Tag: autoit

13 Attack Reports | 0 Vulnerabilities

Attack reports

New wave of targeted attacks of the Angry Likho APT on Russian organizations

The Angry Likho APT group has launched a new wave of targeted attacks primarily against Russian organizations. The group employs spear-phishing emails with malicious attachments as the initial attack vector. A previously unknown implant was discovered, utilizing a self-extracting archive and AutoIt…
apt
russia
stealer
autoit
targeted attacks
2025-02-24
lumma trojan
Published: February 24, 2025
Downloadable IOCs: 30

Evolving Snake Keylogger Variant

A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web brow…
credential theft
autoit
keylogging
snake keylogger
process hollowing
2025-02-20
fortisandbox
ai detection
404 keylogger
paix
Published: February 20, 2025
Downloadable IOCs: 3

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…
phishing
infostealer
remcosrat
redline
autoit
agenttesla
2025-01-10
xloader
snakekeylogger
Published: January 10, 2025
Downloadable IOCs: 3

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Core Werewolf hones its arsenal against Russia’s government organizations

BI.ZONE Threat Intelligence continues monitoring a threat actor called Core Werewolf, which has targeted Russia's defense industry and critical infrastructure since 2021. In its recent campaigns, the adversary employed a new loader written in AutoIt and started delivering malicious files via Telegr…
loader
russia
autoit
telegram
2024-10-14
delivery
Published: October 14, 2024
Downloadable IOCs: 25

Arsenal honed against Russia's government organizations

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives con…
loader
government
autoit
telegram
2024-10-11
critical infrastructure
sfx executables
rar archives
Published: October 11, 2024
Downloadable IOCs: 25

SIEM agent being used in SilentCryptoMiner attacks

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding ma…
seo poisoning
persistence
autoit
cryptomining
defense evasion
2024-10-07
silentcryptominer
siem
Published: October 7, 2024
Downloadable IOCs: 8

Credential Flusher Research

This intelligence report describes a technique employed by threat actors to compel victims into entering their credentials into a browser, thereby enabling the credentials to be stolen from the browser's credential store using traditional credential-stealing malware. The method involves launching t…
stealer
autoit
credential
stealc
2024-09-17
flusher
kiosk
Published: September 17, 2024
Downloadable IOCs: 8

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat
Published: August 23, 2024
Downloadable IOCs: 33

The Abuse of ITarian RMM by Dolphin Loader

This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
stealthy
python
lummac2
rhadamanthys
rmm
darkgate
redline
autoit
malware-as-a-service
sectoprat
2024-08-19
itarian
evade
dolphin loader
Published: August 19, 2024
Downloadable IOCs: 24

Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

In June 2024, eSentire's Threat Response Unit observed several incidents involving users downloading the ScreenConnect remote access client, potentially facilitated through drive-by downloads. Threat actors exploited ScreenConnect to establish unauthorized remote sessions, ultimately deploying the …
screenconnect
asyncrat
autoit
2024-07-05
nsi script
nsis installer
Published: July 5, 2024
Downloadable IOCs: 77

Exploring the Metamorfo Banking Trojan

This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
powershell
html
casbaneiro
metamorfo
2024-05-17
autoit
appdata
script file
deobfuscating
script
Published: May 17, 2024
Downloadable IOCs: 39

From Document to Script: Insides of Campaign

This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
obfuscation
phishing
darkgate
campaign
cybercrime
malicious
payload
2024-05-17
autoit
java
Published: May 17, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports