Search results for .ahk | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems. At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs. "The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script," the researchers  noted . "This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the  FileInstall  command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions." AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enablin...

Threat actors have been discovered distributing a new credential stealer written in AutoHotkey (AHK) scripting language as part of an ongoing campaign that started early 2020. Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is an Indian banking firm ICICI Bank. AutoHotkey  is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro-creation and software automation that allows users to automate repetitive tasks in any Windows application. The multi-stage infection chain commences with a malware-laced Excel file that's embedded with a Visual Basic for Applications (VBA)  AutoOpen  macro, which is subsequently used to drop and execute the downloader client script ("adb.ahk") via a legitimate portable AHK...

The operators behind the Mekotio banking trojan have resurfaced with a shift in its infection flow so as to stay under the radar and evade security software, while staging nearly 100 attacks over the last three months. "One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection," researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks are said to primarily target victims located in Brazil, Chile, Mexico, Peru, and Spain. The development comes after Spanish law enforcement agencies in July 2021  arrested  16 individuals belonging to a criminal network in connection with operating Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe. The evolved version of the Mekotio malware strain is designed for compromising Windows systems wit...

Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. At a high level, the attack chain involves the use of FileFix to entice users into launching an initial payload that then proceeds to download seemingly innocuous images containing the malicious components from a Bitbucket repository. This allows the attackers to abuse the trust associated with a legitimate source code hosting platform to bypass detection. FileFix, first documented by security researcher mrd0x as a proof-of-concept (PoC) in June 2025, is a little different from ClickFix in that it eschews the need for us...

The threat actor known as  Asylum Ambuscade  has been observed straddling cybercrime and cyber espionage operations since at least early 2020. "It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe," ESET  said  in an analysis published Thursday. "Asylum Ambuscade also does espionage against government entities in Europe and Central Asia." Asylum Ambuscade was  first documented  by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region. The goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals. The attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either exploits V...

A previously unknown threat actor has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Enterprise security company Proofpoint, which is tracking the activity cluster under the name  Screentime , said the group, dubbed  TA866 , is likely financially motivated. "TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes," the company  assessed . Campaigns mounted by the adversary are said to have commenced around October 3, 2022, with the attacks launched via emails containing a booby-trapped attachment or URL that leads to malware. The attachments range from macro-laced Microsoft Publisher files to PDFs with URLs pointing to JavaScript files. The intrusions have also leveraged conversation hijacking to entice recipients into clicking on...

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz). That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware. Mekotio , known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials. First documented by ESET in August 2020, it's part of a tetrade of banking trojans targeting the region, such as Guildma, Javali, and Grandoreiro , the latter of which was dismantled by law enforcement earlier this year. "Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time. The malware operation suffered a blow in ...

Cybersecurity researchers have uncovered new variants of the  ChromeLoader  information-stealing malware, highlighting its evolving feature set in a short span of time. Primarily used for hijacking victims' browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites. ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it's fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll). The infections typically work by enticing unsuspecting users into downloading movie torrents or cracked video games through malvertising campaigns on pay-per-install sites and social media. Besides requesting invasive permissions to access browser data and manipulate web requests, it's also designed t...

A new variant of  AsyncRAT  malware dubbed  HotRat  is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. "HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data," Avast security researcher Martin a Milánek  said . The Czech cybersecurity firm said the trojan has been prevalent in the wild since at least in October 2022, with a majority of the infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attacks entail bundling the cracked software available online via torrent sites with a malicious AutoHotkey ( AHK ) script that initiates an infection chain designed to deactivate antivirus solutions on the compromised host and...

Cybersecurity researchers have discovered a new malvertising campaign that's designed to infect victims with a multi-stage malware framework called PS1Bot . "PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access," Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said . "PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk." Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share ...

The threat actor tracked as  TA866  has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter. The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. "The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset," the enterprise security firm  said . TA866 was  first documented  by the company in February 2023, attributing it to a campaign named Screentime that distributed WasabiSeed, a Visual Basic script dropper that's used to download Screenshotter, which is capable of taking screenshots of the victim's desktop at regular intervals of time and exfiltrating that data to an actor-controlled domain. ...