Agent

Agent is a generic malware/tool name used in multiple distinct contexts in the provided content rather than a single well-defined family. High-confidence references include: (1) Trojan-Downloader.AndroidOS.Agent.no, embedded in modified messaging apps and other Android app mods, which downloads Trojan-Clicker.AndroidOS.Agent.bl; the clicker opens ad URLs in an invisible WebView and uses machine learning to locate and click close buttons, inflating ad views on victims’ devices. (2) Trojan.Loader.Agent, a detection name for a malicious DLL in a multi-stage Windows loader campaign delivered via phishing emails impersonating a travel agency. That campaign abused CVE-2013-3900 to trojanize a signed WinWord.exe, side-loaded msvcr100.dll, established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run and a scheduled task named WindowsUpdateCore, decrypted a payload hidden in the certificate area, and hollowed cvtres.exe to launch a RAT. Reported capabilities of the final payload included TLS-encrypted C2, screen capture, WMI-based host reconnaissance, file theft, active-window tracking, idle-time-based keylogging activity, privilege checks, runtime code execution, and downloading additional modules stored in the registry; reported IOCs included MD5 6CC1EAD08ADD4F967370FF1D6D07F9E1, MD5 C4C6B65C8D32B27B737E7E95ECC00D69, C2 104.37.173.244:56001, and mutexes WUCorePayload_4A8F and Ethatqehl. (3) An OS X malware context tied to CoinThief, where a RAT-like binary named Agent was installed at ~/Library/Application Support/.com.google.softwareUpdateAgent after delivery via trojanized applications such as StealthBit; it appeared responsible for sending data to remote servers and enabling remote access, and checked for Little Snitch and 1Password. (4) During Operation Wocao, threat actors used a custom proxy tool called Agent that supported multiple hops, encrypted hop IP addresses with RC4, and upgraded sockets to TLS to relay traffic. Because the content conflates several unrelated Android, Windows, macOS, and intrusion-tool usages under the same label, Agent should be treated as an ambiguous/generic name rather than a single malware family.