Infostealer / RAT
Agent Tesla
aka AgentTesla · Negasteal
A long-running .NET infostealer and RAT sold as malware-as-a-service, specialising in credential theft, keylogging and exfiltration over SMTP/FTP/Telegram.
Agent Tesla is a commodity .NET infostealer with RAT features, sold and resold since 2014. Marketed openly as "monitoring software," it is one of the most frequently seen strains in phishing campaigns worldwide thanks to its low price and ease of use.
Capabilities
It harvests credentials from browsers and email clients, logs keystrokes, captures the clipboard and screenshots, and exfiltrates over SMTP, FTP, HTTP or Telegram. Newer builds add obfuscation and multi-stage loaders to evade detection.
Why it persists
Agent Tesla thrives on volume: it is cheap, generic, and constantly repacked. The logs it produces feed the broader infostealer economy and account takeover. A .NET unpacking guide lives on the Reverse Engineering Hub.
Defense
Block executable email attachments, enforce MFA, and alert on outbound SMTP/FTP/Telegram from endpoints.
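One way to express the outbound-traffic alert above, as an added example that is not part of the original page or any vendor's rule set. The log format, host names, process names and the process allowlist are constructed assumptions; the ports are the standard SMTP/FTP ports and api.telegram.org is Telegram's Bot API host.

```python
import csv
# Standard service ports for the protocols named above; Telegram via its Bot API host.
MAIL_PORTS = {25, 465, 587}
FTP_PORTS = {21}
TELEGRAM_HOSTS = {"api.telegram.org"}

# Assumption: site-specific allowlist of processes expected to use each channel.
APPROVED = {
    "smtp": {"outlook.exe", "thunderbird.exe"},
    "ftp": {"winscp.exe"},
    "telegram": set(),  # no endpoint process is expected to call the Bot API
}

# Constructed sample records: time,host,role,process,dest_host,dest_port
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,WS-014,endpoint,outlook.exe,smtp.example.com,587
2024-05-01T09:02:17Z,WS-022,endpoint,invoice_scan.exe,mail.example.net,587
2024-05-01T09:02:40Z,MX-01,server,postfix,mail.example.org,25
2024-05-01T09:03:05Z,WS-022,endpoint,invoice_scan.exe,ftp.example.net,21
2024-05-01T09:04:52Z,WS-031,endpoint,svc_update.exe,api.telegram.org,443
2024-05-01T09:05:10Z,WS-031,endpoint,chrome.exe,www.example.com,443
truncated-record
"""

def classify(dest_host, dest_port):
    """Map a destination to smtp/ftp/telegram, or None if out of scope."""
    host = dest_host.lower().rstrip(".")
    if host in TELEGRAM_HOSTS and dest_port == 443:
        return "telegram"
    if dest_port in MAIL_PORTS:
        return "smtp"
    if dest_port in FTP_PORTS:
        return "ftp"
    return None

def find_alerts(log_text):
    """Return (time, host, process, channel, dest) for unapproved endpoint traffic."""
    alerts = []
    for row in csv.reader(log_text.splitlines()):
        row = [field.strip() for field in row]
        if len(row) != 6 or not row[5].isdigit():
            continue  # skip malformed records instead of failing the whole run
        ts, host, role, process, dest_host, port = row
        if role != "endpoint":
            continue  # mail servers and relays legitimately send SMTP
        channel = classify(dest_host, int(port))
        if channel and process.lower() not in APPROVED[channel]:
            alerts.append((ts, host, process, channel, dest_host))
    return alerts
```

Keying the alert on the process as well as the destination keeps approved mail clients quiet while still flagging an unknown binary that speaks SMTP, FTP or the Telegram Bot API from a workstation.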