
AgentTesla v3: Five-Stage JavaScript Dropper Exfiltrates Credentials via Ukrainian SMTP Infrastructure

A long-running credential theft operation traces back to March 2024, with a FASTPANEL-managed C2 server in Kyiv still actively receiving stolen data

Published: March 12, 2026
Tags: AgentTesla, Infostealer, SMTP Exfiltration, Process Hollowing, Credential Theft, Ukraine Infrastructure

Overview

Breakglass Intelligence analyzed a fully weaponized AgentTesla v3 credential-stealing campaign delivered via an obfuscated JavaScript dropper on March 12, 2026. The infection chain spans five stages: an obfuscated 1.3MB JS dropper, multi-layer XOR-decrypted PowerShell, a reflective .NET assembly loader, a process-hollowing injector, and the final AgentTesla payload.

The stealer exfiltrates harvested credentials via SMTP to kc@cottondreams.org using a Ukrainian VPS at 31.222.235.198 (NETH LLC, Kyiv, AS202302). The threat actor uses a FASTPANEL hosting control panel for server management. Campaign siblings trace back to January 2025, with the infrastructure domain registered in March 2024 -- indicating a persistent, long-running operation that has been active for nearly two years.

The malware targets an extraordinarily broad credential surface: 40+ browsers, 20+ email clients, 10+ FTP clients, VPN software, Discord tokens, and Windows Credential Manager vaults. At time of analysis, the C2 server was actively responding on all ports.

Sample Metadata

| Field | Value |
|---|---|
| SHA256 | 99ef1d7248d7c0cd7ce3b10213a17336797951c4b1cef0a4c1d03330e4c95a5a |
| MD5 | b78e6df5cd46adfe6472ccd1edc3bff0 |
| SHA1 | 85f23b01186c371111e87bbdbc1e950c60df7cd6 |
| File Type | Obfuscated JavaScript |
| File Size | 1,316,775 bytes (1.3 MB) |
| First Seen | 2026-03-12 17:15:04 UTC |
| VT Detections | 14/76 (dropper), 61/76 (final payload) |
| Family | AgentTesla v3 |
| Delivery | Spear phishing (fake purchase orders) |

Stage Hashes

| Stage | SHA256 | Size | VT |
|---|---|---|---|
| Stage 1 (JS dropper) | 99ef1d7248d7c0cd7ce3b10213a17336797951c4b1cef0a4c1d03330e4c95a5a | 1.3 MB | 14/76 |
| Stage 4 (DEV.dll injector) | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | 47 KB | 22/76 |
| Stage 5 (AgentTesla) | af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7 | 240 KB | 61/76 |

The Five-Stage Infection Chain

Stage 1: Obfuscated JavaScript Dropper

The initial sample is a 1.3MB single-line JavaScript file with multi-layer obfuscation. A string table containing 166 encoded entries is decoded at runtime using custom Base64/XOR encoding. Anti-debugging timing checks via Date.now() are embedded to detect analysis environments. The dropper runs via Windows Script Host (WScript.exe) and hands off to an embedded PowerShell payload.

Stage 2: Multi-Layer PowerShell Decryptor

The embedded PowerShell payload (980KB) implements a five-layer decryption pipeline:

  1. Base64 decode of a 1.3-million-character string
  2. Custom rotational XOR cipher with an embedded key
  3. Second XOR pass with a derived key
  4. Byte array reconstruction
  5. Reflective .NET assembly loading via Assembly::Load()

The rotational XOR applies position-dependent key material, producing a non-repeating keystream that defeats simple pattern matching and frequency analysis.

Stage 3: Reflective .NET Assembly Loader

The 721KB decrypted PowerShell script contains three key functions:

  • Invoke-AssemblyExecution: Loads a .NET assembly from a byte array via reflection and invokes a specified method
  • Test-ProcessAbsence: Checks if Aspnet_compiler is running (persistence guard)
  • Start-MonitoringCycle: Main loop that spawns the injector if the target process is absent

It invokes DEV.DOWN.SHOOT in the Stage 4 assembly, passing the Stage 5 payload as a byte array argument.

Stage 4: Process Hollowing Injector (DEV.dll)

The 47KB .NET DLL (namespace DEV.DOWN, method SHOOT) creates a suspended aspnet_compiler.exe process, unmaps its memory, maps the Stage 5 payload, and resumes execution. This is the same DEV.DOWN injector seen in PhantomStealer campaigns -- a shared component across MaaS ecosystems.

Stage 5: AgentTesla v3

The final 240KB .NET assembly is the AgentTesla v3 infostealer. Key identifiers:

  • Compile target: e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe (GUID-based name for anti-forensic purposes)
  • Persistence name: GLOZVJ.exe in %APPDATA%\GLOZVJ\
  • Runtime: Executed hollow inside aspnet_compiler.exe

C2 Configuration

The C2 configuration was extracted from the .NET User Strings Heap:

| Field | Value |
|---|---|
| Protocol | SMTP (port 587, STARTTLS) |
| Server | mail.cottondreams.org |
| Sender | mail@cottondreams.org |
| Recipient | kc@cottondreams.org |
| SSL | Enabled |

Exfiltration emails are HTML-formatted with subject lines containing victim hostname, IP, username, and OS version. Attachments are organized by type: PW (passwords), KL (keylog), SC (screenshot), CP (clipboard).
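The User Strings (#US) heap the configuration above was pulled from is a simple length-prefixed list of UTF-16LE strings, which is why embedded SMTP settings are so easy to recover during triage. The parser below is an added example written for this report, not tooling from the analysis itself; it assumes the #US heap has already been carved from the metadata root, and the sample heap and the mail-pattern heuristics are constructed here.

```python
import re
import struct

def _encode_us_entry(s: str) -> bytes:
    """Build one #US entry: compressed length, UTF-16LE text, trailing flag byte (ECMA-335 II.24.2.4)."""
    data = s.encode("utf-16-le") + b"\x00"
    n = len(data)
    if n < 0x80:
        return bytes([n]) + data
    if n < 0x4000:
        return struct.pack(">H", 0x8000 | n) + data
    return struct.pack(">I", 0xC0000000 | n) + data

# Constructed sample heap (not carved from the real binary): the leading 0x00 is the
# mandatory empty first entry; the strings are the values the report quotes.
SAMPLE_US_HEAP = b"\x00" + b"".join(_encode_us_entry(s) for s in (
    "mail.cottondreams.org", "587", "mail@cottondreams.org",
    "kc@cottondreams.org", "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)) + b"\x00\x00\x00"  # heaps are padded to a 4-byte boundary

def _read_compressed_uint(buf: bytes, off: int):
    """ECMA-335 II.23.2 compressed unsigned integer: 1, 2 or 4 bytes, big-endian."""
    b0 = buf[off]
    if b0 & 0x80 == 0:
        return b0, off + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | buf[off + 1], off + 2
    return ((b0 & 0x1F) << 24) | (buf[off + 1] << 16) | (buf[off + 2] << 8) | buf[off + 3], off + 4

def parse_us_heap(heap: bytes) -> list:
    """Return every user string in a #US heap, in heap order."""
    strings, off = [], 1          # skip the empty entry at offset 0
    while off < len(heap):
        n, off = _read_compressed_uint(heap, off)
        if n == 0:                # zero-length blob or trailing padding
            continue
        blob, off = heap[off:off + n], off + n
        strings.append(blob[:-1].decode("utf-16-le", errors="replace"))  # drop the flag byte
    return strings

EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
HOST = re.compile(r"^(?:mail|smtp)\.[\w-]+(?:\.[\w-]+)+$", re.I)

def extract_smtp_config(heap: bytes) -> dict:
    """Triage heuristic: pull mail-looking hosts, addresses and port numbers from the heap."""
    found = {"hosts": [], "emails": [], "ports": []}
    for s in parse_us_heap(heap):
        if EMAIL.match(s):
            found["emails"].append(s)
        elif HOST.match(s):
            found["hosts"].append(s)
        elif s.isdigit() and 0 < int(s) < 65536:
            found["ports"].append(int(s))
    return found
```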

Credential Harvesting: Total Coverage

AgentTesla v3 targets an unusually comprehensive credential surface.

Browsers (40+)

Chrome, Firefox, Edge Chromium, Opera, Brave, Vivaldi, Yandex Browser, Waterfox, SeaMonkey, PaleMoon, UC Browser, Torch, Kometa, 7Star, Iridium, Amigo, CentBrowser, Comodo Dragon, and many more. Browser credential decryption handles both modern Chromium v80+ (BCrypt AES-GCM for Local State keys) and legacy browsers (DPAPI ProtectedData.Unprotect), plus Firefox's NSS-based key4.db/key3.db formats.

Email Clients (20+)

Outlook (all versions 11.0 through 16.0), Thunderbird, The Bat!, Opera Mail, Eudora, IncrediMail, FoxMail, Mailbird, Claws Mail, eM Client, Becky!, Postbox, Windows Mail, SeaMonkey Mail.

FTP/File Transfer (10+)

FileZilla, CoreFTP, WinSCP, SmartFTP, FlashFXP, FTP Navigator, WS_FTP, FTP Commander, FTPGetter, FTP Commander Deluxe.

VPN

OpenVPN (config files + registry), NordVPN (user.config), Private Internet Access (account.json).

Remote Access / VNC

RealVNC 3.x and 4.x, TightVNC, TigerVNC, UltraVNC.

Messaging

Discord token scraping via regex [\w-]{24}\.[\w-]{6}\.[\w-]{27}, Pidgin, Trillian, Paltalk, Psi/Psi+.

Other

MySQL Workbench, JDownloader 2.0, DynDNS, Windows Credential Manager (all 8 vault GUIDs), IE/Edge credential vault.

Persistence and Surveillance Modules

Registry Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GLOZVJ
→ %APPDATA%\GLOZVJ\GLOZVJ.exe

Keylogger

Installs a WH_KEYBOARD_LL low-level keyboard hook that captures all keystrokes with active window titles. Output is logged in HTML format: <b>[ WindowTitle ]</b> (timestamp).

Screenshot Capture

Uses the CopyFromScreen GDI method at configurable intervals, saving as JPEG with timestamped filenames.

Clipboard Monitoring

Hooks the clipboard via SetClipboardViewer and exfiltrates content to the C2.

Public IP Discovery

Queries an external IP-check service (PublicIpAddressGrab) and includes the victim's public IP in every exfiltration email header.

C2 Infrastructure Deep Dive

Server Profile: 31.222.235.198

| Field | Value |
|---|---|
| Country | Ukraine (Kyiv) |
| ISP | NETH LLC |
| ASN | AS202302 |
| Hosting | netx.com.ua (Ukrainian VPS) |
| OS | Ubuntu Linux |
| MTA | Exim 4.95 |
| IMAP/POP | Dovecot |
| Web | nginx 1.28.0 |
| Panel | FASTPANEL (ports 7777, 8888) |
| TLS CN | dedaGLmj.netx.com.ua (self-signed) |

The server runs a full mail stack: SMTP (ports 25/465/587), IMAP (143/993), POP3 (110/995). FASTPANEL -- a Russian-developed web hosting control panel widely used by post-Soviet hosting providers -- is exposed on ports 7777 and 8888. The TLS certificate CN dedaGLmj.netx.com.ua reveals the hosting provider netx.com.ua, bypassing the Namecheap/Cloudflare privacy layer.

Domain Intelligence: cottondreams.org

| Field | Value |
|---|---|
| Registrar | Namecheap |
| Registered | 2024-03-24 |
| Expires | 2026-03-24 |
| DNS | Cloudflare |
| VT Detections | 5/94 |
| Certificates | 109 certs via crt.sh |

Notable certificate transparency subdomains: mail.cottondreams.org (C2 SMTP), server.cottondreams.org (additional endpoint), and a suspicious cross-domain cert for cottondreams.org.auss-rite.store.

Campaign Timeline and Longevity

| Date | Event |
|---|---|
| 2024-03-24 | cottondreams.org registered; Let's Encrypt certs issued same day |
| 2025-01-23 | Campaign sibling Wipfztftom.exe first seen on VT |
| 2026-03-12 | Current JS dropper submitted to MalwareBazaar |
| 2026-03-12 | C2 server actively responding on all ports |

The January 2025 sibling sample (Wipfztftom.exe, aka PO For Quote No 228 for lab Furnitures.com, 53/75 VT) confirms the actor has been using the same infrastructure for over a year -- no domain rotation, no IP changes. This operational consistency is both an OPSEC failure for the actor and a detection advantage for defenders.

Attribution

| Attribute | Assessment | Confidence |
|---|---|---|
| Malware Family | AgentTesla v3 (MaaS) | HIGH |
| Delivery | Spear phishing, fake PO/invoice lures | HIGH |
| Infrastructure | Ukrainian VPS (NETH LLC, AS202302, Kyiv) | HIGH |
| Panel | FASTPANEL (Russian-developed) | HIGH |
| Language/Region | Russian-speaking (probable) | MEDIUM |
| Motivation | Financial -- credential theft | HIGH |

OPSEC Mistakes

  1. Plaintext credentials in binary: SMTP credentials stored in .NET user strings heap -- trivially extractable
  2. Direct IP resolution: Despite Cloudflare DNS, mail.cottondreams.org resolves directly to the server IP
  3. FASTPANEL exposure: Management panel on ports 7777/8888 exposed to the internet with a self-signed certificate
  4. No infrastructure rotation: Same domain and IP in use since March 2024
  5. Certificate CN leak: dedaGLmj.netx.com.ua reveals the actual hosting provider behind Cloudflare

MITRE ATT&CK TTPs

| ID | Technique | Implementation |
|---|---|---|
| T1566.001 | Spear Phishing Attachment | .js file disguised as business document |
| T1059.007 | JavaScript | Stage 1 obfuscated JS dropper |
| T1059.001 | PowerShell | Stages 2-3 multi-layer PS1 execution |
| T1027 | Obfuscated Files or Information | 5-stage obfuscation chain |
| T1027.010 | Command Obfuscation | Base64 + XOR encoding |
| T1620 | Reflective Code Loading | Stage 3: Assembly::Load() |
| T1055.012 | Process Hollowing | Hollows aspnet_compiler.exe |
| T1547.001 | Registry Run Keys | HKCU Run key for GLOZVJ.exe |
| T1056.001 | Keylogging | WH_KEYBOARD_LL hook |
| T1113 | Screen Capture | GDI CopyFromScreen |
| T1115 | Clipboard Data | SetClipboardViewer hook |
| T1555.003 | Credentials from Web Browsers | 40+ browser credential harvesting |
| T1555 | Credentials from Password Stores | Windows Credential Manager |
| T1552.001 | Credentials in Files | FTP/email/VPN config file parsing |
| T1528 | Steal Application Access Token | Discord token regex extraction |
| T1020 | Automated Exfiltration | SMTP exfil at configurable intervals |
| T1071.003 | Application Layer Protocol: Mail | SMTP for C2 exfiltration |
| T1082 | System Information Discovery | CPU, RAM, OS, MAC, IP collection |

IOC Tables

File Hashes

| SHA256 | MD5 | Family |
|---|---|---|
| 99ef1d7248d7c0cd7ce3b10213a17336797951c4b1cef0a4c1d03330e4c95a5a | b78e6df5cd46adfe6472ccd1edc3bff0 | JS Loader |
| 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | 061c1eed62c8326f2c8052851090f33d | DEV.dll Injector |
| af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7 | 71d57788cede0516516dae01575e2331 | AgentTesla v3 |
| b2059d59922556f2677361a44d5b1c0a4422654e1f8e1af8f311771c4cf818d2 | -- | Campaign sibling |

Network Indicators

| Indicator | Type | Context |
|---|---|---|
| 31.222.235.198 | IPv4 | C2 SMTP server (Kyiv, UA) |
| mail.cottondreams.org | Domain | C2 SMTP hostname |
| cottondreams.org | Domain | C2 parent domain |
| server.cottondreams.org | Domain | Additional C2 subdomain |
| kc@cottondreams.org | Email | Exfil recipient |
| mail@cottondreams.org | Email | SMTP auth account |

Host Indicators

| Indicator | Type | Context |
|---|---|---|
| %APPDATA%\GLOZVJ\GLOZVJ.exe | File path | Persistence location |
| HKCU\...\Run\GLOZVJ | Registry | Autorun key |
| e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe | Filename | Dropped payload GUID name |
| aspnet_compiler.exe | Process | Process hollowing host |
| DEV.DOWN | .NET class | Injector type name |

Detection Guidance

Email Gateway

  • Block/alert on emails with .js attachments
  • Block outbound SMTP to mail.cottondreams.org / 31.222.235.198
  • Monitor for emails matching the AgentTesla subject pattern: [Hostname]/[Username]/[IP]

EDR/Host

  • Alert on aspnet_compiler.exe spawned from non-ASP.NET build contexts
  • Alert on WScript.exe or cscript.exe spawning powershell.exe
  • Alert on creation of %APPDATA%\GLOZVJ\ directory
  • Alert on HKCU\Run key modifications from PowerShell parent processes
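The four EDR/Host rules above, expressed as detection logic and run over a handful of constructed Sysmon-style events. This is an added example, not a rule set from the report or from any vendor: the event field names, the benign build-parent allow-list and the sample events are assumptions, and note that Sysmon records HKCU keys under HKU\<SID>, so the rule matches on the Run key path rather than the HKCU prefix.

```python
import re

# Constructed Sysmon-style events (assumed field names: Event ID 1 process creation,
# 13 registry value set, 11 file create). None of these are from the report's telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"},
    {"id": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLOZVJ"},
    {"id": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\GLOZVJ\GLOZVJ.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe"}   # assumed benign parents; tune per environment
# Sysmon logs HKCU as HKU\<SID>, so match on the key path rather than the HKCU prefix.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
GLOZVJ_DIR = re.compile(r"\\AppData\\Roaming\\GLOZVJ\\", re.I)   # %APPDATA% expanded

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: dict) -> list:
    """Return the names of the report's EDR rules that a single event triggers."""
    img, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
    hits = []
    if ev["id"] == 1:
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            hits.append("script_host_spawns_powershell")
        if img == "aspnet_compiler.exe" and parent not in BUILD_PARENTS:
            hits.append("aspnet_compiler_outside_build")
    elif ev["id"] == 13 and img == "powershell.exe" and RUN_KEY.search(ev.get("TargetObject", "")):
        hits.append("run_key_set_by_powershell")
    elif ev["id"] == 11 and GLOZVJ_DIR.search(ev.get("TargetFilename", "")):
        hits.append("glozvj_persistence_path")
    return hits

def scan(events: list) -> list:
    """(event index, rule name) for every hit, so an analyst can pivot back to the raw event."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]
```

The third event (aspnet_compiler.exe under MSBuild.exe) produces no hit, which is the allow-list doing its job; widen BUILD_PARENTS only after confirming what legitimately launches the compiler in your estate.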

Network

  • Block all traffic to 31.222.235.198
  • Block DNS resolution of cottondreams.org and all subdomains
  • Alert on SMTP connections from workstations (non-mail-server hosts) on port 587

Analysis by GHOST -- Breakglass Intelligence
