Another Holiday-Themed Phish: Eid al-Adha is the Pretext for an Agent Tesla Campaign

Share Now


Holidays and global events provide timely material for threat actors to use as phishing lures. This technique is a common practice, and can sometimes be convincing to targets, especially just before a major holiday. On Sunday, August 19, 2018, Cofense Intelligence™ received an Eid-themed phishing email. Eid al-Adha, the Islamic festival/holiday, began this week.

While the phishing email is generic, threat actors use a narrative claiming to deliver an “Eid Ticket” for an Eid event purportedly from the accounting department of To view the tickets, the victim is tasked with downloading the attached .zip archive. But instead of tickets, the file contains an executable sample of the Agent Tesla keylogger. This malware also acts as an information stealer capable of decoding and exfiltrating data from a number of applications, such as Google Chrome, Firefox FileZilla, and Steam.

The primary task of Agent Tesla is to exfiltrate sensitive credentials from the victim’s machine to the threat actors’ command and control location, and will take screenshots of the victim’s machine during the infection. In this sample, Agent Tesla exfiltrates stolen credentials via email to storeglis[@]lordshotels[.]com.

Figure 1: Eid al-Adha phishing email for unspecified Eid event

In another holiday-themed phishing scenario, Cofense Intelligence reported a Fourth of July holiday phish on July 3, 2018 distributing the Geodo financial crimes malware. Holiday-themed phishing lures are a classic strategy that can often be effective. Organizations and enterprises must develop a strong defense strategy to combat these enticing lures. It is important to educate and empower users to report suspicious emails that use this method of phishing lures. Remember, computer users are the last line of defense against phishing attacks.

To learn more about resiliency to all types of phishing attacks, view the most recent Cofense™ Phishing Resiliency and Defense Report.


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on as a development site.