A Credential Stealer Written in AutoHotkey Scripting Language

A new credential stealer has been identified that is written in the AutoHotkey (AHK) scripting language. In an ongoing campaign that began in early 2020, threat actors have been distributing this infostealer to customers of financial organizations located in the U.S. and Canada.

What has happened?

The infostealer focuses specifically on credential exfiltration and has targeted multiple banks, such as Royal Bank of Canada, Scotiabank, HSBC, Alterna Bank, EQ Bank, Capital One, Manulife, and ICICI Bank.
  • The multi-stage infection chain begins with a malicious Excel file containing a VBA AutoOpen macro, which drops and executes a downloader client script via a portable AHK script compiler executable.
  • This client script also profiles the victim, establishes persistence, and downloads and executes further AHK scripts from command-and-control (C&C) servers located in Sweden, the Netherlands, and the U.S.
  • In the final stage, the stealer collects and decrypts stored credentials from browsers and sends them to the C&C server in plain text via an HTTP POST request.
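As an added defender-side example (not code from the article or the underlying research), the Python below flags the process chain described above in constructed Sysmon-style process-creation records: an Office application spawning an AutoHotkey compiler, an AutoHotkey binary running from a user-writable path, and a .ahk script loaded from such a path. The image names, paths, PIDs and the list of stock AutoHotkey executable names are assumptions made for the example.

```python
import re
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
# Assumed stock AutoHotkey image names; a dropped portable copy is often renamed,
# so a .ahk script on the command line also counts as evidence.
AHK_IMAGES = ("autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "ahk2exe.exe")
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads|programdata)\\", re.I)
AHK_SCRIPT = re.compile(r"\S+\.ahk\b", re.I)

def rec(pid, parent, image, cmd):
    """Build one tab-separated Key=Value record (Sysmon Event ID 1 style)."""
    return f"ProcessId={pid}\tParentImage={parent}\tImage={image}\tCommandLine={cmd}"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_LINES = [  # constructed for this example; PIDs, paths and file names are made up
    rec(4120, EXCEL, TEMP + r"\ahkrun.exe", f'"{TEMP}\\ahkrun.exe" {TEMP}\\client.ahk'),
    rec(2204, r"C:\Windows\explorer.exe", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
        r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Documents\hotkeys.ahk'),
    rec(5312, r"C:\Windows\explorer.exe", TEMP + r"\ahkrun.exe",
        f'"{TEMP}\\ahkrun.exe" C:\\Users\\alice\\AppData\\Roaming\\stage2.ahk'),
    rec(6008, EXCEL, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]

def parse_event(line):
    """Split a tab-separated Key=Value record into a dict."""
    return dict(part.partition("=")[::2] for part in line.split("\t"))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the detection reasons that apply to one record (empty if nothing matched)."""
    parent, image, cmd = basename(ev.get("ParentImage", "")), ev.get("Image", ""), ev.get("CommandLine", "")
    script = AHK_SCRIPT.search(cmd)
    runs_ahk = basename(image) in AHK_IMAGES or script is not None
    reasons = []
    if parent in OFFICE_APPS and runs_ahk:                 # macro handing off to the AHK compiler
        reasons.append("office_spawns_autohotkey")
    if runs_ahk and USER_WRITABLE.search(image):           # portable compiler dropped by the macro
        reasons.append("autohotkey_from_user_writable_path")
    if script and USER_WRITABLE.search(script.group(0)):   # client/stage scripts fetched from C&C
        reasons.append("ahk_script_in_user_writable_path")
    return reasons

def scan(lines):
    """Return (pid, image, reasons) for every flagged record; benign ones are dropped."""
    flagged = []
    for ev in map(parse_event, lines):
        if reasons := classify(ev):
            flagged.append((ev["ProcessId"], ev["Image"], reasons))
    return flagged
```

The legitimately installed AutoHotkey run from Program Files with a script under Documents (record 2204) produces no hit, while both the macro-spawned compiler and its later persisted run are flagged.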

Additional insights

  • What is unique about this stealer is that, instead of receiving instructions from the C&C server, it downloads and executes AHK scripts to carry out each task. This keeps the core components of the malware from being exposed publicly.
  • This design lets the attacker supply a custom script for a different task to each victim or group of victims, giving them fine-grained control over the malware.

Recent attacks using infostealers

  • In early December, a payment card skimmer group was found using the Raccoon infostealer to siphon off data.
  • In addition, a web skimmer hidden in social media buttons was discovered targeting e-commerce sites and online shoppers.

Conclusion

Using a scripting language allows cybercriminals to hide their intentions from sandboxes, making the attacks more sophisticated and deadly. Experts therefore suggest that organizations train their employees on the risks of macro-laced email attachments. It is also recommended to use reliable anti-malware software and to stay alert when opening emails from unknown senders.

Cyware Publisher
