Vidar infection chain | Image: LevelBlue
Threat actors are increasingly abandoning loud, easily identifiable malware in favor of subtle, script-based deceptions. A new forensic deep-dive from LevelBlue has deconstructed a sophisticated, multi-stage infection chain that leverages Windows-native tools to deliver the notorious Vidar Stealer.
The attack begins with a classic piece of social engineering: the execution of MicrosoftToolkit.exe, a widely pirated and commonly abused utility. Once launched, the toolkit acts as a Trojan horse, spawning a command shell to initiate the next, more sinister stage of the infection.
To bypass security filters that monitor for executable attachments, the attackers employed a clever “file extension masquerading” trick. A disguised file named Swingers.dot was silently renamed to a .bat script and executed on the host. This simple rename allows the malicious logic to hide in plain sight as a seemingly benign document template.
At the heart of the campaign is AutoIt, a legitimate Windows scripting language designed for automating routine system tasks. While indispensable for sysadmins, threat actors frequently abuse it to create compiled scripts that can “execute malicious code, load encrypted payloads, and evade traditional security detection”.
In this specific incident, the researchers identified an AutoIt-compiled script named Replies.scr acting as a stealthy loader.
“Because AutoIt executables resemble normal applications, they are often used as stealthy loaders in multi-stage attacks,” the analysis explains.
This loader dynamically reconstructs and executes its payload using other native Windows utilities, such as extract32.exe, ensuring the attacker “avoids dropping a single identifiable malware binary” on the disk.
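Process-creation telemetry is the natural place to catch this chain. What follows is an added example, not code from LevelBlue's report: three lineage and command-line rules run over constructed Sysmon-style events, flagging a shell spawned by MicrosoftToolkit.exe, a document-to-script rename such as Swingers.dot to .bat, and a .scr loader spawning a rebuild utility. The event field names, the rename syntax and the rebuild-utility list are assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Document-looking extensions and the script extensions they may be renamed to.
DOC_EXTS = r"(?:dot|dotx|doc|docx|pdf|txt|rtf)"
SCRIPT_EXTS = r"(?:bat|cmd|vbs|js|ps1|hta)"
# Matches 'ren X.dot Y.bat' style masquerading inside a command line (case-insensitive).
RENAME_RE = re.compile(
    rf'\b(?:ren|rename|move|mv)\b\s+"?\S+\.{DOC_EXTS}"?\s+"?\S+\.{SCRIPT_EXTS}\b', re.I)
# Native utilities a loader may use to rebuild its payload; extract32.exe is the
# name given in the report, expand.exe is an assumed addition.
REBUILD_UTILS = {"extract32.exe", "expand.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for process-creation events matching the chain."""
    hits: List[Tuple[str, int]] = []
    for e in events:
        img, parent = basename(str(e["image"])), basename(str(e["parent_image"]))
        cmd = str(e["cmdline"])
        if img == "cmd.exe" and parent == "microsofttoolkit.exe":
            hits.append(("shell_from_pirated_activator", int(e["pid"])))
        if RENAME_RE.search(cmd):
            hits.append(("doc_to_script_rename", int(e["pid"])))
        if parent.endswith(".scr") and img in REBUILD_UTILS:
            hits.append(("scr_loader_spawns_rebuild_util", int(e["pid"])))
    return hits

# Constructed sample events (not from the report); the last one is benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 100, "image": r"C:\Users\alice\Downloads\MicrosoftToolkit.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "MicrosoftToolkit.exe"},
    {"pid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\MicrosoftToolkit.exe",
     "cmdline": 'cmd.exe /c ren "Swingers.dot" Swingers.bat && Swingers.bat'},
    {"pid": 102, "image": r"C:\Users\alice\AppData\Local\Temp\Replies.scr",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "Replies.scr"},
    {"pid": 103, "image": r"C:\Windows\System32\extract32.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\Replies.scr",
     "cmdline": "extract32.exe /Y payload.cab"},
    {"pid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c ren report.dot report.dotx"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule alone is noisy on a real fleet; the value is in correlating two or more of them within one process tree.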
Once the AutoIt loader successfully bypasses the perimeter, it establishes outbound communication with infrastructure associated with the Vidar Stealer. Vidar is a “commodity stealer” known for its ruthless efficiency in harvesting a victim’s entire digital identity.
Confirmed targets for exfiltration include:
- Browser-stored credentials and session cookies
- Cryptocurrency wallets
- Sensitive system and user data
The presence of active command-and-control (C2) communication indicates a “high risk of data compromise” for any infected system.
The malware includes “self-cleanup behavior” designed to delete malicious artifacts immediately after execution.
According to the LevelBlue researchers, “The observed self-cleanup behavior further complicates forensic analysis and may hinder traditional incident response efforts.”