Monday, May 19, 2025
HomeCyber AttackAutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers

AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers

Published on

SIEM as a Service

Follow Us on Google News

Trend Micro team has detected a malware’s command-and-control (C&C) servers that has been targeting the financial institutions in the US and Canada and determined that these come from the US, the Netherlands, and Sweden. It is believed that they have been using the scripting language AutoHotkey (AHK)

What is AutoHotkey (AHK)?

AHK is an open-source scripting language for Windows that aims to provide easy keyboard shortcuts or hotkeys, fast micro-creation, and software automation. AHK also allows users to create a “compiled” .EXE with their code in it.

Threat actors have used this scripting language that has no built-in compiler within a victim’s operating system, and which can’t be executed without its compiler or interpreter.

- Advertisement - Google News

How does the malware work?

The two critical roles in the infection are

  • The dropped adb.exe:

The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path.

  • adb.ahk:

AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system

The downloader client also creates an autorun link for adb.exe in the startup folder. This portable executable executes an AHK script with the same name in the same directory which is called as adb.ahk.

Then this script calls each user by generating a unique ID for each victim based on the volume serial number of the C drive. The malware then goes through an infinite loop and starts to send an HTTP GET request every five seconds with the generated ID.

This ID serves as the request path to its command-and-control (C&C) server to retrieve and execute the AHK script on an infected system.

For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL.

There are five C&C servers and two commands discovered here: deletecookies and passwords

Through the downloads a stealer is written in AHK which is responsible for harvesting credentials from various browsers and exfiltrating them to the attacker, which majorly targets Bank website addresses.

To precise the working, this malware infection consists of multiple stages that start with a malicious Excel file. If the user enables the macros to open the Excel file, VBA AutoOpen macro will then drop and execute the downloader client script via a legitimate portable AHK script compiler.

The downloader client is responsible for achieving persistence, profiling victims, and downloading and executing AHK script in a victim system. Instead of receiving commands from the C&C server, the malware downloads and executes the AHK script for different tasks.

The downloaded script is a stealer that targets various browsers such as Google Chrome, Opera, Edge, and more. The stealer collects and decrypts credentials from browsers and exfiltrates the information to the attacker’s server via an HTTP POST request.

Effects of malware attack

The main purpose of this malware is to steal credentials from various browsers such as Microsoft Edge, Google Chrome, Opera, Firefox, and Internet Explorer (IE).

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...

Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum Breachforums, will forfeit approximately...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...