Researchers discovered a campaign that distributed a credential stealer. Researchers also learned that the main code components of this campaign is written in AHK. By tracking the campaign components, it is found out that its activity has been occurring since early 2020. The malware infection consists of multiple stages that start with a malicious Excel file. In turn, this file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro.
Among the downloaded components by the downloader client, researchers observed a stealer written in AHK. This script is responsible for harvesting credentials from various browsers and exfiltrating them to the attacker.