in web browsers, to a command-and-control (C2) server over the SMTP protocol.

Also delivered is a new malware dubbed OriginBotnet, which packs in a wide range of features to collect data, establish communications with its C2 server, and download supplementary plugins from the server to execute keylogging or password recovery functions on compromised endpoints.



"The PasswordRecovery plugin retrieves and organizes the credentials of various browser and software accounts," Lin said. "It records these results and reports them via HTTP POST requests."

It's worth noting that Palo Alto Networks Unit 42, in September 2022, detailed an Agent Tesla successor called OriginLogger, which has features similar to those of OriginBotnet, suggesting that both could be the work of the same threat actor.

"This cyberattack campaign [...] involved a complex chain of events," Fortinet said. "It began with a malicious Word document distributed via phishing emails, leading victims to download a loader that executed a series of malware payloads. The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems."


Source: BarefootLawyers.
