Researchers have discovered a sophisticated malware campaign targeting Windows systems by using multiple layers of AutoIT code to deliver a Remote Access Trojan (RAT).
The attack begins with an executable file named “1. Project”, which initiates a complex infection chain. This chain is designed to avoid detection and maintain long-term access to the infected system.
How the Malware Works
AutoIT is a legitimate scripting language for Windows automation, and its interpreter is a widely deployed binary that blends in with ordinary administrative tooling. In this campaign the threat actors weaponized it to interact deeply with Windows components and split the logic across several script layers, which makes the chain harder to analyze and to catch with a single signature.
The initial executable connects to a command and control (C2) server at (de-fanged, as published in the report):
hxxps://xcvbsfq32e42313[.]xyz
It also creates several files on the victim's machine, including:
- A PowerShell script at C:\Users\Public\PublicProfile.ps1
- An additional AutoIT script named Secure.au3
C:\Users\Public is writable by every local user and is a common staging directory for droppers, so scripts appearing there are worth alerting on in their own right.
These components work together to ensure persistence, evade antivirus tools, and enable remote control of the system.
Multi-Stage Infection Process
According to a report from the SANS Technology Institute, the campaign was identified on May 19, 2025. The malware uses a layered, modular structure, making each component independently updatable and highly adaptable.
The second-stage AutoIT script, Secure.au3, is executed by a file called SwiftWrite.pif, which acts as the AutoIT interpreter for the script. The .pif extension is a legacy Program Information File format that Windows still executes like an .exe, so an interpreter renamed this way slips past checks that only look for .exe launches.
Advanced Obfuscation and Antivirus Evasion
The second-layer script is heavily obfuscated. It includes a custom string decoder function called “Wales” that hides malicious content until it is needed during execution.
This script also checks for security software: specifically, it looks for the process avastui.exe to detect whether Avast antivirus is running.
Final Payload Execution
In the last stage of the attack, the malware launches jsc.exe, the JScript compiler that ships with the .NET Framework, and injects a malicious DLL named Urshqbgpm.dll into it. Running the payload inside a signed Microsoft binary gives its network activity a trusted-looking parent process.
The injected DLL attempts to connect back to the attacker's C2 server, completing the infection chain and giving the attacker remote access to the compromised system.
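The indicators and behaviours above (the dropped files, the .pif interpreter running an .au3 script, jsc.exe being spawned and injected, and the C2 domain) map directly onto process, file, image-load, remote-thread and network telemetry. The script below is an added example, not code from the report or the article: it triages a small set of constructed Sysmon-style events against those indicators. The event records, the simplified field names, the stock interpreter names and the "1. Project.exe" extension are all assumptions made for the example.

```python
"""Hunt for the multi-layer AutoIT chain in Sysmon-style telemetry.

Added example. Indicators come from the write-up; the events are constructed,
and the fields (kind, image, target, parent, cmdline) are a simplified stand-in
for Sysmon's Image/ParentImage/CommandLine/TargetFilename/ImageLoaded/
TargetImage/DestinationHostname.
"""
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator (hxxps://x[.]y) back into a matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def hostname(url: str) -> str:
    """Extract the host from a URL, or return a bare host unchanged."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit("@", 1)[-1].split(":", 1)[0].lower()


# Indicators from the report (C2 stored as published, then re-fanged).
C2_DOMAIN = hostname(refang("hxxps://xcvbsfq32e42313[.]xyz"))
DROPPED_PATHS = {r"c:\users\public\publicprofile.ps1"}
DROPPED_NAMES = {"secure.au3", "swiftwrite.pif", "urshqbgpm.dll"}
INJECTION_TARGET = "jsc.exe"  # legitimate .NET Framework JScript compiler
AUTOIT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}  # assumed stock names


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Event:
    kind: str          # process | file | imageload | inject | network
    image: str         # acting process (Sysmon Image / SourceImage)
    target: str = ""   # file written, DLL loaded, injected process or host
    parent: str = ""   # ParentImage for process events
    cmdline: str = ""  # CommandLine for process events


def match(ev: Event) -> list[str]:
    """Return the names of every rule the event satisfies (empty if benign)."""
    rules = []
    img, tgt = basename(ev.image), ev.target.lower()
    if ev.kind == "process":
        # .pif is a legacy extension Windows executes like an .exe; one being
        # handed an .au3 script is the renamed-interpreter stager behaviour.
        if img.endswith(".pif") and ".au3" in ev.cmdline.lower():
            rules.append("pif_runs_au3")
        # jsc.exe spawned by an AutoIT interpreter (stock or renamed) is the
        # injection host the report describes.
        parent = basename(ev.parent)
        if img == INJECTION_TARGET and (parent.endswith(".pif") or parent in AUTOIT_INTERPRETERS):
            rules.append("jsc_spawned_by_autoit")
    elif ev.kind == "file":
        if tgt in DROPPED_PATHS or basename(tgt) in DROPPED_NAMES:
            rules.append("known_dropped_file")
        elif tgt.startswith("c:\\users\\public\\") and tgt.endswith((".ps1", ".au3", ".pif")):
            rules.append("script_written_to_public_profile")
    elif ev.kind == "imageload":
        if img == INJECTION_TARGET and basename(tgt) in DROPPED_NAMES:
            rules.append("malicious_dll_in_jsc")
    elif ev.kind == "inject":
        if basename(tgt) == INJECTION_TARGET:
            rules.append("remote_thread_into_jsc")
    elif ev.kind == "network":
        host = hostname(tgt)
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            rules.append("c2_contact")
    return rules


def triage(events: list[Event]) -> dict[str, list[int]]:
    """Map each fired rule to the indices of the events that fired it."""
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in match(ev):
            hits.setdefault(rule, []).append(i)
    return hits


PUBLIC = r"C:\Users\Public"
JSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
DROPPER = r"C:\Users\bob\Downloads\1. Project.exe"  # .exe extension assumed

SAMPLE_EVENTS = [  # constructed, in rough chain order
    Event("file", DROPPER, target=PUBLIC + r"\PublicProfile.ps1"),                    # 0
    Event("file", DROPPER, target=PUBLIC + r"\Secure.au3"),                           # 1
    Event("process", PUBLIC + r"\SwiftWrite.pif", parent=DROPPER,
          cmdline=f'"{PUBLIC}\\SwiftWrite.pif" "{PUBLIC}\\Secure.au3"'),               # 2
    Event("process", JSC, parent=PUBLIC + r"\SwiftWrite.pif", cmdline=f'"{JSC}"'),    # 3
    Event("inject", PUBLIC + r"\SwiftWrite.pif", target=JSC),                         # 4
    Event("imageload", JSC, target=PUBLIC + r"\Urshqbgpm.dll"),                       # 5
    Event("network", JSC, target="xcvbsfq32e42313.xyz"),                              # 6
    # benign noise that must not fire
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),  # 7
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe", target="www.example.com"),                      # 8
    Event("file", r"C:\Windows\explorer.exe", target=PUBLIC + r"\Documents\notes.txt"),                                # 9
]

if __name__ == "__main__":
    for rule, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule:34s} events {idx}")
```

The behavioural rules (a .pif running an .au3, jsc.exe with an interpreter parent, a remote thread into jsc.exe) will keep firing after the attacker rotates file names and the C2 domain; the name and domain matches are there for retro-hunting against the published indicators.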
Security Implications
This campaign shows how threat actors keep evolving their techniques with modular, script-based malware. The use of AutoIT and PowerShell underlines the need to monitor scripting activity: interpreters launched under unusual names or extensions such as .pif, scripts written to shared locations like C:\Users\Public, and signed system binaries such as jsc.exe making outbound connections are all detection points that survive a change of file names or C2 domain.