Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
ID: e968a9ba-55ff-5c8c-b487-297220fcc8cc
STIX ID: report--e968a9ba-55ff-5c8c-b487-297220fcc8cc
Feed Name: LevelBlue SpiderLabs Blog
LevelBlue documents a multi-stage Loader/Dropper infection in which MicrosoftToolkit.exe is abused to spawn a command shell, rename and execute disguised .dot files as .bat scripts, extract payloads, and run an AutoIt-compiled loader (Replies.scr), which loads an encrypted payload (D) and contacts Vidar-associated C2 infrastructure (including telegram.me, steamcommunity.com, and gz.technicalprorj.xyz). The report details process discovery and termination, anti-analysis and cleanup routines, and observed WinINet-based C2 beacons; it provides IOCs and MITRE ATT&CK mappings and recommends isolation, reimaging, credential resets, MFA, and hunting queries.
