home.social

#autoit — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #autoit, aggregated by home.social.

  1. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    Pulse ID: 6a02ae6f8736a6b944d7d662
    Pulse Link: otx.alienvault.com/pulse/6a02a
    Pulse Author: Tr1sa111
    Created: 2026-05-12 04:37:03

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #Tr1sa111

  2. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    A sophisticated multi-stage infection chain was identified through proactive threat hunting, beginning with the execution of MicrosoftToolkit.exe, a commonly abused hack tool. The attack employed file masquerading techniques, renaming a .dot file to .bat format to evade detection. The malware performed process discovery and attempted to terminate security-related processes before extracting payloads using extract32.exe. An AutoIt-compiled executable (Replies.scr) functioned as a loader, processing an external encrypted payload file and establishing command-and-control communication with infrastructure associated with Vidar Stealer. The malware demonstrated advanced anti-analysis capabilities, including debugger detection and instrumentation callback queries. It targeted credentials, browser data, cryptocurrency wallets, and system information. Post-execution cleanup routines deleted artifacts and terminated processes to minimize forensic evidence and evade detection, significantly complicating incident res...

    Pulse ID: 6a01c2382e61b490cfa457e4
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:12

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #Browser #CyberSecurity #InfoSec #Malware #Microsoft #Nim #OTX #OpenThreatExchange #RAT #Vidar #bot #cryptocurrency #AlienVault

  3. Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

    Pulse ID: 6a01c03c55b2d8cb451efc11
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: CyberHunter_NL
    Created: 2026-05-11 11:40:44

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Autoit #CyberSecurity #InfoSec #OTX #OpenThreatExchange #Vidar #bot #CyberHunter_NL

  4. My co-author is DeepSeek

    This article is about my experience collaborating with DeepSeek on developing some small projects in various programming languages. I had written in these languages before, but without AI assistance.

    habr.com/ru/articles/1010138/

    #искусственный_интеллект #autoit #lua # #gsm

  8. My co-author is DeepSeek. This article is about my experience collaborating with DeepSeek on developing some small projects in various...

    #искусственный #интеллект #autoit #lua #cи #gsm

  9. 🎯 Threat Intelligence
    ===================

    Executive summary: McAfee Labs uncovered a recent Astaroth banking‑trojan campaign that abuses GitHub repositories as resilient backup infrastructure. The operators start with phishing that delivers a .lnk shortcut which invokes obfuscated JavaScript via mshta.exe, leading to AutoIT artifacts and an encrypted Astaroth payload.

    Technical details:
    • The initial downloader is packaged as a ZIP containing a Windows shortcut (.lnk) which executes JavaScript through mshta.exe.
    • The downloader retrieves files into ProgramData, including an AutoIT compiled script Corsair.Yoga.06342.8476.366.log, an AutoIT interpreter Corsair.Yoga.06342.8476.366.exe, and an encrypted payload stack.tmp identified as Astaroth.
    • C2 communication is achieved via a reverse proxy using Ngrok for exfiltration of credentials and session data.
    • When primary C2 servers are inaccessible, the malware fetches updated configuration data embedded via steganography within images hosted on GitHub repositories.
    • Links used by the campaign are geo‑restricted to target specific countries (major focus on Brazil and broader South American targets, with some activity in Portugal and Italy).

    Attack Chain Analysis:
    • Initial Access: Phishing email with ZIP attachment and .lnk shortcut.
    • Download: Obfuscated JavaScript fetched and executed via mshta.exe; artifacts written to ProgramData.
    • Execution: AutoIT interpreter runs compiled AutoIT script, which launches the encrypted payload.
    • Persistence/Config Fetch: Malware uses GitHub‑hosted images carrying steganographic configurations as fallback C2.
    • Exfiltration: Credentials and harvested data sent through Ngrok tunnels.

    Detection guidance:
    • Look for execution of mshta.exe originating from .lnk shortcuts and unusual AutoIT binary activity under ProgramData.
    • Monitor outbound connections to ngrok.io domains and anomalous HTTP(S) fetches of image resources from GitHub repositories, especially requests with geo‑restriction behavior.

    Limitations and context:
    • IoCs published by McAfee included file names and behavioral details; repositories mentioned were reported to GitHub and removed. Specific IPs or hashes were not fully listed in the summarized text.

    🔹 Astaroth #GitHub #Ngrok #AutoIt #mshta

    🔗 Source: mcafee.com/blogs/other-blogs/m

  10. And now the prize question:
    Why on earth did I use "AutoIT" for all this junk, which I consider a great tool but is actually the wrong tool for this task?

    For the most important reason in tool selection: I know how to use it.

    9/9

    #programmieren #AutoIT #VM #storytime

  11. 💡 #TIL there's another effort going on to bring inglorious

    #AutoHotkey to 🐧 GNU/#Linux!
    (#X11, that is.)

    Meet #AHK_X11 🥳

    🌐 github.com/phil294/AHK_X11
    📖 phil294.github.io/AHK_X11

    ☝️ Caveat: It only supports legacy #AHK 1.1 syntax and does not aim for 100% feature parity/compatibility, but should enable you to use most of your #hotkeys and #hotstrings #crossplattform! (Sync on your own).

    #scripting #automation #DesktopAutomation #KeyboardWarriors #xdotool #gtk #AutoIt #AutoKey #AlternativeTo

  12. @nixCraft I was 14 and I was trying to make a program to backup my Minecraft world saves 😅

    Before that I had unsuccessfully attempted to learn #python, it never clicked for me. Everyone said that the syntax was easy but it wasn't easy for me.

    What did click with me was Windows Shell Script, a.k.a. Batch!

    I felt very powerful when I started writing my little batch scripts. Soon after I discovered an obscure language called #AutoIt which I loved! I still use it to this day, professionally too.

  13. Well, here goes: #introduction

    It started with Apple IIs and Oregon Trail in the late 80s, and in middle school they had a lab full of them and we drew stuff with LOGO and saved our work on the old 5-inch floppies. Was addicted to Hover when it came out. Finally we had a family computer and got dialup, and I was home alone when I experienced my first malware infection, and not wanting to get in trouble, I learned really fast what the command line and the registry were, and I had it all cleaned up with no trace by the time anyone else got home. I'd spend hours tinkering with this or that, or fixing things that went wrong.

    Discovered AI/chatbots and built a couple using the Personality Forge, and for a while they were the most advanced chatbots on the site. I'd work on their programming with a Palm IIIe and a folding keyboard, while away from my desk, and then I'd 'hotsync' my notes and upload changes via dialup, those were the days! "Get off the computer I need to make a phone call" lol

    My interests were anything tech. It went from being an interest to being a professional endeavor when I started doing flash dev and website work for a travel directory site in PV, Mexico, while I was living there, and when I returned to the states I worked for a small ISP doing #WIMAX installs using Motorola Canopy gear, along with whatever malware removal, hardware fixes, repairs, reinstalls, whatever, all manner of PC stuff.

    Moved to TX, worked for another ISP down there doing the same thing, involved using slightly older tech gear, and this was around the time malware infections were starting to really plague even smaller businesses, and I started to focus on #infosec and #security, and then they bought a webhosting company and I switched back to website work, updating sites that had been built using... html tables and sketchy code that was often missing tags. Wrote repair articles for #Technibble for a while, then started out on my own, specializing in anything tech, from #networking #troubleshooting #ComputerRepair #programming small stuff using batch scripts, #AutoIT, (am I supposed to tag this stuff? I'm new to this here) and started up my own #webhosting company where I could pick and choose what platforms to use, free rein to give customers the best bang for their buck, and #WordPress was simple enough to get them into, make something that fit the need, and then hand the reins over to them for most of the content changes in the future unless something went terribly wrong.

    Worked in retail electronics and got some experience with mobile tech, helped customers with analog phones transfer their stuff to new phones, activation, etc, meanwhile discovering Android, which led to #root discovery and fascination with #CustomRom stuff, which led to #AppDev for a customer using Android and iOS, but I only dabble in that sector.

    Returned to WA and helped with a non-tech family business, but the lack of a #CRM that did what I wanted led me to build custom functionality onto an existing CRM using the ol' #php, and then built a custom #IoT system using #micropython for a customer, #ESP32 (love these things) etc, and then the pandemic happened and I went straight into #python and wanted to use #django but the workflow wasn't to my liking, so I took a step back and followed a friend's advice to get more into #javascript which I'm absolutely loving, with a focus on #NodeJS.

    My main line of work at the moment is something I'd probably have to add a disclaimer for, so instead I'll just say that it's really fun and keeps me active, and involves tech to a degree, possibly primarily because I prefer to leverage tech solutions wherever possible to save time, money, and 'decision fatigue' to spend that instead on refreshing old skills and learning new ones.

    I type really fast, which unfortunately leads to me writing entire novels inside emails (heh) and I also forget a lot of the stuff I've done because I switch focus depending on what solutions are needed, so for a TL;DR:

    I'm a nerd who loves anything even lightly tech or security related, sort of a jack of all trades #technologist: If someone has a problem or a tech need, I either find an affordable/free solution or build it. If I need to learn it to build it, no worries, just adds a little time to the project.

    I love this #Mastodon thing and look forward to all the awesome stuff I've been seeing here, wishing I had more to share in return. Thank you @jerry!

  14. The government is funding the industry with the goal of driving its transformation forward: in autonomous driving, digitalization and alternative drivetrains.
    Mobility transition: multi-billion aid program for automotive suppliers is in place