Anonymous Intelligence Signal

AutoIt Loader Linked to Vidar Stealer C2 Infrastructure in Multi-Stage Evasion Attack

human The Lab unverified 2026-05-11 21:18:30 Source: Mastodon:mastodon.social:#infosec

Security researchers have uncovered a sophisticated multi-stage infection chain leveraging AutoIt-compiled loaders to establish command-and-control communication with infrastructure tied to Vidar Stealer, a known credential-harvesting malware. The attack chain, identified through proactive threat hunting, began with the execution of MicrosoftToolkit.exe—a commonly abused hack tool—and demonstrates advanced evasion techniques designed to bypass endpoint defenses.

The initial stage employed file masquerading, renaming a .dot file to .bat format to obscure its true purpose. Once inside the target environment, the malware performed process discovery and systematically terminated security-related processes before extracting additional payloads using extract32.exe. An AutoIt-compiled executable, identified as Replies.scr, functioned as the primary loader. This component processed an external encrypted payload and connected to Vidar Stealer command-and-control infrastructure. The malware exhibited advanced anti-analysis capabilities, including debugger detection and instrumentation callback queries, making forensic analysis significantly more difficult.
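A hunting rule over process-creation telemetry for the chain described above, added here as an example rather than the researchers' own tooling; the event field names, the security-process list and the sample events are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Assumed names of endpoint-security processes a loader might terminate.
SECURITY_PROCS = {"msmpeng.exe", "mbamservice.exe", "avp.exe"}

# Constructed process-creation events (not from the report); field names are assumed.
EVENTS = [
    {"host": "ws01", "ts": 100, "image": r"C:\Tools\MicrosoftToolkit.exe", "parent": "explorer.exe", "cmdline": "MicrosoftToolkit.exe"},
    {"host": "ws01", "ts": 101, "image": r"C:\Windows\System32\cmd.exe", "parent": "MicrosoftToolkit.exe", "cmdline": "cmd /c ren setup.dot setup.bat & setup.bat"},
    {"host": "ws01", "ts": 102, "image": r"C:\Windows\System32\taskkill.exe", "parent": "cmd.exe", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"host": "ws01", "ts": 103, "image": r"C:\Windows\System32\extract32.exe", "parent": "cmd.exe", "cmdline": "extract32.exe payload.cab"},
    {"host": "ws01", "ts": 104, "image": r"C:\Users\Public\Replies.scr", "parent": "cmd.exe", "cmdline": "Replies.scr"},
    {"host": "ws02", "ts": 200, "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe", "cmdline": "cmd /c dir"},
    {"host": "ws02", "ts": 201, "image": r"C:\Windows\System32\taskkill.exe", "parent": "cmd.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]

def stage_of(ev):
    """Map one event to a stage number of the described chain, or None."""
    image = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    if image == "microsofttoolkit.exe":
        return 1  # hack tool execution
    if image == "cmd.exe" and "ren " in cmd and ".dot" in cmd and ".bat" in cmd:
        return 2  # .dot renamed to .bat (file masquerading)
    if image == "taskkill.exe" and any(p in cmd for p in SECURITY_PROCS):
        return 3  # termination of security-related processes
    if image == "extract32.exe":
        return 4  # payload extraction
    if image.endswith(".scr") and ev["parent"].lower() in {"cmd.exe", "extract32.exe"}:
        return 5  # .scr loader spawned from the script stage
    return None

def hunt(events, min_stages=3, window=600):
    """Return {host: sorted stages} for hosts where at least min_stages distinct
    stages fire within `window` seconds of each other."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage_of(ev)
        if s is not None:
            per_host[ev["host"]].append((ev["ts"], s))
    hits = {}
    for host, seen in per_host.items():
        for i, (t0, _) in enumerate(seen):
            stages = sorted({s for t, s in seen[i:] if t - t0 <= window})
            if len(stages) >= min_stages:
                hits[host] = stages
                break
    return hits
```

Requiring several distinct stages in a short window keeps a lone taskkill or extract32.exe launch from paging anyone, while still surfacing the full sequence on ws01.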

The final payload targeted a wide range of sensitive data: browser credentials, system information, and cryptocurrency wallets. Post-execution cleanup routines were deployed to delete artifacts and reduce forensic traces. The attack underscores the continued abuse of legitimate scripting frameworks like AutoIt by threat actors to obfuscate malicious activity, and highlights the persistent threat posed by credential-stealing malware families operating through multi-stage delivery mechanisms.