AgentTesla Being Distributed via Sophisticated PowerPoint Files
When the PowerPoint file is run, a security notice appears, where the user selects whether or not to enable macros just like in the previous cases.
Selecting Enable macro runs the malicious macro.
When the malicious macro is executed, an error notice appears disguised as a PowerPoint error, making it difficult for users to notice malicious behaviors.
The malicious macro is executed automatically by the Auto_Open() function, and the data used for the malicious behavior is obfuscated.
Unobfuscating it shows the strings below, and the malicious command is executed via the shell function.
The malicious command executed by the malicious macro and just like in the previous cases, it approaches a malicious URL via mshta process to run additional scripts.
Featured Resources
View More Resources
blog
How to Prioritize Vulnerabilities in 2026: From CVSS to Real Risk
Security teams have more vulnerability data than ever. Scanners find exposures across endpoints, cloud assets, applications, identities and third-party tools. The problem is no
CUSTOMERS
Financial Regulatory Authority Strengthens Security and Gains Continuous Visibility with Cymulate
Limited Visibility and Reliance on Point-in-Time Testing With a lean team of five responsible for securing a complex internal environment,
blog
CVE-2026-35603: One Writable Folder, Every User Compromised: Exploiting Configuration Trust in AI Coding Tools
Ilan Kalendarov, Security Research Team LeadBen Zamir, Security ResearcherElad Beber, Security Researcher The AI coding tools that millions of developers launch every