{
	"id": "5c653183-d107-4970-80d7-240232ede813",
	"created_at": "2026-04-06T00:14:40.38716Z",
	"updated_at": "2026-04-10T03:20:58.687345Z",
	"deleted_at": null,
	"sha1_hash": "2c22b0e2dc5303ff4544d010c60943c0621a523d",
	"title": "AHK RAT Loader Used in Unique Delivery Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3216929,
	"plain_text": "AHK RAT Loader Used in Unique Delivery Campaigns\r\nBy Arnold Osipov\r\nArchived: 2026-04-05 20:20:31 UTC\r\nThe Morphisec Labs team has been tracking an ongoing RAT delivery campaign that started in February this year. This campaign is unique in its heavy use of the AutoHotKey scripting language—a fork of the AutoIt language frequently used for testing purposes.\r\nStarting in February, we identified at least four versions of the RAT delivery campaign, each of which includes multiple advancements and adaptations over the past three months.\r\nIn this blog post, we dive into the details of each attack chain, highlighting interesting and rare techniques the attackers use, including:\r\nManifest flow hijack through VbsEdit manipulation\r\nUAC bypass\r\nEmulator bypass\r\nTampering with Microsoft Defender and other antivirus products\r\nIn-place compilation\r\nDelivery through text share services\r\nTechnical Details\r\nThe RAT delivery campaign starts from an AutoHotKey compiled script. This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.\r\nhttps://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns\r\nPage 1 of 16\r\nFigure 1: Malicious scripts alongside legitimate executables\r\nWe observed various RATs distributed via a simple AHK compiled script. We also identified several attack chains linked to this campaign, all of which start with an AHK executable that leads to the different VBScripts that eventually load the RAT. 
In this blog, we are going to cover the technical details for each of the observed attack chains shown in the figure below.\r\nFigure 2: Possible attack chains.\r\nVjW0rm/Houdini chain\r\nThe attack chain that delivers the VjW0rm and Houdini RAT is the first one we saw using this loader. This attack chain was first used in February 2021 and is still in use as of today. We observed several changes over time, which we describe below:\r\nVersion 1\r\nFirst seen: February 17, 2021\r\nHash: 40e8b99b36739c397f8f0da2ab40f62b3af3da8b3f43fc2537841a9bf9105584\r\nFigure 3: The first version of the AHK script\r\nFirst, the AHK script drops a legitimate application to the %appdata% directory and executes it. Next, it drops two files into the %programdata% directory. The first file is called conhost.exe and the second file is called conhost.exe.manifest (the malicious manifest). Then the script executes the legitimate conhost.exe application, which leads to the execution of the malicious manifest through a path hijack.\r\nThose files are the output of a tool called VbsEdit. The attacker uses VbsEdit to convert the VjW0rm and Houdini VBScript into an executable.\r\nFigure 4: The VbsEdit tool used to convert the script\r\nThe tool creates a manifest (XML) file that holds the base64-encoded VBScript and information about how to execute the script. This manifest file needs to be located alongside the launcher (called conhost.exe). 
The launcher itself is a legitimate tool without any detections in VirusTotal.\r\nFigure 5: The manifest file\r\nVersion 2\r\nFirst seen: March 31, 2021\r\nHash: 825be2ef1143b610633150d7f2bbd5189a3e5939c21a6056283106069c7bc313\r\nIn this version, the attacker wrapped the dropped RAT with an additional AHK executable. They also added the ability to disable Microsoft Defender by dropping a Batch script and an LNK file pointing to that script.\r\nFigure 6: Added the ability to disable Defender\r\nWhen the LNK file is executed, the Batch script runs several PowerShell commands.\r\nFigure 7: The script used to disable Defender\r\nThe commands download a known hacking tool that disables Defender (DefenderControl.exe v1.7) through an additional PowerShell script that performs a known Disk Cleanup UAC bypass technique. This bypass allows the attacker to gain the higher privileges necessary to disable Microsoft Defender (assuming the user is also an administrator).\r\nFigure 8: Disk Cleanup UAC bypass\r\nOnce Defender has been disabled, the AHK script drops an additional AHK executable (CONHOSTHOST.exe). This AHK executable utilizes the VBS launcher technique shown in previous versions.\r\nFigure 9: The second AHK executable.\r\nVersion 3\r\nFirst seen: April 8, 2021\r\nHash: 16142a05c08de5cc69c1fb13924df2861e81b48e5ca5e0ef3f71684cfa3aeb55\r\nTwo more capabilities were added in this version:\r\nThe first drops and executes a VBScript that blocks connections to popular antivirus solutions by manipulating the victim’s C:\\Windows\\System32\\drivers\\etc\\hosts file. 
