AutoIt

AutoIt is a legitimate Windows automation/scripting interpreter that is frequently abused by threat actors as a malware execution wrapper or backdoor component. The provided reporting describes multiple campaigns in which attackers delivered a legitimate AutoIt binary together with a malicious embedded or external AutoIt script. Observed infection vectors include spear-phishing LNK files that execute malicious PowerShell, use a renamed copy of curl.exe to download payloads, and then register the downloaded AutoIt components in Windows Task Scheduler for persistence; and malware campaigns distributing UPX-packed or compiled AutoIt executables with embedded AutoIt3 scripts. Documented malicious capabilities of the AutoIt-based payloads include command execution, directory listing/search, file upload, and file download. In the Dropping Elephant (also known as Chinastrats/Patchwork) espionage campaign, an UPX-packed AutoIt backdoor was dropped after exploitation of Office vulnerabilities, then used to download additional components, upload basic system information, steal Google Chrome credentials, and beacon to C2 at regular intervals. AutoIt was also observed as an execution layer in a GitHub/Reddit/Discord-driven fake game-cheat campaign that ultimately assembled and executed Vidar 2.0. Reported targeting includes South Korea in APT spear-phishing activity and high-profile diplomatic and economic targets tied to China’s foreign relations. High-confidence indicators directly tied to the AutoIt abuse described include lure filenames such as NTS_환급계좌 등록 및 확인 안내.html.lnk, 2025년 중국 정세 회고와 전망.docx.lnk, 01_다큐멘터리 (임마누엘)제작기획서.pdf.lnk, Finished.pdf.lnk, 그 마을에 가고 싶다_시놉시스.hwp.lnk, 유튜브 캠페인 유료 파트너십 제안.docx.lnk, and 해외 순방 공연 협력 제안서.pdf.lnk.