AHK Bot
AHK Bot is an AutoHotkey-based modular post-exploitation malware used in campaigns attributed by Proofpoint to TA866 and also previously associated with Asylum Ambuscade. Proofpoint observed it as a follow-on payload in the TA866 “Screentime” activity cluster, which was active from October 2022 into 2023 and primarily targeted organizations in the United States, with some targeting in Germany, across multiple industries. TA866 campaigns were assessed as largely financially motivated and commonly began with email-delivered malicious attachments or URLs, including macro-enabled Publisher files, JavaScript downloads, PDFs containing URLs, and traffic routed through the 404 TDS. In later activity, Proofpoint also reported TA866 campaigns using invoice-themed emails with PDF attachments containing OneDrive links that led through JavaScript and MSI stages involving WasabiSeed and Screenshotter; prior TA866 campaigns had delivered AHK Bot and Rhadamanthys Stealer.
Within the observed infection chain, a JavaScript downloader installed an MSI containing the WasabiSeed VBS downloader, which established persistence and repeatedly polled command-and-control infrastructure for additional MSI payloads. TA866 used a dedicated Screenshotter payload to capture and exfiltrate desktop screenshots, and Proofpoint assessed the actor likely manually reviewed screenshots before making additional payloads available, including AHK Bot. Proofpoint observed AHK Bot in a December 20, 2022 campaign.
AHK Bot is written as AutoHotkey scripts and polls a hardcoded C2 server separate from WasabiSeed's, embedding the victim system's C: drive serial number in the URL path. Observed AHK Bot C2 endpoints included hxxp://89[.]208.105.255/%serial%-du2, hxxp://89[.]208.105.255/%serial%, and hxxp://89[.]208.105.255/download?path=e. Its documented components included a Domain Profiler that determined the infected machine's Active Directory domain and sent it to the C2, and a Stealer Loader that downloaded, decrypted, and executed a DLL in memory. In the observed case, that in-memory payload was Rhadamanthys Stealer, whose sample connected to moosdies[.]top. Proofpoint also noted Russian-language variable names and comments in parts of the AHK Bot code, and observed that payload availability aligned roughly with 2am to 2pm EST, suggesting an operator time zone of UTC+2 or UTC+3.
Cisco Talos later reported that PS1Bot, a PowerShell/C# malware framework active since early 2025, shares technical overlaps with AHK Bot. Talos described AHK Bot as malware previously used by Asylum Ambuscade and TA866. The capabilities directly described for AHK Bot in the reporting summarized here, with high confidence, are AutoHotkey-based modular operation, C2 polling keyed to the victim drive serial number, Active Directory domain profiling, and in-memory loading of Rhadamanthys Stealer.
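As an added defender-side example (not code from Proofpoint, Talos or the malware itself), the following Python flags proxy-log requests that match the reported AHK Bot C2 host and URL shapes above. The log line format, the sample serial values and the loose serial-number regex are assumptions; the page does not state the serial's format.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# AHK Bot C2 host from the Proofpoint reporting (defanged on the page as 89[.]208.105.255).
AHK_BOT_C2_HOST = "89.208.105.255"
# Reported endpoint shapes: /%serial%-du2, /%serial%, /download?path=e, where %serial%
# is the victim's C: drive serial number. The page does not state the serial's format,
# so a loose alphanumeric token is accepted here (assumption).
SERIAL_PATH = re.compile(r"^/(?P<serial>[0-9A-Za-z]{1,32})(?P<suffix>-du2)?$")

def classify_request(url: str) -> Optional[str]:
    """Label a URL that matches a reported AHK Bot C2 pattern; None if unrelated."""
    parts = urlsplit(url)
    if parts.hostname != AHK_BOT_C2_HOST:
        return None
    if parts.path == "/download" and parts.query == "path=e":
        return "ahkbot-c2-download"
    m = SERIAL_PATH.match(parts.path)
    if m:
        return "ahkbot-c2-serial-du2" if m.group("suffix") else "ahkbot-c2-serial"
    # Any other request to the C2 host is still worth a look.
    return "ahkbot-c2-host-only"

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, label) for each line hitting an AHK Bot C2 pattern.

    Expected line format (constructed for this example, not a real proxy format):
        <timestamp> <client_ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than abort the scan
        client_ip, url = fields[1], fields[3]
        label = classify_request(url)
        if label:
            hits.append((client_ip, url, label))
    return hits

# Constructed sample log lines; the serial values and client IPs are made up.
SAMPLE_LOG = [
    "2022-12-20T14:02:11Z 10.0.0.5 GET http://89.208.105.255/1234567890-du2 200",
    "2022-12-20T14:02:12Z 10.0.0.5 GET http://89.208.105.255/1234567890 404",
    "2022-12-20T14:05:40Z 10.0.0.5 GET http://89.208.105.255/download?path=e 200",
    "2022-12-20T14:06:03Z 10.0.0.7 GET http://example.com/1234567890-du2 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the three requests to the C2 host labelled by endpoint shape; the same-path request to an unrelated host is ignored.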
Groups observed using it
In some cases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.
Recent activity
AutoHotkey-based malware referenced as technically overlapping with PS1Bot; previously used by Asylum Ambuscade and TA866.
Mentioned as a prior follow-on payload delivered in earlier TA866 campaigns; no functional details provided in this content.
AutoHotkey-based modular bot/loader delivered via MSI; the initial 'Looper' polls the C2 for additional AHK modules (e.g., domain profiler, stealer loader) and executes them, enabling staged post-exploitation and in-memory payload loading.