This manipulation denies DNS resolution for those domains by resolving them to the localhost IP address instead of the real one.\r\nFigure 10: The data written to the hosts file.\r\nThe second drops and executes a VBScript that terminates wscript.exe processes to clean up traces of a failed attempt to run the previous VBScript.\r\nVersion 4\r\nFirst seen: May 2, 2021\r\nHash: fb63eea2503686f90c4c2ec9a74407a2d5a1211e8a1566ae1da63f0d1d9e2cad\r\nIn this version, the attacker added directory-creation spamming that creates around 10 directories and subdirectories, then repeats the call numerous times. Though the attacker’s intentions are not clear at this point, this might be a technique to introduce noise or to spam an emulator.\r\nFigure 11: Directory-creation spamming\r\nAdditionally, a new VBScript is dropped to %ProgramData%\\kellvbs.vbs. This script leads to a new variant of our previously researched HCrypt. It ends up delivering njRAT with the same C2 address as the Vjw0rm that has been dropped by the VBScript launcher.\r\nIn the second stage, the AHK script drops a Batch script that hides the manifest file, so that only the benign VBS launcher called conhost.exe will be visible to the victim.\r\nFigure 12: Hiding the manifest file\r\nPowerShell Loader Chain\r\nThis attack chain first appeared in late April 2021. It has a strong resemblance to the previously described chain, except for the delivery technique and the RAT distribution used. In this chain, we have observed LimeRAT and RevengeRAT loaded as the final payload. 
Both of the delivered RATs communicate with the same C2 address: gamers2020.ownip[.]net.\r\nVersion 1\r\nFirst seen: April 26, 2021\r\nHash: c7165a80a5233ff799a7cdb0de9d1dafc7c40e4b31db01226b3d975411ceb59e\r\nFigure 13: The AHK second chain script.\r\nThe RAT is delivered by an obfuscated VBScript (as shown in Figure 14) that is dropped to the victim’s %ProgramData% directory. This script deobfuscates a PowerShell command that downloads the next stage from a Pastebin-like sharing platform called stikked.ch.\r\nFigure 14: Obfuscated VBScript downloads and executes PowerShell from a Pastebin service.\r\nThe PowerShell stage from the paste embeds the next stage as C# source code represented as a hexadecimal-encoded blob ($Win32Runpe in Figure 15). To execute the next stage, the PowerShell decodes the blob, compiles it and saves the result into the %temp% directory under the name RegAsm.exe, then executes the compiled executable.\r\nWe noticed that the author compiled the executable with `GenerateExecutable=true`, which is uncommon for attackers, since they could have compiled the executable in memory by setting the flag `GenerateInMemory=true`. This might be an evasion attempt, as many security solutions look for this flag.\r\nFigure 15: PowerShell script from stikked.ch Pastebin.\r\nThe C# source code embeds the RAT payload as an AES-encrypted blob (Buffer in Figure 16). The keys are embedded in the source code as well. 
In order to execute the RAT payload, it decrypts the blob, reflectively loads the decrypted payload, then invokes it.\r\nFigure 16: C# source code.\r\nVersion 2\r\nFirst seen: April 26, 2021\r\nHash: 24fdf42e2c026708b3ed29fe6791190e3a40c2dca063bfd8233c974f373e775f\r\nIn this version, the attacker added a hexadecimal obfuscation layer to the VBScript and used a different PowerShell paste (hxxps://stikked[.]ch/view/raw/5d4df3b8) to load the RAT.\r\nThe PowerShell script used in this attack is a notorious one that has been observed in several other RAT campaigns (1, 2, 3). It holds two hexadecimal blobs. The first one is a .NET DLL that is used for injecting the second hexadecimal payload, which is the RAT.\r\nFigure 17: PowerShell script from stikked.ch Pastebin.\r\nHCrypt Chain\r\nFirst seen: April 21, 2021\r\nHash: d9b6a27e17fbf09801a848e3b42206b3a02e728207e9c1bd4e1e2a56294aba7c\r\nThis chain is slightly different from the others, as the files bundled in the AHK script have different naming conventions and don’t include the VBS launcher. We will explain the connection and similarity to this campaign in the next section.\r\nSimilar to the previous chains, the AHK script drops and executes a legitimate application. Next, it drops and executes a VBScript that downloads and executes an in-memory PowerShell script that leads to HCrypt. HCrypt is known as a RAT loader. In this campaign, we observed AsyncRAT as the loaded RAT.\r\nFigure 18: The VBScript that leads to HCrypt.\r\nFingerprinting the Campaign\r\nIn this campaign, we described various attack chains. 
We can attribute them to the same actor based on the following:\r\nThey all drop a legitimate application before performing any malicious activity.\r\nThey have the same resource naming convention across all of the versions: *.MP4, KELLVBS.VBS, CONHOST.EXE, etc.\r\nThe AHK script has a strong resemblance across all of the chains, using the same commands: FileInstall, run, sleep, and dropping the files to the %ProgramData% directory.\r\nIn several attack chains, we observed the same directory spamming technique.\r\nThey use the same scripts and UAC bypass technique to disable Defender (in different stages).\r\nConclusion\r\nAs threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them. The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were made to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory, because it’s typically a static and predictable target for the adversary.\r\nWe still need these baseline controls to keep automated attacks at bay. But the manual tradecraft employed by innovative attackers like this one requires a modern approach to security. Morphisec offers control and visibility of these baseline controls while adding advanced breach prevention for in-memory exploits and evasive fileless techniques like those used in these campaigns. 
If you are experiencing a breach or would like a proactive audit of your critical assets, Morphisec’s team of researchers is available to assist.\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nSource: https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns"
	],
	"report_names": [
		"ahk-rat-loader-leveraged-in-unique-delivery-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c22b0e2dc5303ff4544d010c60943c0621a523d.pdf",
		"text": "https://archive.orkl.eu/2c22b0e2dc5303ff4544d010c60943c0621a523d.txt",
		"img": "https://archive.orkl.eu/2c22b0e2dc5303ff4544d010c60943c0621a523d.jpg"
	}
}