How to uncover a Horabot campaign and detect this malware

This report details the discovery and analysis of a Horabot malware campaign targeting primarily Mexican users. The attack chain begins with a fake CAPTCHA page leading to multiple stages of obfuscated scripts, ultimately delivering an AutoIT loader and a Delphi-based banking Trojan. The malware employs sophisticated encryption techniques, anti-VM checks, and a custom protocol for C2 communication. It also includes a spreader component written in PowerShell that harvests and exfiltrates email addresses to distribute phishing emails. The analysis reveals Brazilian Portuguese comments in the code, suggesting the threat actor's origin. The report provides detection opportunities including YARA rules and hunting queries to identify this threat.

Pulse ID: 69ba893ac080b945c5abb563
Pulse Link: https://otx.alienvault.com/pulse/69ba893ac080b945c5abb563
Pulse Author: AlienVault
Created: 2026-03-18 11:15:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Bank #BankingTrojan #Brazil #CAPTCHA #CyberSecurity #Delphi #Email #Encryption #InfoSec #Malware #Mexican #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Trojan #bot #AlienVault


My co-author is DeepSeek

This article is about my experience collaborating with DeepSeek on developing some small projects in various programming languages. I had written in these languages before, but without the help of AI.

https://habr.com/ru/articles/1010138/

#искусственный_интеллект #autoit #lua #cи #gsm

AutoIt v3.3.18.0 Released autoitscript.com/site/autoit-n… #AutoIT
AutoIt v3.3.18.0 Released - AutoIt

Overview: AutoIt v3.3.18.0 has been released. Thanks to everyone involved in creating this release and everyone who continues to download and support AutoIt. Please use the forum to discuss any technical issues with AutoIt. History: please see these pages for release notes and any important changes to be aware of in this version.
"경찰청과 국가인권위를 사칭한 Konni APT 캠페인 분석" published by Genians. #AutoIt, #Konni, #LNK, #DPRK, #CTI https://www.genians.co.kr/blog/threat_intelligence/konni_disguise
Analysis of a Konni APT campaign impersonating the Korean National Police Agency and the National Human Rights Commission

This APT attack used not only the method of carrying out the attack from the initial stage, but also a conversational attack tactic in which non-executable malware is delivered after a period of communication. In particular, LNK shortcut files and AutoIT scripts were used, and Windows Installer-type malicious files were also captured.

"APT Group - Konni Launches New Attacks on South Korea" published by ThreatBook. #Konni, #AutoIt, #LNK, #DPRK, #CTI https://threatbook.io/blog/APT-Group---Konni-Launches-New-Attacks-on-South-Korea

"Threat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script" published by S2W. #LINKON, #AutoIt, #puNK-003, #CURKON, #LNK, #LilithRAT, #DPRK, #CTI https://medium.com/s2wblog/threat-tracking-analysis-of-punk-003s-lilith-rat-ported-to-autoit-script-30dd59e68213
Threat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script

On April 24, 2024, S2W's threat research and intelligence center TALON discovered and analyzed LNK malware disguised as a list of supporting documents related to a tax evasion report. When executed, the discovered LNK file drops and displays a decoy document embedded inside the file, and downloads and executes additional files from a hard-coded attacker server. The downloaded file is malicious…
"AutoIt 활용 방어 회피 전술의 코니 APT 캠페인 분석" published by Genians. #AutoIt, #LNK, #Konni, #CTI, #OSINT, #LAZARUS https://www.genians.co.kr/blog/threat_intelligence/autoit
Analysis of a Konni APT campaign using AutoIt defense-evasion tactics

APT attacks via AutoIt that approach by impersonating government agencies are continuing. Early detection through EDR and active response are needed.

And now the prize question:
Why on earth did I use "AutoIT" for all this junk, which I consider a great tool but actually the wrong tool for this task?

For the most important reason in tool selection: I know how to use it.

9/9

#programmieren #AutoIT #VM #storytime

"Konni组织针对虚拟货币行业投递AutoIt恶意软件" published by Qianxin. #AutoIt, #LNK, #Konni, #CTI, #OSINT, #LAZARUS https://zhuanlan.zhihu.com/p/689051421
Konni group delivers AutoIt malware targeting the cryptocurrency industry

Group background: Konni was first disclosed by the Cisco Talos team in 2017 as a type of remote-access Trojan; its activity dates back to 2014, and its attack targets include Russia and South Korea. In 2018, Palo Alto found that this malware is linked to APT37 (aliases Reaper, Group123, ScarCruft)…
"Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)" published by Ahnlab. #AutoIt, #RftRAT, #Kimsuky, #Amadey, #CTI, #OSINT, #LAZARUS https://asec.ahnlab.com/en/59590/
Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey) - ASEC BLOG
