Bitdefender researchers have recently found spearphishing campaigns, either impersonating a well-known Egyptian engineering contractor or a shipment company, dropping the Agent Tesla spyware Trojan. 

According to a Bitdefender blog, the impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others, based on Bitdefender telemetry. The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines. 

Recently, due to COVID-19, oil demand has decreased by more than half - the lowest since 2002. However, a dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices, says the blog. 

The targeted nature of the attacks suggests motivation and interest in knowing how specific countries plan to address the issue.

Both campaigns deliver the Agent Tesla spyware Trojan as their payload, and beyond just the oil & gas sector, they also target other energy verticals that have been tagged as critical during the Coronavirus pandemic. After analyzing the profile of the affected victims, Bitdefender researchers found them operating in oil & gas, charcoal processing, hydraulic plants, manufacturers of raw materials, and transporters of large merchandise.

According to Bitdefender, the Agent Tesla spyware Trojan has reportedly been around since 2014 and operates under a malware-as-a-service offering, with its developers selling various pricing tiers based on different licensing models. Its best-known capabilities involve stealth, persistence and security-evasion techniques that ultimately enable it to extract credentials, copy clipboard data, capture screenshots, grab form data, log keystrokes, and collect stored credentials from a variety of installed applications.

For the full report, visit