{
	"id": "13e7a11a-42e0-4041-9fae-0e524309557a",
	"created_at": "2026-04-06T00:22:24.279411Z",
	"updated_at": "2026-04-10T03:20:38.270303Z",
	"deleted_at": null,
	"sha1_hash": "701ca092780829853415d4a4d4c6a71272aea74d",
	"title": "Lokibot with Autoit Obfuscated Frenchy Shellcode",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1049460,
	"plain_text": "Lokibot with Autoit Obfuscated Frenchy Shellcode\r\nBy Harsha Cheruku\r\nArchived: 2026-04-05 13:35:31 UTC\r\nDuring the first week of March, Morphisec intercepted and prevented an advanced Lokibot delivery campaign against some of its customers in the financial sector. While Lokibot has lately been reported as being delivered through impersonation of a known game launcher, it was previously also delivered through AutoIt-obfuscated Frenchy shellcode.\r\nIn the campaign Morphisec identified, the AutoIt+Frenchy shellcode combination is back and stronger than ever. We dive into the technical details below while pointing out the additions this campaign introduces.\r\nLokibot is a well-known info-stealer that scrapes information from different web browsers such as Google Chrome, Firefox and Safari. It has previously also been used to establish backdoors into an enterprise.\r\nThe shellcode was named “Frenchy” after the mutex it creates and after a user named frenchy on hackforums. This shellcode has been seen with other packers loading different malware families such as Formbook, Netwire, AveMaria and Agent Tesla.\r\nTechnical Details\r\nThe very first stage of the delivery is a spam/phishing email. The figures below show the spam emails that deliver the Lokibot and Agent Tesla info-stealer malware. Both attachments are AutoIt executables archived with different archive extensions (for example .cab and .zip; we saw .rar and .iso extensions as well). In both cases the executables contain a Frenchy shellcode loader that is responsible for reflectively injecting the next stage, the info-stealer payload. 
Below we elaborate on the current loader and its previous versions.\r\nhttps://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode\r\nPage 1 of 11\n\nFigure 1: The original email delivering the Invoice executable through a .cab file\r\nFigure 2: Spam email with a .zip file we recently noticed delivering Agent Tesla (from March 2020)\r\nThe executable was named ‘Invoice No. 013696.exe’, and we used Exe2Aut to successfully decompile it and extract the AutoIt script from the sample.\r\nThe user nicknamed Frenchy sells their shellcode framework underground for use with some of the known packer frameworks; below are some snapshots that show a few of the details seen in almost every campaign executed and documented during the previous year.\r\nFigure 3: Obfuscated code showing the starting point of the script\r\nFigure 4: Variables and functions renamed for easier understanding\r\nAs in previous rounds of the Frenchy campaigns, the AutoIt script has basic anti-VM evasion.\r\nFigure 5: VM checks in one of the functions, pvleqyepzq\r\nFigure 6: Sandbox check\r\nFigure 7: Function that can download a file to the temp directory and execute it\r\nThe script creates a Visual Basic script inside the user’s profile directory, which is then used to install the actual malware, and a URL shortcut to that VBS inside the Startup directory to gain persistence.\r\nFigure 8: VBS file created by the script\r\nFigure 9: Persistence shortcut\r\nComparison With Older AutoIt Packers Used In Other Versions of Frenchy Shellcode\r\nPreviously we have seen Frenchy shellcode used by different campaigns that were packed using both AutoIt and .NET. The first two versions came packed with an AutoIt obfuscator and the third version was found packed with .NET. 
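The persistence described above (a VBS dropped under the user profile and an Internet shortcut to it in the Startup folder) is something a responder can hunt for directly. The following Python is an added example, not code from the post or from Morphisec: it parses .url files, which are INI text with an [InternetShortcut] section, and flags any whose target is a script or executable under the user profile. The sample shortcut bodies, the user name and the paths are constructed for the demo.

```python
import configparser
import os
from urllib.parse import unquote, urlparse

# Script and executable types that a Startup shortcut should never point at.
SCRIPT_EXTENSIONS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta',
                     '.bat', '.cmd', '.ps1', '.exe', '.scr'}


def parse_url_shortcut(text):
    '''Return the URL= value of an Internet shortcut (.url files are INI text), or None.'''
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section('InternetShortcut'):
        return None
    return parser.get('InternetShortcut', 'URL', fallback=None)


def shortcut_target_path(url):
    '''Turn a file: URL or a bare drive path into a normalized local path; None for web URLs.'''
    if not url:
        return None
    url = url.strip().replace(chr(92), '/')  # normalize Windows separators to forward slashes
    parsed = urlparse(url)
    if parsed.scheme == 'file':
        # file:///C:/... gives an empty netloc, file://C:/... puts the drive in netloc
        return unquote(parsed.netloc + parsed.path).lstrip('/')
    if len(parsed.scheme) == 1:  # a drive letter such as C:/..., not a real URL scheme
        return url
    return None


def classify_shortcut(text, profile_dir):
    '''Return (verdict, target) for the body of one .url file.'''
    url = parse_url_shortcut(text)
    target = shortcut_target_path(url)
    if target is None:
        return ('ok', url)
    ext = os.path.splitext(target)[1].lower()
    profile_prefix = profile_dir.replace(chr(92), '/').rstrip('/').lower() + '/'
    if ext in SCRIPT_EXTENSIONS and target.lower().startswith(profile_prefix):
        return ('suspicious', target)   # script dropped under the profile, as in this loader
    if ext in SCRIPT_EXTENSIONS:
        return ('review', target)       # script elsewhere: unusual but sometimes legitimate
    return ('ok', target)


def scan_startup_dir(startup_dir, profile_dir):
    '''Walk a real Startup folder and return [(filename, verdict, target)] for every .url file.'''
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith('.url'):
            continue
        with open(os.path.join(startup_dir, name), encoding='utf-8', errors='replace') as fh:
            verdict, target = classify_shortcut(fh.read(), profile_dir)
        findings.append((name, verdict, target))
    return findings


# Constructed sample shortcut bodies (not taken from the sample). The VBS name mirrors
# the dropped file shown in Figure 18; the user name and path are assumptions.
MALICIOUS_URL = '''[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/BdvSOLRjPN.vbs
IconIndex=0
'''
BENIGN_URL = '''[InternetShortcut]
URL=https://intranet.example.com/dashboard
'''
PROFILE_DIR = 'C:/Users/victim'

if __name__ == '__main__':
    for label, body in (('dropper', MALICIOUS_URL), ('bookmark', BENIGN_URL)):
        print(label, classify_shortcut(body, PROFILE_DIR))
```

On a live host, point scan_startup_dir at both the per-user Startup folder and the all-users one; a .url target outside the profile that is still a script is reported as review rather than suspicious so that legitimate logon scripts are not buried in the same bucket.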
Researchers also found Frenchy shellcode version 5 (mutex_005) loading Lokibot, but that AutoIt script looked different from what we observed in our sample. In this section we describe a few differences that we noticed in previous AutoIt obfuscators.\r\nString Encryption, Shellcode and Payload Data Representation\r\nThe AutoIt obfuscation used with Frenchy shellcode v001 has more functions than v002, v005 and the sample we analyzed. Some of the function names are the same in all versions, which could be due to the same technique/obfuscator being used to obfuscate function and variable names, but the functionality is not similar. The string encryption technique used in the version we analyzed slightly resembles the initial packers, while the obfuscation used with Frenchy shellcode v005 implements a string shifting technique.\r\nIn Figure 10 below we can see that different packer versions use various techniques: string reversing, string replacing, string shifting, XOR with arguments, and converting binary to a string of hex values.\r\nFigure 10: The string decryption function in different AutoIt versions\r\nThe shellcode and payload data in the sample we analyzed, and in the packer with Frenchy shellcode v005, was split and concatenated as a hexadecimal string inside the runPE and main functions. In the earlier versions it was attached to the AutoIt executables as resources. 
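The hex-string representation above means the first analyst step is mechanical: rebuild the variable from its pieces, undo whichever of the listed transforms the decrypt function applies (reversal, character shift, XOR, hex) and check that the result is a PE. The following Python is an added example, not the post's code or the packer's own decryptor; the AutoIt source it parses, the key and the order in which the transforms are layered are constructed for the demo.

```python
QUOTE_CHARS = chr(34) + chr(39)  # AutoIt accepts both double- and single-quoted literals
NEWLINE = chr(10)


def string_literals(line):
    '''Return the contents of every quoted literal on one line of AutoIt source.'''
    out, i = [], 0
    while i < len(line):
        q = line[i]
        if q in QUOTE_CHARS:
            j = line.find(q, i + 1)
            if j < 0:
                break
            out.append(line[i + 1:j])
            i = j + 1
        else:
            i += 1
    return out


def collect_variable(source, name):
    '''Join every literal assigned (=), appended (&=) or line-continued (& _) into $name.'''
    parts, continued = [], False
    for raw in source.splitlines():
        line = raw.strip()
        head = line[:len(name) + 3].replace(' ', '')
        if head.startswith(name + '=') or head.startswith(name + '&='):
            parts.extend(string_literals(line.split('=', 1)[1]))
            continued = line.endswith('_')
        elif continued:
            parts.extend(string_literals(line))
            continued = line.endswith('_')
    return ''.join(parts)


def decode_payload(hexstring, key=b'', reverse=False, shift=0):
    '''Undo the transforms the post lists, peeling them in reverse order of application:
    undo reversal, undo a character shift, turn the hex text into bytes, then XOR.'''
    text = hexstring[::-1] if reverse else hexstring
    if shift:
        text = ''.join(chr(ord(c) - shift) for c in text)
    data = bytes.fromhex(text)
    if key:
        data = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return data


def looks_like_pe(data):
    '''The usual sanity check on a reassembled blob: a PE image starts with MZ.'''
    return data[:2] == b'MZ'


def build_sample_script(plain, key, chunk=24):
    '''Constructed stand-in for a decompiled script: XOR, hex, shift +1, reverse, then
    split across continuation lines. The layering order is an assumption for the demo.'''
    enc = bytes(b ^ key[i % len(key)] for i, b in enumerate(plain)).hex()
    enc = ''.join(chr(ord(c) + 1) for c in enc)[::-1]
    q = chr(39)
    body = [q + enc[i:i + chunk] + q for i in range(0, len(enc), chunk)]
    lines = ['Func main()', '$payload = ' + body[0] + (' & _' if len(body) > 1 else '')]
    lines += [piece + ' & _' for piece in body[1:-1]]
    if len(body) > 1:
        lines.append(body[-1])
    lines += ['runpe(@ScriptFullPath, $payload)', 'EndFunc']
    return NEWLINE.join(lines)


# Constructed payload and key (not from the sample): a fake PE header plus some text.
KEY = b'fr3nchy'
PLAIN = b'MZ' + bytes(range(40)) + b'This program cannot be run in DOS mode.'
SCRIPT = build_sample_script(PLAIN, KEY)

if __name__ == '__main__':
    blob = collect_variable(SCRIPT, '$payload')
    payload = decode_payload(blob, key=KEY, reverse=True, shift=1)
    print(len(blob), 'hex chars ->', len(payload), 'bytes, PE:', looks_like_pe(payload))
```

Against a real Exe2Aut dump the only sample-specific work is reading the decrypt function to learn which transforms it applies and in what order; decode_payload is deliberately parameterised so the same helper serves the reversing, shifting and XOR variants the post compares.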
The earlier packers had readresources and globaldata functions to load the encrypted resources by name and type.\r\nFigure 11: Payload data collected from resources\r\nFigure 12: Function that loads the resources and concatenates the payload\r\nFigure 13: Payload split and concatenated from strings\r\nThe shellcode is split and distributed within the AutoIt code, both in the packer with Frenchy shellcode v005 and in our sample.\r\nFigure 14: Scattered shellcode in the packer with Frenchy shellcode v005\r\nFigure 15: Shellcode collected into a variable (from our sample)\r\nWinAPI Functions are back\r\nThe AutoIt packers used with Frenchy shellcode v001 and v002 had the WinAPI functions defined as public and internal functions; these were removed in Frenchy shellcode v005. The script we analyzed has these WinAPI functions again, which shows that the malware authors could be switching between old and new ways and using modified versions of old obfuscators to pack and load the shellcode and final payload.\r\nNo More UAC Bypass\r\nThe User Account Control (UAC) bypass techniques, using Event Viewer (for Windows 7 and 8) and fodhelper (for Windows 10), which were present in the older versions of the AutoIt packers that distributed Formbook and Agent Tesla, have been removed in this Lokibot version. The shellcode from the Lokibot sample analyzed by researchers at Fortinet in November 2019 had both UAC bypass techniques in it. 
That sample did not come with Frenchy shellcode v001 or v002 but with a newer version, and it still had the UAC bypass techniques.\r\nProcess Injection and Hollowing\r\nWe noticed that older versions had a list of other legitimate process names inside the runPE function used for process injection and hollowing, whereas the version we analyzed had it set to @ScriptFullPath and did not contain any other process names, so it hollows a copy of its own executable.\r\nFigure 16: Process names for injection and hollowing (from version 005)\r\nFigure 17: runPE function uses the same process for hollowing\r\nNo quickassist.bat File\r\nOne of the older versions of the AutoIt obfuscators used a .bat file (quickassist.bat) alongside the VBS file in its startup function.\r\nFigure 18: BdvSOLRjPN (VBS file) and quickassist.bat file at startup in one of the older versions of the AutoIt packer\r\nShellcode Differences\r\nIn this section we only present minor differences that we noticed between shellcode versions, because the actual functionality of the shellcode is still the same as in older versions. Other researchers have already presented the shellcode’s functionality.\r\nInitial Frenchy shellcode versions had a tag with the version number inside, but it was removed in later versions. Figure 19 below shows the CreateMutexW call used in versions 001-005.\r\nFigure 19: CreateMutexW function\r\nFrenchy_shellcode_001 checks IsWow64Process before mapping the DLLs from KnownDlls or KnownDlls32; later versions were optimized to avoid using kernel32 at all. The DLLs mapped are advapi32.dll, user32.dll, ole32.dll, ntdll.dll and kernel32.dll, the same as in older versions. The API functions used to map these DLLs are NtOpenSection and NtMapViewOfSection. 
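For a dumped loader blob, the DLL-mapping behaviour above gives a cheap triage signal: the KnownDlls and KnownDlls32 object-directory names and the DLL names are wide (UTF-16LE) strings, while the NtOpenSection and NtMapViewOfSection imports may appear as narrow ones, so a scanner that only extracts ASCII misses half of the picture. The following Python is an added example, not the post's code; it extracts both encodings and scores the Frenchy indicators. The frenchy_shellcode_ tag prefix is an assumption based on the version naming the post uses, and the blob it scans is constructed filler, not real shellcode.

```python
MIN_LEN = 6

# Strings worth hunting for in a dumped Frenchy-style loader blob. The section names, DLL
# names and API names come from the post; the version-tag prefix is an assumption based on
# the Frenchy_shellcode_001 / mutex_005 naming and, per the post, exists only in early versions.
INDICATORS = {
    'knowndlls_section': ['KnownDlls', 'KnownDlls32'],
    'mapped_dll': ['advapi32.dll', 'user32.dll', 'ole32.dll', 'ntdll.dll', 'kernel32.dll'],
    'section_api': ['NtOpenSection', 'NtMapViewOfSection'],
    'other_api': ['IsWow64Process', 'CreateMutexW', 'GetProcAddress', 'LoadLibrary'],
    'version_tag': ['frenchy_shellcode_'],
}


def ascii_strings(blob, min_len=MIN_LEN):
    '''Printable ASCII runs of at least min_len bytes.'''
    out, cur = [], []
    for b in blob:
        if 32 <= b < 127:
            cur.append(chr(b))
            continue
        if len(cur) >= min_len:
            out.append(''.join(cur))
        cur = []
    if len(cur) >= min_len:
        out.append(''.join(cur))
    return out


def utf16le_strings(blob, min_len=MIN_LEN):
    '''Printable UTF-16LE runs; object-manager paths and DLL names are wide strings.'''
    out = []
    for start in (0, 1):  # the string may sit at an odd offset, so try both alignments
        cur = []
        for i in range(start, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 32 <= lo < 127:
                cur.append(chr(lo))
                continue
            if len(cur) >= min_len:
                out.append(''.join(cur))
            cur = []
        if len(cur) >= min_len:
            out.append(''.join(cur))
    return out


def scan_shellcode(blob):
    '''Return {category: sorted indicator names} using case-insensitive substring matches.'''
    found = [s.lower() for s in ascii_strings(blob) + utf16le_strings(blob)]
    hits = {}
    for category, needles in INDICATORS.items():
        matched = sorted({n for n in needles if any(n.lower() in s for s in found)})
        if matched:
            hits[category] = matched
    return hits


def frenchy_score(hits):
    '''Crude triage score: KnownDlls names together with the NtOpenSection/NtMapViewOfSection
    pair is the distinctive combination; each mapped DLL name and the version tag add one.'''
    score = 2 if 'knowndlls_section' in hits and 'section_api' in hits else 0
    score += len(hits.get('mapped_dll', []))
    score += 1 if 'version_tag' in hits else 0
    return score


def build_sample_blob():
    '''Constructed blob for the demo: filler bytes with a few embedded wide and narrow strings.
    It is not real shellcode and does not execute anything.'''
    filler = bytes(range(256))
    return b''.join([
        filler[:50], 'KnownDlls32'.encode('utf-16-le'), filler[50:90],
        b'NtOpenSection', bytes([0]), b'NtMapViewOfSection', bytes([0, 0, 0]),
        'ntdll.dll'.encode('utf-16-le'), filler[90:130],
        'kernel32.dll'.encode('utf-16-le'), filler[130:200],
        b'Frenchy_shellcode_001', filler[200:],
    ])


if __name__ == '__main__':
    hits = scan_shellcode(build_sample_blob())
    for category, names in hits.items():
        print(category, names)
    print('score', frenchy_score(hits))
```

Treat a low score as inconclusive rather than clean: position-independent shellcode commonly resolves imports by hash instead of by name, the post notes that the version tag disappeared in later builds, and the strings only become visible after the AutoIt layer has been peeled off, so this is a second-stage check on a dumped blob, not a scan of the original executable.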
Figure 20 below shows the IsWow64Process check.\r\nFigure 20: IsWow64Process validation\r\nThe shellcode then resolves the addresses of GetProcAddress and LoadLibrary in order to load other DLLs and make the required API calls.\r\nConclusion\r\nIt looks like Frenchy has gained popularity among malware-as-a-service providers and is being successfully used to deliver many info-stealers without significant modification of the code. This unfortunately magnifies the inability of detection solutions to handle memory-evasive malware techniques.\r\nMorphisec Automated Moving Target Defense protects against Frenchy and other memory-evasive malware without any dependency on the malware version.\r\nIOCs (SHA-1):\r\nSamples:\r\nAutoIt compiled executable with Frenchy shellcode and Lokibot (our sample)\r\nInvoice_No._013696.cab\r\n857BC421B19A4A2D7EFEF95B377640821041A06E\r\nOther AutoIt executables with Frenchy shellcode and different malware family payloads embedded inside:\r\nDF9EE6A47AAD3BAD15C980C469A1857745B2D94E\r\n3A7FBE4C15BA812B5BAB2B9F1D9A5DC247668E77\r\n7A7F7E857121542EC8C2437690A01E3F824EEED2\r\n45007E1BC83848F4EB4826EA4505BC70A20B4632\r\nExtracted Shellcodes:\r\n773E69F513A6E900112AC03498545EDAC04AE664\r\n5F07A9E03A9086C89D29476FA39B47E3C4CB908D\r\n56082B2C75ED7FD75BC6D39F3D9804EB1A156133\r\n3165972381CF8393BA999B35C669E253924DB9F1\r\nAbout the author\r\nHarsha Cheruku\r\nSource: https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode"
	],
	"report_names": [
		"lokibot-with-autoit-obfuscator-frenchy-shellcode"
	],
	"threat_actors": [],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/701ca092780829853415d4a4d4c6a71272aea74d.pdf",
		"text": "https://archive.orkl.eu/701ca092780829853415d4a4d4c6a71272aea74d.txt",
		"img": "https://archive.orkl.eu/701ca092780829853415d4a4d4c6a71272aea74d.jpg"
	}
}