The attack begins with a seemingly innocent executable file named “1. Project” that initiates a complex infection chain designed to deploy a Remote Access Trojan (RAT).
This campaign represents a concerning evolution in threat actors’ tactics, leveraging the flexibility of AutoIT, a scripting language capable of deep interaction with Windows operating system components.
The initial payload establishes communication with command and control infrastructure hosted at “hxxps://xcvbsfq32e42313[.]xyz” while creating multiple files on the victim’s system, including a PowerShell script and additional AutoIT code.
These components work together to ensure persistence and evade detection while the malware establishes a foothold on the compromised system.
SANS Technology Institute researchers identified the campaign on May 19, 2025, noting its multi-stage approach that makes analysis particularly challenging.
The researchers highlighted that this technique allows attackers to modify individual components independently, creating a modular attack framework that can be rapidly adapted to bypass new security measures.
The infection mechanism employs an intricate, layered approach starting with the initial AutoIT executable. Upon execution, the malware generates a PowerShell script at “C:\Users\Public\PublicProfile.ps1” and downloads a secondary AutoIT script named “Secure.au3” from the attacker’s server.
This second-layer script is executed by a component labeled “SwiftWrite.pif” which serves as an AutoIT interpreter.
The second AutoIT layer contains sophisticated obfuscation techniques, including a custom encoding function called “Wales” that decodes strings during runtime.
This layer also performs security product detection, checking specifically for “avastui[.]exe” to determine if Avast antivirus is running on the system.
In the final stage, the malware spawns a “jsc[.]exe” process and injects it with a malicious DLL named “Urshqbgpm.dll”, which attempts to establish a connection with the command and control server, completing the attack chain.
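The chain above leaves a distinct trail on the endpoint: the dropped PowerShell script, a renamed AutoIT interpreter (a .pif) running an .au3 script, jsc.exe loading a DLL from a user-writable directory, and an outbound connection to the C2 host. The following is an added defensive example, not code from the article or from SANS ISC, that sweeps JSON-lines endpoint telemetry for those four stages. The log format (fields `event`, `image`, `target`, `cmdline`, `dest`) and the sample events are constructed assumptions loosely modelled on Sysmon-style records; the indicator names come from the article, with the C2 domain refanged so it matches live telemetry. Two of the rules deliberately generalize beyond the named artifacts (any .pif running an .au3 file, and jsc.exe loading any DLL from under C:\Users), because the renamed interpreter and the injection target are the reusable parts of the tradecraft.

```python
"""Indicator sweep for the AutoIT -> RAT chain described above.

Added defensive example; not code from the article or from SANS ISC.
Input format is an assumption: one JSON object per line with the fields
"event", "image", "target", "cmdline" and "dest" (loosely Sysmon-shaped).
"""
import json
from dataclasses import dataclass

# Indicators quoted in the article (lower-cased for matching). The C2
# domain is refanged because real telemetry carries the live name.
C2_DOMAIN = "xcvbsfq32e42313.xyz"
DROPPED_PS1 = r"c:\users\public\publicprofile.ps1"
SECOND_STAGE = "secure.au3"
INTERPRETER = "swiftwrite.pif"
INJECT_TARGET = "jsc.exe"
INJECTED_DLL = "urshqbgpm.dll"
USER_PROFILE_ROOT = "c:\\users\\"  # assumed heuristic scope for the DLL-load rule


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def win_basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path will not split '\\' on Linux)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_events(lines):
    """Return a Finding for every line that matches one of the chain's stages."""
    findings = []
    for n, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        ev = json.loads(raw)
        kind = ev.get("event", "")
        image = ev.get("image", "")
        target = ev.get("target", "")
        cmd = ev.get("cmdline", "").lower()
        dest = ev.get("dest", "").lower()

        # Stage 1: the first AutoIT executable writes the PowerShell stager.
        if kind == "file_create" and target.lower() == DROPPED_PS1:
            findings.append(Finding("dropped_powershell_stager", n, f"{image} wrote {target}"))

        # Stage 2: a .pif interpreter runs an .au3 script. The names from the
        # article are reported as an exact match; any other .pif executing an
        # .au3 file is reported under the generic pattern.
        elif kind == "process_create" and win_basename(image).endswith(".pif") and ".au3" in cmd:
            exact = win_basename(image) == INTERPRETER and SECOND_STAGE in cmd
            prefix = "known names: " if exact else "generic .pif/.au3 pattern: "
            findings.append(Finding("renamed_autoit_interpreter", n, prefix + cmd))

        # Stage 3: jsc.exe loads the injected DLL. Report the named DLL, and also
        # any DLL jsc.exe loads from a user profile directory (assumed heuristic).
        elif kind == "image_load" and win_basename(image) == INJECT_TARGET:
            if win_basename(target) == INJECTED_DLL or target.lower().startswith(USER_PROFILE_ROOT):
                findings.append(Finding("dll_injected_into_jsc", n, f"jsc.exe loaded {target}"))

        # Stage 4: outbound contact with the C2 host (exact host or a subdomain).
        elif kind == "network_connect":
            host = dest.split(":")[0]
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                findings.append(Finding("c2_connection", n, f"{image} -> {dest}"))
    return findings


def scan_text(text: str):
    """Convenience wrapper: scan a blob of JSON lines, numbering from 1."""
    return scan_events(text.strip().splitlines())


# Constructed sample telemetry (not real logs): the four stages of the chain
# with two benign events interleaved. The ".exe" suffix on "1. Project" and
# all paths are assumptions.
SAMPLE_LOG = r"""
{"event": "file_create", "image": "C:\\Users\\alice\\Downloads\\1. Project.exe", "target": "C:\\Users\\Public\\PublicProfile.ps1"}
{"event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
{"event": "process_create", "image": "C:\\Users\\Public\\SwiftWrite.pif", "cmdline": "SwiftWrite.pif C:\\Users\\Public\\Secure.au3"}
{"event": "image_load", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe", "target": "C:\\Users\\Public\\Urshqbgpm.dll"}
{"event": "file_create", "image": "C:\\Program Files\\Editor\\editor.exe", "target": "C:\\Users\\Public\\notes.txt"}
{"event": "network_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe", "dest": "xcvbsfq32e42313.xyz:443"}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run against the constructed sample, the sweep reports the four chain stages on lines 1, 3, 4 and 6 and stays silent on the two benign events. The rules are ordered as the article orders the stages, so a partial run (for example only the stager drop and the interpreter launch) still surfaces as two adjacent findings, which is the signal a SOC would want to pivot on before the C2 connection appears.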
The post Hackers Leverage AutoIT Code to Deliver Malware Attacking Windows System appeared first on Cyber Security News.