
LATAM Under Siege: Agent Tesla’s 18-Month Credential Theft Campaign Against Chilean Enterprises

ID: 8fc4503d-b9f3-596c-bb48-59440417da3d

STIX ID: report--8fc4503d-b9f3-596c-bb48-59440417da3d

Feed Name: ANY.RUN's Cybersecurity Blog

Threat Score
75/100

Date Published: 2026-05-14

Date Updated: 2026-05-14

Author: Moises Cerqueira (0xOlympus)

...
...

**Executive summary:** This report documents an 18-month Agent Tesla credential-theft campaign focused on Chilean and LATAM organizations, delivered via purchase-order and payroll-themed phishing (RAR/.jse/macro lures). The analysis details a multi-stage .NET Reactor-protected loader that uses process hollowing and in-memory execution to run Agent Tesla, which harvests browser, email, FTP and VPN credentials and exfiltrates HTML reports over cleartext FTP to a compromised Romanian server. The publication provides IOCs, behavioral evidence from interactive sandboxing, MITRE mappings, and detection rules and mitigations.
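The exfiltration path named in the summary (HTML credential reports pushed over cleartext FTP) is the part of the chain that is easiest to catch on the wire, because the FTP control channel carries USER, PASS and STOR in plaintext. The following is an added illustration, not one of the report's own detection rules and not ANY.RUN code: it assumes a constructed flow summary format (one FTP control command per line, "src -> dst CMD arg") such as a network sensor might emit, and flags any session that authenticates in cleartext and then uploads an .html/.htm file. Hosts, usernames and file names are invented for the example.

```python
import re
from dataclasses import dataclass

# Assumed, constructed line format: "<src ip:port> -> <dst ip:port> <CMD> [arg]".
# Real sensors (Zeek ftp.log, Suricata ftp events) use their own schemas; adapt the regex.
LINE_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)
REPORT_SUFFIXES = (".html", ".htm")


@dataclass
class Alert:
    src: str
    dst: str
    user: str
    filename: str


def parse_flow(text):
    """Yield (src, dst, cmd, arg) tuples for every parseable control-channel line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("cmd"), m.group("arg") or ""


def detect_html_uploads(flow_text):
    """Flag FTP sessions that log in with a cleartext PASS and then STOR an HTML file.

    Session state is keyed on (src, dst) so concurrent sessions from the same host
    are tracked separately. A session that negotiated AUTH TLS would never expose
    PASS in the clear, so it is not flagged even if a STOR of an .html file follows.
    """
    sessions = {}
    alerts = []
    for src, dst, cmd, arg in parse_flow(flow_text):
        state = sessions.setdefault((src, dst), {"user": None, "cleartext_pass": False})
        if cmd == "USER":
            state["user"] = arg
        elif cmd == "PASS":
            state["cleartext_pass"] = True
        elif cmd == "STOR" and state["cleartext_pass"] and arg.lower().endswith(REPORT_SUFFIXES):
            alerts.append(Alert(src, dst, state["user"] or "<unknown>", arg))
    return alerts


# Constructed sample flow (documentation-range addresses, invented names).
# Session 1 matches the exfiltration pattern; session 2 is a benign binary upload.
SAMPLE_FLOW = """\
10.0.0.5:49811 -> 203.0.113.10:21 USER ftpuser
10.0.0.5:49811 -> 203.0.113.10:21 PASS hunter2
10.0.0.5:49811 -> 203.0.113.10:21 TYPE I
10.0.0.5:49811 -> 203.0.113.10:21 PASV
10.0.0.5:49811 -> 203.0.113.10:21 STOR report.html
10.0.0.5:49812 -> 198.51.100.7:21 USER backup
10.0.0.5:49812 -> 198.51.100.7:21 PASS s3cret
10.0.0.5:49812 -> 198.51.100.7:21 STOR nightly.tar.gz
"""

if __name__ == "__main__":
    for a in detect_html_uploads(SAMPLE_FLOW):
        print(f"ALERT cleartext FTP upload of {a.filename} by {a.user}: {a.src} -> {a.dst}")
```

In production the file-extension check is only a first filter; the stronger signal is the combination of a cleartext FTP login from a workstation to an external host plus a small upload shortly after process-hollowing activity on that endpoint, which is the sequence the report's sandbox evidence describes.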
