Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication

LevelBlue analyzed a multi-stage infection chain that started with MicrosoftToolkit.exe, used script masquerading and AutoIt-based staging, and ended with communication tied to Vidar infrastructure. The activity included defense evasion, payload extraction, self-cleanup, and likely credential theft, with command-and-control traffic routed through public web services and DNS infrastructure.

Key points

  • The infection chain began with MicrosoftToolkit.exe, a commonly abused hack tool that spawned cmd.exe to start the next stage.
  • A disguised .dot file was renamed to a .bat script and executed, a file-extension masquerade intended to evade security controls.
  • The attack used tasklist and findstr for process discovery and possible security-tool identification before deeper payload staging.
  • Payload extraction was performed with extract32.exe, followed by execution of the AutoIt loader Replies.scr with an external argument.
  • Network activity from Replies.scr matched Vidar-associated infrastructure, indicating deployment of an information-stealing payload.
  • The malware used anti-analysis and defense-evasion behavior, including debugger checks, indicator removal, file deletion, and self-termination.
  • Observed communications included telegram.me, steamcommunity.com, and gz.technicalprorj.xyz, along with a Vidar-associated IP address.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The attack relied on the user running a hack tool to begin execution (‘User downloaded and executed MicrosoftToolkit.exe’ and ‘User executed microsofttoolkit.exe’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe was spawned to continue the staged execution (‘spawn of cmd.exe’).
  • [T1036] Masquerading – The attack renamed a .dot file to a .bat file to hide the true file type (‘Renaming and execution of swingers.dot as swingers.dot.bat’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Batch/script behavior was used to stage and run additional commands (‘renaming and execution of swingers.dot as swingers.dot.bat’).
  • [T1082] System Information Discovery – tasklist and findstr were used to enumerate running processes and identify security-related tooling (‘Process discovery (tasklist, findstr)’).
  • [T1027] Obfuscated Files or Information – Payloads were staged in disguised or embedded file formats, requiring extraction (‘Payload extraction via extract32.exe’ and ‘payload container format’).
  • [T1140] Deobfuscate/Decode Files or Information – extract32.exe was used to unpack the next-stage payload (‘Payload extraction via extract32.exe’).
  • [T1059] Command and Scripting Interpreter – Replies.scr executed scripted loader logic with an external parameter (‘Execution of replies.scr with parameter D’).
  • [T1218] Signed Binary Proxy Execution – The AutoIt-compiled .scr binary was abused as a loader to execute malicious logic (‘Execution of replies.scr’).
  • [T1027.005] Indicator Removal from Tools – The malware used staged and disguised components plus cleanup to reduce visibility (‘file-based staging’, ‘removal of execution artifacts’).
  • [T1562.001] Disable or Modify Security Tools – The malware attempted to identify and potentially disrupt security-related processes (‘attempts to identify security-related processes’).
  • [T1057] Process Discovery – tasklist and related checks were used to discover running processes (‘tasklist, findstr’).
  • [T1070.004] Indicator Removal on Host: File Deletion – The malware deleted dropped and staged files to erase traces (‘Deletion of dropped or staged files from the disk’).
  • [T1489] Service Stop – The malware terminated its own processes and other processes during cleanup (‘Termination of its own processes’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – ZwQueryInformationProcess was used to detect debugging and instrumentation callbacks (‘detect the presence of a debugger’ and ‘instrumentation callbacks’).
  • [T1105] Ingress Tool Transfer – The loader reconstructed and loaded a payload from a separate file into memory (‘reads it into memory for decryption and execution’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication used HTTP/HTTPS via WinINet and HTTP requests (‘InternetConnectA’, ‘HttpOpenRequestA’, ‘HttpSendRequestA’).
  • [T1573] Encrypted Channel – Communication occurred over HTTPS to hide traffic content (‘https[:]//telegram[.]me/…’).
  • [T1071.004] Application Layer Protocol: DNS – The malware used DNS resolution for dynamic infrastructure (‘DNS resolution for gz[.]technicalprorj[.]xyz via public DNS’).
  • [T1041] Exfiltration Over C2 Channel – Observed activity aligned with Vidar data theft over the C2 path (‘likely exfiltration of credentials, browser data’).
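A hunting query over process-creation telemetry that ties together the staged behaviours listed in the key points and in the MITRE mapping above (hack tool spawning cmd.exe, the .dot-to-.bat rename, tasklist/findstr under the script, extract32.exe staging, and the .scr loader run with an argument). This is an added example, not code from the LevelBlue report; the events, field names and rule names are this example's own, and the findstr and extract32 arguments are placeholders.

```python
import re

# Constructed sample process-creation events modelled on the chain above; field names are this example's own.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\MicrosoftToolkit.exe",
     "cmd": "MicrosoftToolkit.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c ren swingers.dot swingers.dot.bat & swingers.dot.bat"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\findstr.exe",
     "cmd": "findstr /I PLACEHOLDER_PROCESS_NAME"},  # placeholder argument
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\System32\extract32.exe",
     "cmd": "extract32.exe container.dat Replies.scr"},  # constructed arguments
    {"pid": 105, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\Replies.scr",
     "cmd": "Replies.scr D"},
    {"pid": 201, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},  # benign noise
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule sees an event and its parent (None if unknown) and returns True on a hit.
RULES = {
    "hacktool_spawns_cmd": lambda ev, p: p is not None
        and _name(p["image"]) == "microsofttoolkit.exe" and _name(ev["image"]) == "cmd.exe",
    "double_extension_script": lambda ev, p: re.search(r"\S+\.[a-z]{2,4}\.(?:bat|cmd)\b", ev["cmd"], re.I) is not None,
    "discovery_under_cmd": lambda ev, p: p is not None and _name(p["image"]) == "cmd.exe"
        and _name(ev["image"]) in ("tasklist.exe", "findstr.exe"),
    "extract32_staging": lambda ev, p: _name(ev["image"]) == "extract32.exe",
    "scr_with_argument": lambda ev, p: _name(ev["image"]).endswith(".scr")
        and len(ev["cmd"].split()) > 1,
}

def hunt(events):
    """Return {root_pid: [rule names]} keyed by each event's top-most ancestor, so one chain is scored as a whole."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev, by_pid.get(ev["ppid"]))]
        if fired:
            root = ev
            while root["ppid"] in by_pid:  # walk up to the first process without a known parent
                root = by_pid[root["ppid"]]
            hits.setdefault(root["pid"], set()).update(fired)
    return {pid: sorted(tags) for pid, tags in hits.items()}

def suspicious_roots(events, threshold=3):
    """Root processes whose tree tripped at least `threshold` distinct rules."""
    return sorted(pid for pid, tags in hunt(events).items() if len(tags) >= threshold)
```

Scoring per root process rather than per event is what lets the individually low-signal stages (a cmd.exe child, a tasklist call) add up to a confident alert.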

Indicators of Compromise

  • [SHA-256] Malware samples and staged payloads – fc27479ff929d846e7c5c5d147479c81e483a2ec911bd1501a53aa646a29620d, d4fe9f48178cdf375a3be30d17f1dc016b5861dff8683f0bb35a0ba8d44f892f, and 3 more hashes
  • [File names] Dropped/executed files seen in the chain – MicrosoftToolkit.exe, swingers.dot.bat, and 3 more files
  • [IP address] Vidar-associated C2 infrastructure – 149.154.167[.]99
  • [Domain names] C2 and related network destinations – telegram[.]me, gz[.]technicalprorj[.]xyz
  • [URL paths] Observed request targets used in C2 communication – /sre22qe, /profiles/76561198777118079
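A small sweep that refangs the network indicators listed above and matches them against DNS and proxy logs, matching hostnames and IPs on token boundaries and URL paths after parsing rather than by raw substring. This is an added example, not part of the LevelBlue report; the log lines are constructed, and the non-indicator addresses use documentation ranges.

```python
import re
from urllib.parse import urlparse

# Network indicators copied from the list above in their defanged form.
IOC_DOMAINS = ["telegram[.]me", "gz[.]technicalprorj[.]xyz"]
IOC_IPS = ["149.154.167[.]99"]
IOC_PATHS = ["/sre22qe", "/profiles/76561198777118079"]

def refang(ioc):
    """Undo the usual bracket defanging so the value can be matched against logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Constructed DNS/proxy log lines for this example (not from the report).
LOG_LINES = [
    "2024-01-01T10:00:01Z dns host=WS01 qname=gz.technicalprorj.xyz rcode=NOERROR",
    "2024-01-01T10:00:02Z proxy host=WS01 dst=149.154.167.99 url=https://telegram.me/sre22qe",
    "2024-01-01T10:00:03Z proxy host=WS01 dst=203.0.113.5 url=https://steamcommunity.com/profiles/76561198777118079",
    "2024-01-01T10:00:04Z proxy host=WS02 dst=198.51.100.7 url=https://example.com/index.html",
]

def match_line(line):
    """Return (type, indicator) pairs found in one line. Hosts and IPs are matched as
    whole tokens, so telegram.me does not fire on notelegram.me or telegram.me.example."""
    found = []
    for d in IOC_DOMAINS:
        if re.search(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w.-])", line):
            found.append(("domain", d))
    for ip in IOC_IPS:
        if re.search(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])", line):
            found.append(("ip", ip))
    url = re.search(r"url=(\S+)", line)
    if url:
        path = urlparse(url.group(1)).path  # compare the parsed path, not the raw URL string
        found.extend(("url_path", p) for p in IOC_PATHS if path == p)
    return found

def scan(lines):
    """Map each host to the sorted indicators it touched, for triage."""
    hits = {}
    for line in lines:
        found = match_line(line)
        host = re.search(r"host=(\S+)", line)
        if found and host:
            hits.setdefault(host.group(1), set()).update(found)
    return {h: sorted(v) for h, v in hits.items()}
```

The Steam profile path fires even though steamcommunity.com is not in the domain list, which is why path indicators are worth keeping separate from host indicators.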
Read more: https://www.levelblue.com/blogs/spiderlabs-blog/unmasking-a-multi-stage-loader-autoit-abuse-leading-to-vidar-stealer-command-and-control-communication