
AHK Bot

AHK Bot is a modular AutoHotKey-based malware family used in intrusion activity attributed to TA866, also known as Asylum Ambuscade. It has been observed as a post-exploitation payload delivered after earlier stages such as JavaScript downloaders, WasabiSeed, and Screenshotter in campaigns that used malspam, thread hijacking, malicious attachments or URLs, 404 TDS, and later PDF attachments containing OneDrive links. Proofpoint observed AHK Bot in TA866 campaigns during late 2022, and Cisco Talos reported TA866 frequently deploying it on infected systems. Prior reporting also notes delivery alongside Rhadamanthys Stealer.

AHK Bot supports persistence, system enumeration, screenshot capture, domain identification, secondary command-and-control connection establishment, keystroke logging, credential theft, hVNC deployment and removal, and deployment and removal of remote access software. It establishes persistence by creating an LNK shortcut in the Windows Startup directory and polls C2 for additional scripts. Observed AHK Bot functionality includes a system enumeration script that collects OS, hardware, disk, processor, RAM, GPU, networking, security software, and running process information and uploads it to C2; a Domain Profiler component that determines the victim machine’s Active Directory domain and sends it to C2; and a browser credential theft script targeting Internet Explorer, Mozilla Firefox, and Chromium-based browsers. Proofpoint also reported a Stealer Loader component that downloaded, decrypted, and executed a DLL in memory, with an observed payload being Rhadamanthys Stealer.

In observed TA866 activity, AHK Bot used the victim C: drive serial number in C2 URL paths and polled a separate hardcoded C2 distinct from WasabiSeed infrastructure. Proofpoint reported AHK Bot C2 activity involving hxxp://89[.]208.105.255/%serial%-du2, hxxp://89[.]208.105.255/%serial%, and hxxp://89[.]208.105.255/download?path=e. Cisco Talos also reported TA866 using AHK Bot to retrieve DLL-based shellcode loaders and execute Rhadamanthys in memory. Russian-language comments and variable names were identified in parts of AHK Bot code, and Talos noted Russian comments in related AHK Screenshotter code. Victimology associated with TA866 campaigns included organizations primarily in the United States, with additional targeting in Germany and other countries; Talos reported manufacturing as the most affected sector, followed by government and financial services.
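As an added defender-side example (not code from this page or from any vendor report), the following Python scans proxy log lines for the C2 URL shapes Proofpoint reported above, scoped to the reported C2 host so lookalike paths elsewhere are ignored. The log line format is assumed, as is the assumption that %serial% arrives as decimal or hex digits.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hardcoded AHK Bot C2 reported by Proofpoint (from this page, re-fanged for matching).
AHK_BOT_C2_HOSTS = {"89.208.105.255"}
# Reported path shapes: /%serial%-du2, /%serial% and /download?path=e.
# Assumption: %serial% (the C: volume serial) is sent as decimal or hex digits.
SERIAL_POLL_RE = re.compile(r"^/(?P<serial>[0-9A-Fa-f]{6,16})(?P<suffix>-du2)?$")
# Assumed proxy log shape: "<timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def classify_request(url):
    """Return (kind, serial) when a URL matches reported AHK Bot C2 traffic, else None."""
    u = urlparse(url)
    if u.hostname not in AHK_BOT_C2_HOSTS:
        return None  # the path shapes alone are too generic; scope to the reported host
    if u.path == "/download" and u.query == "path=e":
        return ("payload_download", None)
    m = SERIAL_POLL_RE.match(u.path)
    if m:
        kind = "serial_poll_du2" if m.group("suffix") else "serial_poll"
        return (kind, m.group("serial").upper())
    return ("c2_host_other", None)

def hunt(log_lines):
    """Scan proxy log lines; return (alerts, poll counts per (client, serial))."""
    alerts, polls = [], Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = classify_request(m.group("url"))
        if hit is None:
            continue
        kind, serial = hit
        alerts.append({"ts": m.group("ts"), "src": m.group("src"),
                       "kind": kind, "serial": serial, "url": m.group("url")})
        if serial:
            polls[(m.group("src"), serial)] += 1  # repeated polls from one client = beaconing
    return alerts, polls

# Constructed sample log (not real telemetry); 10.1.2.9 hits a lookalike path on a benign host.
SAMPLE_PROXY_LOG = """\
2022-11-10T09:00:01Z 10.1.2.3 GET http://89.208.105.255/1A2B3C4D-du2
2022-11-10T09:01:01Z 10.1.2.3 GET http://89.208.105.255/1A2B3C4D
2022-11-10T09:01:05Z 10.1.2.3 GET http://89.208.105.255/download?path=e
2022-11-10T09:02:00Z 10.1.2.9 GET http://intranet.example/1A2B3C4D-du2
"""
```

Running `hunt(SAMPLE_PROXY_LOG.splitlines())` yields three alerts for 10.1.2.3 and none for the lookalike request; the poll counter shows the same serial polled twice from one client.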

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

TA866

Along with the deployment of WasabiSeed and Screenshotter, we have frequently observed the deployment of an AutoHotKey (AHK) based malware called AHK Bot.

Source: Cisco Talos (blog.talosintelligence.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (evidence: 1)

Prior reporting indicates that TA866 has been observed leveraging malicious Google advertisements and SEO poisoning to infect victims.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Typical distribution campaigns: As previously mentioned, initial access to target environments is typically obtained by TA866 through successfully infecting systems via either malspam or malvertising.

Execution

3 techniques
T1047 Windows Management Instrumentation (evidence: 1)

The system and hardware enumeration AHK script uses Windows Management Instrumentation (WMI) to collect information about the hardware and software configuration of the infected system.

T1059.001 PowerShell (evidence: 1)

This includes writing a PowerShell script to C:\ProgramData\ ... Any PowerShell content received is then passed to Invoke-Expression (IEX) and executed within the existing PowerShell process.

T1059.003 Windows Command Shell (evidence: 1)

We have seen execution of a variety of system commands we attribute to the adversary operating on the system. This includes but is not limited to the following: cmd.exe /c chcp 65001 && net group Domain Computers /domain

Stealth

1 technique
T1218.007 Msiexec (evidence: 1)

Once downloaded, the MSI is passed to MsiExec to execute the next stage of the process.

Discovery

4 techniques
T1016 System Network Configuration Discovery (evidence: 1)

ipconfig /all

T1057 Process Discovery (evidence: 1)

The following information is collected: ... Running process list.

T1082 System Information Discovery (evidence: 2)

The following information is collected: General system information (OS, hardware devices present, location, etc.). Hard disk configuration. Processor information. RAM configuration. GPU configuration.

T1518.001 Security Software Discovery (evidence: 1)

The following information is collected: ... Firewall, anti-virus and anti-spyware software information.

Command and Control

1 technique
T1071.001 Web Protocols (evidence: 2)

Captured screenshots are transmitted to the attacker’s C2 server ... via HTTP POST requests.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (the indicator values themselves are not reproduced on this page).

Network: 1 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 3 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 4 tracked. Other indicator types observed in public reporting.

Indicator types listed (values masked): three SHA-256 hashes, one IPv4 address, and two URIs, each with a latest sighting about 3 years ago.