
AutoIT3, a scripting language designed to automate Windows tasks, has long been a favorite for developers creating legitimate applications. Its appeal lies in its simplicity—resembling Basic—and its ability to compile scripts into standalone executables. However, this same feature has drawn the attention of cybercriminals for over a decade. While AutoIT3 may seem outdated, its flexibility and ease of compilation make it a potent tool for malware authors looking to bypass detection. Recently, a new wave of AutoIT3-based threats has emerged, leveraging built-in functions to deploy shellcode stealthily.
AutoIT3 Scripts as a Malware Delivery Tool
AutoIT3’s FileInstall() function, designed to embed files into scripts, has become a favored mechanism for attackers. This function allows a file to be included during script compilation, embedding it directly into the resulting PE file. When executed, these files are automatically written to the system’s temporary directory. This technique simplifies malware deployment, ensuring that malicious payloads are seamlessly unpacked on target machines without the need for external downloads.
A recent discovery illustrates this trend: a sample named ENQ-2548871-PO-AYPC-352-25-UN-01162.exe was delivered in a ZIP archive and flagged by VirusTotal with a score of 33/72. This script utilized FileInstall() to place a file named inhumation in %TEMP%, a subtle action that hides its true purpose. Obfuscation techniques were also employed, including simple character-shifting functions like LGYJSYH(), which parses strings by shifting ASCII values to conceal payload commands.
Obfuscation Techniques in Action
The LGYJSYH() function demonstrates how AutoIT scripts can obfuscate critical code. In essence, it subtracts 1 from each character's ASCII value, so strings are stored in shifted form and only reveal their true content when the function processes them. For example, the encoded string lfsofm43 resolves to kernel32 once deobfuscated, a core Windows library used to reach system-level functions. This level of obfuscation is minimal but effective against casual inspection, allowing malware to evade simple static analysis.
Shellcode Execution via Memory Injection
After unpacking, the malicious payload is loaded into memory. The script reads the file, decodes it, and allocates executable memory using Windows API functions like VirtualAlloc. The shellcode is then injected into this memory space and executed via CallWindowProc(). This approach avoids writing the executable directly to disk, enhancing stealth and reducing the likelihood of detection by traditional antivirus software.
Two notable samples using this method were identified:
ENQ-2548871-PO-AYPC-352-25-UN-01162.exe, which delivers a Quasar RAT.
ENQ_DB9002M_ORDER_M24093_2025.exe, delivering the Phantom stealer.
These examples highlight a growing trend of AutoIT3 scripts being used as malware droppers, with attackers exploiting legitimate features of the language to execute harmful actions quietly.
What Undercode Say:
AutoIT3’s resurgence in malware development illustrates a broader challenge in cybersecurity: how legitimate tools can be weaponized. The FileInstall() function, intended for embedding helper files, is now a vector for automated payload delivery. Its subtlety lies in the fact that files are embedded at compile time, allowing attackers to bypass runtime detection and deliver shellcode directly into memory.
From a technical standpoint, the combination of simple obfuscation and in-memory execution reduces visibility for security tools. Functions like LGYJSYH() are trivial but effective, creating an additional layer of complexity for analysts. Attackers leveraging such scripts benefit from AutoIT3’s minimal footprint and widespread compatibility across Windows environments.
Moreover, this trend signals a shift in attacker strategies. Instead of relying solely on phishing or external downloaders, AutoIT3 allows malware authors to use trusted scripting platforms to carry and execute malicious content. This complicates detection because behavioral indicators may appear legitimate at first glance. Analysts must therefore pay closer attention to scripting languages previously considered “safe” or obsolete, as attackers often repurpose them creatively.
The two recent samples highlight the versatility of this attack vector: one delivers a remote access trojan (RAT), the other a credential stealer. Both rely on memory injection rather than disk-based persistence, which minimizes traces left on the system. This indicates that stealth is prioritised over on-disk persistence in modern attacks, showing how attackers are adapting classic techniques to modern defenses.
Finally, monitoring AutoIT3 scripts should extend beyond signature-based detection. Analysts should consider heuristic methods, such as tracking calls to FileInstall(), VirtualAlloc(), and CallWindowProc(), as well as identifying common obfuscation patterns. Proactive measures and sandbox testing can reveal malicious behavior before deployment, mitigating risk for enterprise environments and individual users alike.
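As an added example (not code from the article or from the SANS diary it reports on), the following Python triage script covers both the LGYJSYH()-style character shift described earlier and the heuristics recommended here: it tokenises double-quoted string literals in decompiled AutoIT3 source, tries a few small shifts on each (the sample used -1; the others are an assumption to catch variants), and flags the FileInstall(), DllCall, VirtualAlloc and CallWindowProc indicators. The rule weights and the short fixture at the bottom are constructed for this example.

```python
import re

API_NAMES = {"kernel32", "user32", "virtualalloc", "callwindowproc"}  # expected after decoding
# Cleartext indicators with a weight each (rules and weights constructed for this example).
RULES = [
    ("FileInstall", 2, re.compile(r"\bFileInstall\s*\(", re.I)),
    ("DllCall", 1, re.compile(r"\bDllCall\s*\(", re.I)),
    ("Chr/Asc shift", 2, re.compile(r"Chr\s*\(\s*Asc\s*\(.*\)\s*[-+]\s*\d+", re.I)),
    ("@TempDir", 1, re.compile(r"@TempDir|%TEMP%", re.I)),
    ("VirtualAlloc", 3, re.compile(r"VirtualAlloc", re.I)),
    ("CallWindowProc", 3, re.compile(r"CallWindowProc", re.I)),
]
STRING_LITERAL = re.compile(r'"([^"]*)"')  # AutoIt double-quoted literals, in order

def shift_decode(s: str, shift: int = -1) -> str:
    """Undo LGYJSYH()-style encoding: move every code point by `shift` (-1 in the sample)."""
    return "".join(chr(ord(c) + shift) for c in s)

def decode_literals(line: str, shifts=(-1, 1, -2, 2)):
    """Return (literal, decoded, shift) for literals that decode to a known API/DLL name."""
    hits = []
    for lit in (l for l in STRING_LITERAL.findall(line) if len(l) >= 4):
        for sh in shifts:  # -1 is the shift seen in the sample; the rest are assumed variants
            dec = shift_decode(lit, sh)
            if dec.lower() in API_NAMES:
                hits.append((lit, dec, sh))
                break
    return hits

def scan_script(source: str):
    """Score decompiled AutoIT3 source; findings are (line_no, label) tuples."""
    findings, score = [], 0
    for no, line in enumerate(source.splitlines(), 1):
        for label, weight, rx in RULES:
            if rx.search(line):
                findings.append((no, label))
                score += weight
        for lit, dec, sh in decode_literals(line):  # shifted strings count as strong signal
            findings.append((no, f"shifted({sh}) {lit!r} -> {dec}"))
            score += 3
    return score, findings

# Constructed fixture imitating fragments of the decompiled dropper described in the article.
SAMPLE = """\
$o &= Chr(Asc(StringMid($s, $i, 1)) - 1)
FileInstall("inhumation", @TempDir & "\\inhumation")
$r = DllCall(LGYJSYH("lfsofm43"), "ptr", LGYJSYH("WjsuvbmBmmpd"))
DllCall(LGYJSYH("vtfs43"), "int", "CallWindowProc", $r[0])
"""
```

Run `scan_script(SAMPLE)` to get the score and the per-line findings; a higher score means more of the dropper pattern (embedded file, shifted API names, memory allocation and callback execution) is present in one script.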
🔍 Fact Checker Results:
✅ AutoIT3 can compile scripts into standalone executables.
✅ FileInstall() embeds files at compile time for AutoIT3 scripts.
❌ Claim that LGYJSYH() uses XOR operations: false; it uses ASCII character shifting.
📊 Prediction:
The use of AutoIT3 in malware campaigns is likely to increase subtly over the next year. Attackers will continue leveraging trusted scripting environments to evade detection, particularly by embedding shellcodes in PE files and executing them in memory. Enterprises should anticipate a rise in memory-based payloads, necessitating advanced heuristic monitoring and behavioral analysis tools. Detecting obfuscation and tracking embedded file operations will become essential in identifying these threats early, as traditional signature-based approaches may fail to catch sophisticated AutoIT3 attacks.
References:
Reported By: isc.sans.edu