Tag: autoit

19 Attack Reports | 0 Vulnerabilities

Attack reports

RAT Dropped By Two Layers of AutoIT Code

A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains AutoIT script that generates and executes a PowerShell script. This script downloads an AutoIT interpreter and another layer of AutoIT code. Persistence is achieved…
rat
asyncrat
autoit
2025-05-19
Published: May 19, 2025
Downloadable IOCs: 4

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins wi…
obfuscation
phishing
infostealer
anti-analysis
credential theft
autoit
information stealing
2025-05-14
multi-stage payload
darkcloud stealer
Published: May 14, 2025
Linked vulnerabilities : CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 4

How Lumma Stealer sneaks into organizations

Lumma Stealer, a sophisticated information-stealing malware, has gained prominence in cybercriminal circles since 2022. It employs various distribution methods, with fake CAPTCHA pages being a notable vector. These pages mimic legitimate services and trick users into executing malicious commands. T…
obfuscation
powershell
anti-analysis
lumma stealer
autoit
information stealer
cryptocurrency theft
fake captcha
2025-04-21
Published: April 21, 2025
Downloadable IOCs: 15

Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution p…
infostealer
shellcode
autoit
agent tesla
snake keylogger
remcos rat
xloader
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 0

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …
powershell
cryptocurrency
persistence
autoit
clipbanker
2025-04-08
miner
sourceforge
Published: April 8, 2025
Downloadable IOCs: 0

Remcos RAT Malware Disguised as Major Carrier's Waybill

A sophisticated malware campaign has been discovered, utilizing the Remcos RAT disguised as a shipping company waybill. The attack begins with an email containing an HTML script, which when executed, downloads a JavaScript file. This file creates and downloads several components, including a config…
phishing
autoit
remcos rat
persistence techniques
shellcode injection
2025-04-01
javascript obfuscation
email attack
waybill disguise
Published: April 1, 2025
Downloadable IOCs: 0

New wave of targeted attacks of the Angry Likho APT on Russian organizations

The Angry Likho APT group has launched a new wave of targeted attacks primarily against Russian organizations. The group employs spear-phishing emails with malicious attachments as the initial attack vector. A previously unknown implant was discovered, utilizing a self-extracting archive and AutoIt…
apt
russia
stealer
autoit
targeted attacks
2025-02-24
lumma trojan
Published: February 24, 2025
Downloadable IOCs: 30

Evolving Snake Keylogger Variant

A new variant of Snake Keylogger, identified as AutoIt/Injector.GTY!tr, has been detected by FortiSandbox v5.0. This malware has attempted over 280 million infections, primarily targeting China, Turkey, Indonesia, Taiwan, and Spain. Snake Keylogger steals sensitive information from popular web brow…
credential theft
autoit
keylogging
snake keylogger
process hollowing
2025-02-20
fortisandbox
ai detection
404 keylogger
paix
Published: February 20, 2025
Downloadable IOCs: 3

Increase in Distribution of AutoIt Compile Malware via Phishing Emails

The distribution of malware compiled with AutoIt has been rapidly increasing, surpassing .NET-type malware. AutoIt, a scripting language for Windows automation, is preferred due to its ease of compilation into EXE files and fewer dependencies. The trend began in August 2024, with AutoIt malware nea…
phishing
infostealer
remcosrat
redline
autoit
agenttesla
2025-01-10
xloader
snakekeylogger
Published: January 10, 2025
Downloadable IOCs: 3

End-of-Year PTO: Days Off and Data Exfiltration with Formbook

A phishing campaign disguised as an end-of-year leave approval notice has been intercepted by the Cofense Phishing Defense Center. The malicious email, masquerading as HR communication, tricks recipients into clicking a link that leads to the deployment of FormBook malware. The email contains red f…
phishing
autoit
credential harvesting
formbook
keylogging
data exfiltration
process injection
2024-12-06
holiday-themed
Published: December 6, 2024
Downloadable IOCs: 0

Core Werewolf hones its arsenal against Russia’s government organizations

BI.ZONE Threat Intelligence continues monitoring a threat actor called Core Werewolf, which has targeted Russia's defense industry and critical infrastructure since 2021. In its recent campaigns, the adversary employed a new loader written in AutoIt and started delivering malicious files via Telegr…
loader
russia
autoit
telegram
2024-10-14
delivery
Published: October 14, 2024
Downloadable IOCs: 25

Arsenal honed against Russia's government organizations

Core Werewolf, a threat actor targeting Russia's defense industry and critical infrastructure since 2021, has evolved its tactics. The group now employs a new loader written in AutoIt and has expanded its delivery methods to include Telegram alongside email. Their campaign involves RAR archives con…
loader
government
autoit
telegram
2024-10-11
critical infrastructure
sfx executables
rar archives
Published: October 11, 2024
Downloadable IOCs: 25

SIEM agent being used in SilentCryptoMiner attacks

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding ma…
seo poisoning
persistence
autoit
cryptomining
defense evasion
2024-10-07
silentcryptominer
siem
Published: October 7, 2024
Downloadable IOCs: 8

Credential Flusher Research

This intelligence report describes a technique employed by threat actors to compel victims into entering their credentials into a browser, thereby enabling the credentials to be stolen from the browser's credential store using traditional credential-stealing malware. The method involves launching t…
stealer
autoit
credential
stealc
2024-09-17
flusher
kiosk
Published: September 17, 2024
Downloadable IOCs: 8

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establ…
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat
Published: August 23, 2024
Downloadable IOCs: 33

The Abuse of ITarian RMM by Dolphin Loader

This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system…
stealthy
python
lummac2
rhadamanthys
rmm
darkgate
redline
autoit
malware-as-a-service
sectoprat
2024-08-19
itarian
evade
dolphin loader
Published: August 19, 2024
Downloadable IOCs: 24

Exploring the Infection Chain: ScreenConnect's Link to AsyncRAT Deployment

In June 2024, eSentire's Threat Response Unit observed several incidents involving users downloading the ScreenConnect remote access client, potentially facilitated through drive-by downloads. Threat actors exploited ScreenConnect to establish unauthorized remote sessions, ultimately deploying the …
screenconnect
asyncrat
autoit
2024-07-05
nsi script
nsis installer
Published: July 5, 2024
Downloadable IOCs: 77

Exploring the Metamorfo Banking Trojan

This report delves into a malware campaign known as Metamorfo, a banking Trojan that spreads through malspam campaigns. It entices users to click on HTML attachments, initiating a series of activities focused on gathering system metadata. The infection chain involves obfuscation techniques, URL eva…
powershell
html
casbaneiro
metamorfo
2024-05-17
autoit
appdata
script file
deobfuscating
script
Published: May 17, 2024
Downloadable IOCs: 39

From Document to Script: Insides of Campaign

This report examines a recent malicious campaign initiated via phishing emails, seemingly from 'QuickBooks,' prompting users to install Java. Clicking the embedded link leads to downloading a malicious JAR file. The JAR contains commands to fetch additional payloads, including an obfuscated AutoIt …
obfuscation
phishing
darkgate
campaign
cybercrime
malicious
payload
2024-05-17
autoit
java
Published: May 17, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports