T1059.010 AutoHotKey & AutoIT
Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.[2][1]
Adversaries may use AHK (.ahk) and AutoIT (.au3) scripts to execute malicious code on a victim's system. For example, adversaries have used AHK to execute payloads and other modular malware such as keyloggers. Adversaries have also used custom AHK files containing embedded malware as phishing payloads.[3]
These scripts may also be compiled into self-contained executable payloads (.exe).[2][1]
| Item | Value |
|---|---|
| ID | T1059.010 |
| Sub-techniques | T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009, T1059.010, T1059.011, T1059.012, T1059.013 |
| Tactics | TA0002 |
| Platforms | Windows |
| Version | 1.1 |
| Created | 29 March 2024 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0087 | APT39 | APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.[10] |
| S1111 | DarkGate | DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as test.au3.[9] |
| S1213 | Lumma Stealer | Lumma Stealer has utilized AutoIt malware scripts and AutoIt executables.[5][4] |
| S0530 | Melcoz | Melcoz has been distributed through an AutoIt loader script.[6] |
| S1017 | OutSteel | OutSteel was developed using the AutoIT scripting language.[8] |
| S1207 | XLoader | XLoader can use an AutoIT script to decrypt a payload file, load it into victim memory, then execute it on the victim machine.[7] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Use application control to block execution of AutoIt3.exe, AutoHotkey.exe, and related components that are not required on a given system or network, preventing potential misuse by adversaries. |
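The mitigation above blocks the interpreters outright; where they must stay installed, the behaviours seen in the procedure examples (a script dropped to a temp directory, an interpreter launched from an Office document, a renamed AutoIt3.exe) can instead be flagged from process-creation telemetry. The following is an added example, not code from the ATT&CK page or any cited report; it assumes Sysmon-style event fields (Image, OriginalFileName, CommandLine, ParentImage), the 64-bit interpreter file names and the .a3x compiled-script extension, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Interpreter binaries named in M1038 plus 64-bit variants (variant names are assumed).
INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe", "autohotkey.exe",
                "autohotkey64.exe", "autohotkeyu64.exe"}
# .au3 and .ahk come from the technique text; .a3x (compiled AutoIt script) is assumed.
SCRIPT_RE = re.compile(
    r'"([^"\s][^"]*\.(?:au3|a3x|ahk))"|(\S+\.(?:au3|a3x|ahk))(?=\s|$)', re.IGNORECASE)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

@dataclass
class ProcEvent:
    image: str               # full path of the new process
    original_file_name: str  # PE OriginalFileName, as logged in Sysmon Event ID 1
    command_line: str
    parent_image: str

def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def assess(ev: ProcEvent) -> list[str]:
    """Return reasons the event matches T1059.010; more reasons means higher priority."""
    img, orig = _name(ev.image), ev.original_file_name.lower()
    if img not in INTERPRETERS and orig not in INTERPRETERS:
        return []                      # an editor opening a .ahk file is not execution
    m = SCRIPT_RE.search(ev.command_line)
    script = (m.group(1) or m.group(2)) if m else None
    reasons = []
    if script:
        reasons.append(f"interpreter {img} running script {script}")
        if any(d in script.lower() for d in USER_WRITABLE):
            reasons.append("script lives in a user-writable directory")
    if img != orig and orig in INTERPRETERS:
        reasons.append(f"renamed interpreter: {img} has OriginalFileName {orig}")
    if _name(ev.parent_image) in OFFICE:
        reasons.append(f"spawned by Office process {_name(ev.parent_image)}")
    return reasons

# Constructed sample events (not real telemetry): drop to %TEMP%, renamed interpreter from Word, admin script.
SAMPLES = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe", "AutoIt3.exe",
              r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\test.au3", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\ProgramData\svc\update.exe", "AutoIt3.exe", r"update.exe C:\ProgramData\svc\update.a3x",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe",
              r'AutoIt3.exe "C:\Program Files\Automation\build.au3"', r"C:\Windows\explorer.exe"),
]
```

The third sample still yields one reason, since a legitimately installed interpreter running a script is the baseline behaviour; the count of reasons, not a single match, is what separates it from the first two.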
References
1. AutoHotkey Foundation LLC. (n.d.). Using the Program. Retrieved March 29, 2024.
2. AutoIT. (n.d.). Running Scripts. Retrieved March 29, 2024.
3. Splunk Threat Research Team. (2024, January 17). Enter The Gates: An Analysis of the DarkGate AutoIt Loader. Retrieved March 29, 2024.
4. Cybereason Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
5. Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.
6. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
7. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
8. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
9. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
10. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.