AHKBOT
AHKBot is an AutoHotkey-based downloader/backdoor framework used to deliver additional payloads and spy on infected systems through extensible AutoHotkey plugins. The provided reporting describes it as a downloader written in AutoHotkey that can receive and run additional AutoHotkey scripts, with plugin-based surveillance capabilities including screenshot capture, keylogging, browser password theft, Active Directory/domain discovery, process and window listing, hVNC deployment, and downloading or launching additional payloads such as Cobalt Strike and Remote Utilities RAT. In Microsoft reporting on tax-themed phishing campaigns observed in early 2025, AHKBot was delivered via a malicious macro-enabled Excel file (Tax_Refund_Eligibility_Document.xlsm) reached through an IRS-themed lure abusing an open redirect on a Google Business page; enabling macros caused download and execution of an MSI containing a legitimate AutoHotkey runner (AutoNotify.exe) and an AHKBot Looper script (AutoNotify.ahk). That Looper component was observed receiving and executing additional AutoHotkey scripts, downloading a Screenshotter module to capture screenshots, and using C2 IP address 181.49.105[.]59 for commanding and screenshot exfiltration. Separate reporting attributes broader use of AHKBot to the Asylum Ambuscade threat actor, which has used it in both crimeware and cyberespionage operations since at least 2020, including against government entities in Europe and Central Asia as well as individuals, cryptocurrency traders, and SMBs. In those operations, AHKBot is commonly deployed after first-stage SunSeed downloaders and communicates with C2 over HTTP using victim-specific identifiers derived from the C: drive serial number.
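The execution chain above (Excel macro, MSI, a legitimate AutoHotkey runner renamed AutoNotify.exe loading AutoNotify.ahk, then HTTP traffic to the C2 address) gives a defender a few concrete things to hunt for. The following script is an added example, not code from Mallory or from the Microsoft report: it runs three process rules and one network rule over constructed JSON-per-line endpoint telemetry. The event format, field names (image, original_file_name, parent_image, command_line, dst_ip) and the log lines are assumptions made for the demo; the only page-sourced values are the file names, the parent chain and the C2 address 181.49.105[.]59. The renamed-runner rule assumes the dropped binary still carries AutoHotkey's original file name in its PE version info (the field Sysmon exposes as OriginalFileName).

```python
"""Hunt for the AHKBot Looper execution chain in endpoint telemetry.

Added example, not Mallory's or Microsoft's code. Event schema and log lines are
constructed for the demo; file names, parent chain and the C2 address come from
the reporting summarised on the page.
"""
import ipaddress
import json
import re
from typing import Iterable

# C2 address from the reporting on the page (defanged there as 181.49.105[.]59).
AHKBOT_C2_IPS = {"181.49.105.59"}

# Parents that should not normally spawn an AutoHotkey interpreter (assumed list).
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "msiexec.exe", "wscript.exe", "powershell.exe"}

# Directories a user or per-user installer can write to without admin rights (assumed list).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|downloads|public)\\", re.IGNORECASE)

# Any .ahk path on the command line: the runner is launched with its script as argument.
AHK_SCRIPT = re.compile(r"\S+\.ahk\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def refang(ioc: str) -> str:
    """Turn a defanged indicator like 181.49.105[.]59 into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def check_process(ev: dict) -> list:
    """Return the rule names a process-creation event triggers."""
    hits = []
    if not AHK_SCRIPT.search(ev.get("command_line", "")):
        return hits  # no .ahk script passed: not the Looper launch pattern
    image = ev.get("image", "")
    parent = _basename(ev.get("parent_image", ""))
    # Rule 1: Office or an installer spawns an interpreter that loads an .ahk script.
    if parent in SUSPICIOUS_PARENTS:
        hits.append("ahk_script_from_office_or_installer")
    # Rule 2: the runner binary lives in a user-writable path (dropped, not installed).
    if USER_WRITABLE.search(image):
        hits.append("ahk_runner_in_user_writable_path")
    # Rule 3: the runner was renamed: version info says AutoHotkey, the file name does not.
    original = ev.get("original_file_name", "").lower()
    if "autohotkey" in original and "autohotkey" not in _basename(image):
        hits.append("ahk_runner_renamed")
    return hits


def check_network(ev: dict) -> list:
    """Return the rule names a network-connection event triggers."""
    dst = ev.get("dst_ip", "")
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return []  # malformed or missing address: nothing to match
    return ["ahkbot_c2_ip"] if dst in AHKBOT_C2_IPS else []


def hunt(lines: Iterable[str]) -> list:
    """Run all rules over JSON-per-line telemetry; return (event id, rule) pairs."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("type") == "process":
            rules = check_process(ev)
        elif ev.get("type") == "network":
            rules = check_network(ev)
        else:
            rules = []
        alerts.extend((ev["id"], rule) for rule in rules)
    return alerts


# Constructed telemetry: 1 and 5 are benign controls, 2 mirrors the MSI-dropped
# runner from the page, 3 is its beacon to the reported C2 address, 4 is normal browsing.
SAMPLE_TELEMETRY = r"""
{"id": 1, "type": "process", "image": "C:\\Program Files\\AutoHotkey\\AutoHotkey.exe", "original_file_name": "AutoHotkey.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"C:\\Program Files\\AutoHotkey\\AutoHotkey.exe\" C:\\Users\\bob\\Documents\\hotkeys.ahk"}
{"id": 2, "type": "process", "image": "C:\\Users\\bob\\AppData\\Local\\AutoNotify\\AutoNotify.exe", "original_file_name": "AutoHotkey.exe", "parent_image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "\"C:\\Users\\bob\\AppData\\Local\\AutoNotify\\AutoNotify.exe\" C:\\Users\\bob\\AppData\\Local\\AutoNotify\\AutoNotify.ahk"}
{"id": 3, "type": "network", "image": "C:\\Users\\bob\\AppData\\Local\\AutoNotify\\AutoNotify.exe", "dst_ip": "181.49.105.59", "dst_port": 80}
{"id": 4, "type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "93.184.216.34", "dst_port": 443}
{"id": 5, "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe C:\\Users\\bob\\notes.ahk"}
"""

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(f"event {event_id}: {rule}")
```

Event 1 (a normally installed AutoHotkey running a user's own script) and event 5 (Notepad opening an .ahk file) trigger nothing, which is the point of keying the rules on the parent, the install path and the renamed runner rather than on the .ahk extension alone; event 2 fires all three process rules and event 3 matches the C2 address.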
Groups observed using it
1 distinct threat actor attributed by public researchers.
Earlier this April, the Redmond-based company warned of several phishing campaigns leveraging tax-related themes to deploy malware such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). The phishing pages, it added, were delivered via RaccoonO365, with one such campaign attributed to an initial access broker called Storm-0249.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique): “abuse legitimate services like file-hosting services and business profile pages…”, “downloaded a ZIP file… from Dropbox”, “received a JavaScript file from Firebase”
Initial Access (3 techniques): campaigns using RaccoonO365 have been active since September 2024. These attacks typically mimic trusted brands like Microsoft, DocuSign, SharePoint, Adobe, and Maersk in fraudulent emails, tricking recipients into clicking on lookalike pages that are designed to capture victims' Microsoft 365 usernames and passwords.
“The emails contained a PDF attachment…”, “The email contained a hyperlink that directed users to download a malicious Excel file.”
“abused an open redirector on what appeared to be a legitimate Google Business page. It redirected users to historyofpia[.]com…”
Execution (2 techniques): “If executed, this JavaScript file downloaded…”, “If the user opened the Excel file… enable macros…”, “If launched by the user, the .lnk file uses PowerShell…”
Collection (1 technique): “AHKBot… downloading the Screenshotter module… capture screenshots… upload screenshots.”
Command and Control (1 technique): “Latrodectus… features dynamic command-and-control (C2) configurations…”, “Both Looper and Screenshotter used the C2 IP address 181.49.105[.]59”
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Indicator types tracked: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Malware deployed via phishing campaigns delivered through RaccoonO365.
AutoHotkey-based malware using a simple looping script to fetch and execute additional AHK scripts from C2; observed deploying a screenshot-capture module and exfiltrating screenshots to C2.
Second-stage AutoHotkey-based modular downloader/spy platform that pulls plugins from C2 to perform screen capture, keylogging, password theft, domain discovery, hVNC deployment, and delivery of additional payloads (including a Cobalt Strike loader and a commercial RAT).