Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
A newly discovered multi-stage malware campaign observed in December 2024 highlights how attackers are stacking simple yet effective techniques to deploy remote access trojans (RATs) like Agent Tesla, Remcos, and XLoader.
According to Palo Alto Networks' Unit 42, the attack begins with a phishing email posing as an order request, tricking users into opening a malicious 7-Zip archive containing a .JSE (JavaScript Encoded) file. Once executed, the file downloads a PowerShell script from an external server, starting the infection chain.
This script contains a Base64-encoded payload, which is decoded and saved in the Windows temp directory. It triggers a dropper, either a .NET or an AutoIt-compiled executable. The .NET version injects the final payload (Agent Tesla or XLoader) into RegAsm.exe, while the AutoIt variant does the same through RegSvcs.exe. Both are legitimate .NET Framework utilities, so the payload runs inside a trusted Microsoft-signed process, further complicating detection.
Rather than using advanced obfuscation, the attackers build resilience through layered execution paths to evade security tools and sandbox analysis.
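The chain described above (script host running a .JSE, spawning PowerShell, which drops an executable in the temp directory that then launches RegAsm.exe or RegSvcs.exe) is a process-ancestry pattern that endpoint telemetry can match. The following detection logic is an added example, not code from Unit 42 or from this article; the event records are constructed in a Sysmon-style layout (pid, ppid, image, command line) and the stage names are the author's own assumptions.

```python
"""Flag process trees matching .JSE -> PowerShell -> temp dropper -> RegAsm/RegSvcs."""

# Constructed sample process-creation events (not real telemetry). One malicious
# chain rooted at an email client, plus a benign RegAsm.exe launch from a dev tool.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Outlook\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\7z\Order_Request.jse"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c <redacted>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\dropper.exe", "cmd": "dropper.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmd": "RegAsm.exe"},
    {"pid": 600, "ppid": 1, "image": r"C:\Program Files\VS\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": "RegAsm.exe mylib.dll"},
]

# Ordered stages of the chain; each predicate inspects one event. Stage names are assumptions.
STAGES = [
    ("script_host", lambda e: e["image"].lower().endswith(("wscript.exe", "cscript.exe"))
                              and ".jse" in e["cmd"].lower()),
    ("powershell", lambda e: e["image"].lower().endswith(("powershell.exe", "pwsh.exe"))),
    ("temp_dropper", lambda e: "\\temp\\" in e["image"].lower()),
    ("dotnet_host", lambda e: e["image"].lower().endswith(("regasm.exe", "regsvcs.exe"))),
]


def ancestry(events, pid):
    """Return the process chain from the root ancestor down to pid (root first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def matched_stages(chain):
    """Match STAGES in order against a root-first chain; intermediate processes may be skipped."""
    hits, idx = [], 0
    for e in chain:
        if idx < len(STAGES) and STAGES[idx][1](e):
            hits.append(STAGES[idx][0])
            idx += 1
    return hits


def find_suspicious_chains(events, min_stages=3):
    """Return (pid, stages) for RegAsm/RegSvcs launches whose ancestry hits at least min_stages stages."""
    findings = []
    for e in events:
        if STAGES[-1][1](e):  # only evaluate the final stage, the injection host
            hits = matched_stages(ancestry(events, e["pid"]))
            if len(hits) >= min_stages:
                findings.append((e["pid"], hits))
    return findings
```

The threshold of three stages keeps the rule tolerant of variants (for example, the AutoIt dropper launching RegSvcs.exe, or a chain where the script host is not captured) while still ignoring the benign developer launch of RegAsm.exe.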
Defence Strategies
To defend against such sophisticated delivery chains, organizations should:
Deploy Advanced Email Filters: Block phishing emails containing suspicious attachments like .JSE or .ZIP.
Use EDR and Behavioural Analytics: Endpoint Detection and Response solutions can detect unusual script behaviour and process injection.
Restrict Script Execution: Enforce strict policies on executing JavaScript and PowerShell scripts, especially from unknown sources.
Regular Patch Management: Keep OS and third-party software up to date to minimize exploit surfaces.
Security Awareness Training: Educate employees on identifying phishing emails and reporting suspicious activity.
Proactive monitoring and layered security controls remain key to stopping these attacks before they reach critical systems.
About Us – Indian Cyber Security Solutions (ICSS)
At Indian Cyber Security Solutions, we specialize in building robust cyber defences for businesses of all sizes. From proactive threat hunting and penetration testing to real-time incident response, our cybersecurity services are trusted by over 200 clients across the globe.
Whether you're a startup or an enterprise, our team of certified cybersecurity experts is dedicated to securing your infrastructure against emerging threats. We offer industry-recognized services such as VAPT (Vulnerability Assessment and Penetration Testing), secure code audits, digital forensics, cloud security assessments, and incident response.
We are also recognized for delivering hands-on, industry-relevant training programs in Ethical Hacking, Cybersecurity, Cloud Computing, and more—empowering the next generation of cyber professionals.
✅ Visit us at https://indiancybersecuritysolutions.com to explore how we can strengthen your organization’s cyber resilience against evolving threats.