Check out the results from our first round of ATT&CK Evaluations at!

AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Aliases: AutoIt backdoor
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1088Bypass User Account ControlAutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[1]
EnterpriseT1132Data EncodingAutoIt backdoor has sent a C2 response that was base64-encoded.[1]
EnterpriseT1083File and Directory DiscoveryAutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]
EnterpriseT1086PowerShellAutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]


Groups that use this software: