
AgentTesla's New Trick: A 5MB JavaScript Dropper With Four Layers of Obfuscation and a DonutLoader Payload

Published: March 12, 2026

Published: 2026-03-10
Author: GHOST -- Breakglass Intelligence
Tags: AgentTesla, DonutLoader, JavaScript, LOLBin, Telegram C2, credential stealer, MaaS
Read online: https://intel.breakglass.tech/post/agenttesla-donutloader-js-dropper-march-2026


TL;DR: A coordinated campaign delivering AgentTesla credential stealer was caught in the wild on March 10, 2026. The attack begins with a 5MB JavaScript dropper that uses four distinct obfuscation layers -- obfuscator.io string rotation, Unicode-to-CP437 byte mapping, "9-padding" string concealment, and a 347KB junk data blob designed purely to waste analyst time. The dropper chains through Windows Script Host COM objects, drops a PE payload to a predictable public directory, establishes registry persistence, and abuses the legitimate Scriptrunner.exe LOLBin to launch DonutLoader shellcode that unpacks AgentTesla entirely in memory. Exfiltrated credentials are shipped out over Telegram Bot API. At least five related samples were identified in a single-day campaign burst targeting shipping, logistics, and procurement organizations.


Background

AgentTesla is one of the most prolific commodity credential stealers in the threat landscape, sold as Malware-as-a-Service (MaaS) and used by a wide range of financially motivated threat actors. While the final payload is well-documented, the delivery mechanisms continue to evolve. This investigation documents a campaign that pairs a novel multi-layer JavaScript obfuscation scheme with DonutLoader shellcode execution and Telegram-based exfiltration -- a combination that pushes detection boundaries for organizations relying on static analysis or basic email gateway filtering.

The primary sample (SHA256: e813c38d77394e96cbe31d088798a866b6eadcf22342a5149a46844dc84e16f2) was first reported on MalwareBazaar on March 10, 2026 by researcher James_inthe_box. Sandbox analysis scored it 10/10 on Tria.ge, and vendor detections include ClamAV (Sanesecurity.Malware.31320), ReversingLabs (Script-JS.Trojan.Cryxos), and Kaspersky (Malware).

Key Findings

1. Four-Layer JavaScript Obfuscation

This is not a typical obfuscator.io wrapper. The threat actor has stacked four distinct obfuscation techniques into a single 5MB JavaScript file, each serving a different defensive purpose:

  • Layer 1 (obfuscator.io): Standard string table rotation with _0x58b9 decoder function and 12,249 string references
  • Layer 2 (Unicode byte mapping): 73 mapping entries converting Unicode codepoints (U+00A0-U+258C) back to CP437 raw byte values -- this is how the PE payload is encoded within the script
  • Layer 3 (9-padding): Configuration strings interleaved with blocks of 9 characters, decoded at runtime via split('99').join('')
  • Layer 4 (junk blob): Lines 1-825 contain 347,325 characters of repeating Unicode data assigned to a variable with an absurdly long name, contributing zero functional value but inflating the file to 5MB

The junk blob is the most interesting defensive measure. It uses only 10 unique non-ASCII characters in a repeating pattern across 4,950 fragments. Automated analysis tools that attempt to process the entire file waste cycles on this data, and manual analysts may abandon the file upon seeing the apparent complexity.
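The following analyst helpers reverse layers 2 to 4 as the report describes them. This is an added example, not code from the dropper or from Breakglass Intelligence. Assumptions: the dropper's own 73-entry codepoint table is not reproduced in the report, so Python's standard CP437 codec is used as the inverse mapping (it covers the same U+00A0-U+258C glyph range); the padding run length, the junk thresholds and every sample string are constructed for the demonstration.

```python
"""Reversal helpers for obfuscation layers 2-4 (added example, not the dropper's code)."""
import zlib

# Constructed even-length padding run. split('99') only strips padding cleanly
# when each run has an even number of nines; an odd run leaves one '9' behind.
PAD = "9" * 8


def pad_with_nines(s: str) -> str:
    """Build a test input: interleave a padding run between every character."""
    return PAD.join(s)


def strip_nine_padding(s: str) -> str:
    """Python equivalent of the dropper's split('99').join('')."""
    return "".join(s.split("99"))


def cp437_text_to_bytes(text: str) -> bytes:
    """Map CP437 glyphs (e.g. U+00A0 -> 0xFF, U+258C -> 0xDD) back to raw bytes.

    ASCII characters pass through unchanged, which is why a script only needs
    a lookup table for the non-ASCII range.
    """
    return text.encode("cp437")


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a recovered payload: the DOS 'MZ' header."""
    return blob[:2] == b"MZ"


def junk_blob_stats(blob: str) -> dict:
    """Measure how junk-like a large string literal is.

    The report's blob uses only 10 unique non-ASCII characters in a repeating
    pattern, so it has a tiny alphabet, is almost entirely non-ASCII, and
    compresses extremely well.
    """
    non_ascii = [c for c in blob if ord(c) > 0x7F]
    raw = blob.encode("utf-8")
    ratio = len(zlib.compress(raw)) / len(raw) if raw else 1.0
    return {
        "length": len(blob),
        "unique_non_ascii": len(set(non_ascii)),
        "non_ascii_fraction": round(len(non_ascii) / len(blob), 4) if blob else 0.0,
        "compression_ratio": round(ratio, 4),
    }


def is_junk_blob(blob: str, min_len: int = 100_000, max_unique: int = 16,
                 max_ratio: float = 0.05) -> bool:
    """Thresholds are constructed heuristics, not values from the report."""
    st = junk_blob_stats(blob)
    return (st["length"] >= min_len
            and 1 <= st["unique_non_ascii"] <= max_unique
            and st["non_ascii_fraction"] >= 0.9
            and st["compression_ratio"] <= max_ratio)


if __name__ == "__main__":
    # Layer 3: a constructed config string padded the way the report describes.
    padded = pad_with_nines("Scriptrunner.exe -appvscript")
    print(strip_nine_padding(padded))

    # Layer 2: a constructed 8-byte header encoded as CP437 glyphs, then recovered.
    glyphs = b"MZ\x90\x00\x03\x00\xff\xdd".decode("cp437")
    recovered = cp437_text_to_bytes(glyphs)
    print(recovered, looks_like_pe(recovered))

    # Layer 4: a constructed repeating blob with a 10-character alphabet.
    junk = "\u2591\u2592\u2593\u2588\u2584\u2580\u258c\u2590\u25a0\u25a1" * 500
    print(junk_blob_stats(junk), is_junk_blob(junk, min_len=1000))
```

The padding stripper inherits the scheme's own limitation: any configuration value that itself contains the digraph "99" would be corrupted, so a string that decodes to garbage is a hint that the split token differs in that sample. The junk heuristic is meant for triage of oversized string literals before the rest of the file is processed, which is exactly the analyst time the blob is designed to consume.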

2. LOLBin Abuse via Scriptrunner.exe

After dropping the PE payload to C:\Users\Public\Libraries\, the dropper does not execute it directly. Instead, it invokes Scriptrunner.exe -appvscript <payload_path>, abusing the legitimate Microsoft App-V Scriptrunner binary as a Living-off-the-Land Binary (LOLBin). This technique bypasses application whitelisting solutions that trust signed Microsoft binaries and evades behavioral detections that flag direct child process execution from WScript.

3. DonutLoader Shellcode Chain

The dropped PE is not AgentTesla itself but a DonutLoader shellcode packer. DonutLoader unpacks and executes the AgentTesla binary entirely in memory, leaving no additional artifacts on disk beyond the initial dropper. This two-stage approach (dropper to DonutLoader to final payload) significantly reduces the detection surface.

4. Telegram Bot API as Primary C2

Rather than the traditional SMTP or FTP exfiltration channels commonly associated with AgentTesla, this campaign uses Telegram Bot API as the primary exfiltration method. Six bot tokens were identified in ThreatFox, with creation dates spanning from December 2025 through March 2026:

Bot Token                                          First Reported
bot8581062014:AAELVYtJQrXBZGQq27PI1H4GchLS-hAB2e4  2026-03-03
bot8498302719:AAGngGyPNP9afNCU6d6F66SbcyU5QH20yFQ  2026-02-25
bot8512555116:AAG0X6w-tKKSElrCDhHIaPtXgy2wIRma4pg  2026-02-05
bot8393528187:AAHE-fyrLEN4E-tne4sqWpoJxCobZTMq5ME  2025-12-16
bot8194658562:AAEAkHGba5YUASDs5JFXv6GHA22t6IXyf9I  2025-12-15
bot8259516548:AAHq8gR23Gv1XmyhSw6mMk09ShNEYcVsQJA  2025-12-09

The 8xxx-series bot ID prefixes indicate these were created in the 2024-2026 timeframe. The rotation cadence (roughly monthly) suggests the operator creates new bots as old ones get flagged or banned.

5. Five-Sample Campaign Burst

This is not an isolated sample. At least five related JavaScript droppers and executable variants were submitted to MalwareBazaar on March 10, 2026 alone, indicating a coordinated campaign burst:

SHA256 (truncated)  Filename                              Size    Lure Theme
e813c38d...         792725328.js                          5.0 MB  Generic (our sample)
1dbe912c...         Bill of Lading Toll - TNGB7337093.JS  4.2 MB  Shipping/logistics
5992a834...         2610539900.js                         1.3 MB  Generic
e2f688b6...         Ramona_Vessel_Particulars_pdf.exe     1.2 MB  Maritime/shipping
43063e72...         Urgent Inquiry For Quotation.exe      1.2 MB  Procurement

The shipping and procurement lure themes are consistent with business email compromise (BEC) targeting supply chain and logistics organizations.

Attack Chain

The full execution flow proceeds through six distinct stages:

Stage 1: Email Delivery
  Victim receives spearphishing email with .JS attachment
  Lure themes: "Bill of Lading", "Vessel Particulars", "Urgent Inquiry For Quotation"

Stage 2: JavaScript Execution via WSH
  Double-click triggers WScript.exe (Windows Script Host)
  Script begins deobfuscation through 4-layer chain

Stage 3: COM Object Chain
  WScript.Shell (WWWNIA) -- command execution, registry writes
  Microsoft.XMLDOM -- base64 payload decoding (bin.base64 type)
  ADODB.Stream -- binary stream writing to disk
  Scripting.FileSystemObject -- file system operations

Stage 4: Payload Drop + Persistence
  PE binary written to C:\Users\Public\Libraries\<random>.exe
  Registry key created: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
  Value points to dropped EXE path (REG_SZ type)

Stage 5: LOLBin Execution
  Scriptrunner.exe -appvscript <dropped_payload_path>
  Legitimate Microsoft binary executes the malicious PE

Stage 6: In-Memory Payload
  DonutLoader shellcode unpacks AgentTesla in memory
  Keylogging, credential harvesting, screenshot capture, clipboard monitoring
  Exfiltration via Telegram Bot API (HTTPS to api[.]telegram[.]org)

Infrastructure Analysis

Command and Control

The campaign uses two distinct C2 channels:

Telegram Bot API (Primary Exfiltration)

All stolen credentials, screenshots, and keystrokes are exfiltrated via HTTPS POST requests to api[.]telegram[.]org using the bot tokens listed above. This approach has several advantages for the attacker: Telegram infrastructure is highly available, difficult to block without disrupting legitimate usage, and the Bot API provides a simple HTTP interface that requires no custom server infrastructure.

Compromised Web Panel (Secondary/Legacy)

A traditional AgentTesla web panel was identified at etvidanueva[.]com/photos/images/WebPanel/login.php:

Property        Value
Domain          etvidanueva[.]com
IP              198[.]187[.]31[.]148
ASN             AS22612 (Namecheap)
Server          LiteSpeed + cPanel (shared hosting)
Domain Created  2013-03-11
Open Ports      21, 53, 80, 443, 993, 2083

The domain was registered in 2013 and appears to be a compromised legitimate website rather than attacker-registered infrastructure. The open ports (FTP, DNS, HTTP/HTTPS, IMAP SSL, cPanel) are consistent with standard shared hosting, and the C2 panel is buried in a /photos/images/ directory that likely existed before compromise.

Payload Delivery Infrastructure

One sample references gl1g7tts-5500[.]euw[.]devtunnels[.]ms -- a Microsoft Dev Tunnels endpoint being abused for payload delivery. This is another LOLBin-style technique, using Microsoft's own tunneling infrastructure to host malicious payloads.

Actor OPSEC Profile

Despite the sophisticated obfuscation, the threat actor exhibits several consistent operational security failures:

  1. Distinctive variable naming: Names like TAXIELYOKUM, ELOULYASMAYL, LOUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUONIA, Bi33ddy, and kittul are unique fingerprints linkable across campaigns
  2. Consistent tooling: The same four-layer obfuscation technique appears across all campaign samples
  3. Predictable drop path: Always C:\Users\Public\Libraries\ -- never randomized
  4. Same COM object chain: Identical split('99').join('') pattern and ActiveXObject sequence in every sample
  5. Linguistic markers: Variable names suggest a non-native English speaker with possible Middle Eastern or South Asian background

Actor Timeline

Date        Activity
2025-12-09  Earliest Telegram bot token identified
2025-12-15  Additional bot tokens appear
2026-01-18  etvidanueva[.]com C2 first reported to ThreatFox
2026-01-21  Dev Tunnels payload delivery infrastructure reported
2026-02-05  New Telegram bot tokens deployed
2026-03-03  Latest Telegram bot token
2026-03-10  Campaign burst: 5+ JS droppers + EXE variants in single day

The three-month operational window with regular bot rotation suggests an active, ongoing campaign rather than a one-off deployment.

Detection

YARA Summary

Detection rules target the following artifacts:

  • JS Dropper Pattern: The combination of split('99').join('') pattern, Microsoft.XMLDOM COM creation, ADODB.Stream usage, and Scriptrunner.exe -appvscript execution within a single JavaScript file
  • Variable Fingerprint: The distinctive long variable name ZHMYKTJQGSBIXTQQCJJISDGYSHQWXGLDHFRBRYJOVGLXGDBUDZRVMZDXFACOPMIFW used for the junk blob and Unicode byte mapping table
  • Obfuscation Marker: The combination of _0x58b9 string decoder (obfuscator.io) with Unicode codepoint hex conversion (0123456789ABCDEF) in the same file
  • Drop Path Pattern: String references to C:\Users\Public\Libraries\ combined with HKCU\Software\Microsoft\Windows\CurrentVersion\Run
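A static triage script that expresses the four YARA bullets above as marker co-occurrence checks, for quick scoring of .js attachments. This is an added example, not a rule from the report and not the dropper's code. The marker strings are the ones the report lists; the rule combinations follow the four bullets; the regex details, the two fixture scripts (which only carry the marker strings and perform no action) and the output format are constructed.

```python
"""Static triage of a JavaScript attachment against the report's YARA summary (added example)."""
import re

FINGERPRINT_VAR = "ZHMYKTJQGSBIXTQQCJJISDGYSHQWXGLDHFRBRYJOVGLXGDBUDZRVMZDXFACOPMIFW"

# Individual markers. Backslashes in Windows paths are matched with \\+ so a
# pattern hits both "C:\Users\..." and the escaped "C:\\Users\\..." form that
# appears inside a JavaScript string literal.
MARKERS = {
    "nine_padding_decode": re.compile(r"""split\(\s*['"]99['"]\s*\)\s*\.\s*join\(\s*['"]['"]\s*\)"""),
    "xmldom_com": re.compile(r"Microsoft\.XMLDOM", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "scriptrunner_appvscript": re.compile(r"Scriptrunner\.exe\s+-appvscript", re.I),
    "fingerprint_variable": re.compile(re.escape(FINGERPRINT_VAR)),
    "obfuscator_io_decoder": re.compile(r"\b_0x58b9\b"),
    "hex_digit_table": re.compile(r"0123456789ABCDEF"),
    "public_libraries_path": re.compile(r"C:\\+Users\\+Public\\+Libraries", re.I),
    "hkcu_run_key": re.compile(r"Software\\+Microsoft\\+Windows\\+CurrentVersion\\+Run", re.I),
}

# Rule -> set of markers that must all be present (the report's four bullets).
RULES = {
    "js_dropper_pattern": {"nine_padding_decode", "xmldom_com", "adodb_stream", "scriptrunner_appvscript"},
    "variable_fingerprint": {"fingerprint_variable"},
    "obfuscation_marker": {"obfuscator_io_decoder", "hex_digit_table"},
    "drop_path_pattern": {"public_libraries_path", "hkcu_run_key"},
}


def scan_source(source: str) -> dict:
    """Return which markers and which composite rules fire on a script's text."""
    hits = {name for name, rx in MARKERS.items() if rx.search(source)}
    fired = sorted(rule for rule, needed in RULES.items() if needed <= hits)
    return {"markers": sorted(hits), "rules": fired}


# Constructed fixture carrying only the marker strings; it performs no action.
SUSPICIOUS_FIXTURE = r"""
var ZHMYKTJQGSBIXTQQCJJISDGYSHQWXGLDHFRBRYJOVGLXGDBUDZRVMZDXFACOPMIFW = "";
var _0x58b9 = function () {};
var t = "0123456789ABCDEF";
var p = "C:\\Users\\Public\\Libraries\\";
var k = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
var c = "Scriptrunner.exe -appvscript";
var o = ["Microsoft.XMLDOM", "ADODB.Stream"];
var d = "9x99y99".split('99').join('');
"""

# Constructed benign fixture: legitimate admin scripts also use ADODB.Stream,
# so a single marker must not be enough to fire a rule.
BENIGN_FIXTURE = r"""
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1;
var fso = new ActiveXObject("Scripting.FileSystemObject");
"""

if __name__ == "__main__":
    print(scan_source(SUSPICIOUS_FIXTURE))
    print(scan_source(BENIGN_FIXTURE))
```

Requiring the full marker set per rule keeps the false-positive rate down: ADODB.Stream and Scripting.FileSystemObject are common in legitimate logon scripts, while the combination of runtime split/join decoding, XMLDOM base64 handling and a Scriptrunner.exe -appvscript launch string has no ordinary reason to share a file.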

Suricata Summary

Network detection rules cover:

  • Telegram Bot Exfiltration: HTTP POST requests to api.telegram.org/bot8581062014, bot8498302719, or bot8512555116 containing AgentTesla-pattern data
  • C2 Panel Communication: HTTP traffic to etvidanueva[.]com matching the /photos/images/WebPanel/ path structure
  • Dev Tunnels Abuse: DNS resolution or HTTP traffic to *.euw.devtunnels.ms subdomains from endpoints that should not be using developer tunnels
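The same three network rules applied to proxy log lines, for environments that have web-proxy logs but no Suricata sensor. This is an added example, not a Suricata rule and not tooling from the report. The bot IDs, the Dev Tunnels host and the panel path are the report's indicators (kept defanged in the constants and refanged at runtime so they match real log data); the log layout, the client IPs, the placeholder tokens and the severities are constructed. It goes one step beyond the summary by also flagging POSTs to unlisted bot IDs at medium severity, because the report observes roughly monthly bot rotation.

```python
"""Proxy-log triage for the report's network indicators (added example, constructed log format)."""
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn the report's defanged form ('[.]') back into a matchable hostname."""
    return ioc.replace("[.]", ".")


# Bot IDs from the report's Telegram token table.
KNOWN_BOT_IDS = {"8581062014", "8498302719", "8512555116",
                 "8393528187", "8194658562", "8259516548"}
DEVTUNNEL_HOST = refang("gl1g7tts-5500[.]euw[.]devtunnels[.]ms")
PANEL_HOST = refang("etvidanueva[.]com")
PANEL_PATH_PREFIX = "/photos/images/WebPanel/"

# Constructed log layout: <timestamp> <client-ip> <method> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
BOT_PATH_RE = re.compile(r"^/bot(\d+)(?::|/)")


def classify(line: str):
    """Return an alert dict for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    alert = None
    if host == "api.telegram.org":
        bm = BOT_PATH_RE.match(url.path)
        if bm and bm.group(1) in KNOWN_BOT_IDS:
            alert = ("telegram_known_bot", "high", f"bot id {bm.group(1)}")
        elif bm and m["method"] == "POST":
            alert = ("telegram_bot_post", "medium", f"unlisted bot id {bm.group(1)}")
    elif host == DEVTUNNEL_HOST:
        alert = ("devtunnels_payload_host", "high", host)
    elif host.endswith(".euw.devtunnels.ms"):
        alert = ("devtunnels_endpoint", "medium", host)
    elif host == PANEL_HOST and url.path.startswith(PANEL_PATH_PREFIX):
        alert = ("agenttesla_web_panel", "high", url.path)
    if alert is None:
        return None
    rule, severity, detail = alert
    return {"ts": m["ts"], "src": m["src"], "rule": rule, "severity": severity, "detail": detail}


def triage(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [a for a in (classify(line) for line in lines) if a]


# Constructed sample lines; the tokens are placeholders, not the real ones.
SAMPLE_LOG = [
    "2026-03-10T09:14:02Z 10.20.30.41 POST https://api.telegram.org/bot8581062014:PLACEHOLDER_TOKEN/sendDocument",
    f"2026-03-10T09:14:05Z 10.20.30.41 GET https://{DEVTUNNEL_HOST}/",
    f"2026-03-10T09:15:11Z 10.20.30.77 GET http://{PANEL_HOST}/photos/images/WebPanel/login.php",
    "2026-03-10T09:16:40Z 10.20.30.90 GET https://www.example.com/index.html",
    "2026-03-10T09:17:03Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN/sendMessage",
    "2026-03-10T09:18:22Z 10.20.30.55 GET https://abcd1234-8080.euw.devtunnels.ms/update.bin",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a)
```

Grouping the output by source IP is the natural next step: the constructed sample shows one client (10.20.30.41) hitting both a known bot token and the Dev Tunnels host within seconds, which is the endpoint to isolate first.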

IOCs (Defanged)

Network Indicators

# Telegram Bot C2 (exfiltration)
api[.]telegram[.]org/bot8581062014:AAELVYtJQrXBZGQq27PI1H4GchLS-hAB2e4/
api[.]telegram[.]org/bot8498302719:AAGngGyPNP9afNCU6d6F66SbcyU5QH20yFQ/
api[.]telegram[.]org/bot8512555116:AAG0X6w-tKKSElrCDhHIaPtXgy2wIRma4pg/

# Web panel C2
etvidanueva[.]com (198[.]187[.]31[.]148, AS22612 Namecheap)
etvidanueva[.]com/photos/images/WebPanel/login.php

# Payload delivery
gl1g7tts-5500[.]euw[.]devtunnels[.]ms

File Indicators

# Primary sample (JS dropper)
SHA256: e813c38d77394e96cbe31d088798a866b6eadcf22342a5149a46844dc84e16f2
SHA1:   a17f915437167987ec83c108a73427ff7ab0c0f0
MD5:    ac0502103294b4ec884ec6e3673d0807

# Related campaign samples
SHA256: 1dbe912cb021358dfa0a1fe56d03647c6245ed0f1af2e041b6a2ec6af3528a5f
SHA256: 5992a834e1bcdd68b42024c54a1e90367d8922aac7d8d3a8ffdd21fbe12e186d
SHA256: 03ef900249f9237d80ac65c42b5a17784183b1c67525e6799ec7cdb76e77bc3e
SHA256: e2f688b63574e73861df42ff4f7802da67f97c2f2d1f6436ab3212287e0762ab
SHA256: 43063e72f4684d346da8b8404d32ba8fd8be7565dd77e0a92faf0a50e792ad55

Host Indicators

# Drop path
C:\Users\Public\Libraries\*.exe

# Persistence
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ (REG_SZ value pointing to drop path)

# LOLBin execution
Scriptrunner.exe -appvscript <payload_path>

# COM objects (in JS context)
WScript.Shell
Microsoft.XMLDOM
ADODB.Stream
Scripting.FileSystemObject

# Obfuscation fingerprint variable
ZHMYKTJQGSBIXTQQCJJISDGYSHQWXGLDHFRBRYJOVGLXGDBUDZRVMZDXFACOPMIFW

MITRE ATT&CK Mapping

Tactic               Technique                          ID         Notes
Initial Access       Spearphishing Attachment           T1566.001  JS file via email with shipping/procurement lures
Execution            JavaScript                         T1059.007  WSH JavaScript dropper
Execution            PowerShell                         T1059.001  Observed in sandbox execution of related samples
Execution            System Binary Proxy Execution      T1218      Scriptrunner.exe LOLBin
Persistence          Registry Run Keys                  T1547.001  HKCU Run key with dropped EXE path
Defense Evasion      Obfuscated Files or Information    T1027      Four-layer JS obfuscation
Defense Evasion      Software Packing                   T1027.002  DonutLoader shellcode packing
Defense Evasion      Deobfuscate/Decode Files           T1140      Runtime split/join + XMLDOM base64 decode
Credential Access    Keylogging                         T1056.001  AgentTesla keystroke capture
Credential Access    Credentials from Password Stores   T1555      Browser, email, FTP credential theft
Discovery            System Information Discovery       T1082      Location, process, language enumeration
Collection           Screen Capture                     T1113      Periodic screenshot capture
Collection           Clipboard Data                     T1115      Clipboard monitoring
Exfiltration         Over C2 Channel                    T1041      Telegram Bot API exfiltration
Command and Control  Web Protocols                      T1071.001  HTTPS to Telegram API

Recommendations

Immediate (24-48 hours)

  • Block the identified Telegram bot tokens at your web proxy or CASB. If full Telegram blocking is not feasible, alert on api.telegram.org/bot8581062014, bot8498302719, and bot8512555116 patterns.
  • Create EDR alerts for Scriptrunner.exe execution with the -appvscript flag -- this is almost never used in legitimate operations.
  • Hunt for files dropped to C:\Users\Public\Libraries\ across your endpoint fleet.
  • Block .js file execution via WScript from email attachment paths (e.g., Outlook temp directories).

Short-term (1-2 weeks)

  • Add etvidanueva[.]com and gl1g7tts-5500.euw.devtunnels.ms to DNS blocklists.
  • Audit HKCU Run keys for entries pointing to C:\Users\Public\Libraries\ across all endpoints.
  • Review email gateway logs for JavaScript attachments with shipping or procurement themes from the past 30 days.
  • Submit abuse reports to Namecheap (for etvidanueva[.]com) and Telegram (for the identified bot IDs).
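The three host-side hunts from the Immediate and Short-term lists (Scriptrunner.exe with -appvscript, executables written under C:\Users\Public\Libraries\, and Run-key values pointing into that directory), expressed as checks over endpoint telemetry. This is an added example, not an EDR rule from the report. Field names follow Sysmon's (Image, CommandLine, ParentImage, TargetFilename, TargetObject, Details), but the events, the file name, the SID and the severities are constructed.

```python
"""Endpoint-telemetry triage for the report's host indicators (added example, constructed events)."""
import re

# Lower-cased drop directory from the report, with a trailing backslash so
# "c:\users\public\libraries-other\" does not match.
DROP_DIR = "c:\\users\\public\\libraries\\"

# Matches the Run key whether the telemetry writes HKCU\... or HKU\<SID>\...
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
APPVSCRIPT_RE = re.compile(r"(?:^|\s)-appvscript(?:\s|$)", re.I)
WSH_IMAGES = ("\\wscript.exe", "\\cscript.exe")


def in_drop_dir(path: str) -> bool:
    return path.lower().startswith(DROP_DIR)


def check_event(ev: dict):
    """Return an alert dict for one event, or None."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("\\scriptrunner.exe") and APPVSCRIPT_RE.search(cmd):
            detail = "Scriptrunner.exe launched with -appvscript"
            if ev.get("ParentImage", "").lower().endswith(WSH_IMAGES):
                detail += " by Windows Script Host"
            return {"rule": "scriptrunner_appvscript", "severity": "high",
                    "detail": detail, "evidence": cmd}
    elif eid == 11:  # file creation
        target = ev.get("TargetFilename", "")
        if in_drop_dir(target) and target.lower().endswith(".exe"):
            return {"rule": "exe_in_public_libraries", "severity": "high",
                    "detail": "executable written to report's drop path", "evidence": target}
    elif eid == 13:  # registry value set
        key, data = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(key) and DROP_DIR in data.lower():
            return {"rule": "run_key_to_public_libraries", "severity": "high",
                    "detail": "Run value points into drop path", "evidence": f"{key} -> {data}"}
    return None


def triage_events(events):
    return [a for a in (check_event(e) for e in events) if a]


# Constructed events in the order the report's attack chain would produce them,
# followed by two benign events that must not fire.
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WSCRIPT, "ParentImage": "C:\\Program Files\\Example Mail\\mail.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\jdoe\\Downloads\\invoice.js"'},
    {"EventID": 11, "Image": WSCRIPT, "TargetFilename": "C:\\Users\\Public\\Libraries\\xkcd9012.exe"},
    {"EventID": 13, "Image": WSCRIPT,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xkcd9012",
     "Details": "C:\\Users\\Public\\Libraries\\xkcd9012.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ScriptRunner.exe", "ParentImage": WSCRIPT,
     "CommandLine": "ScriptRunner.exe -appvscript C:\\Users\\Public\\Libraries\\xkcd9012.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Example\\updater.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Program Files\\Example\\updater.exe" --check'},
    {"EventID": 13, "Image": "C:\\Program Files\\Example\\updater.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\Example\\updater.exe"},
]

if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(a)
```

Each check stands on its own because the report notes the LOLBin step is designed to break the WScript-to-child-process link that behavioural rules usually key on; the Run-key and drop-path checks still fire even where the Scriptrunner.exe event is missing from the telemetry.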

Medium-term (1-3 months)

  • Implement application whitelisting to prevent WSH script execution from user-writable paths.
  • Add Scriptrunner.exe to your LOLBin monitoring alongside mshta.exe, certutil.exe, and regsvr32.exe.
  • Evaluate blocking outbound Telegram API access from endpoints where it is not a business requirement.
  • Consider disabling Windows Script Host entirely via Group Policy if JavaScript execution is not required.

GHOST -- Breakglass Intelligence Automated threat intelligence. Zero analyst fatigue.
