Autohk

Category: packer · Aliases: None known · Sample count (EMBER 2018): 120 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

The "AutoHK" malware family refers to a broad category of malicious programs that utilize AutoHotkey (AHK), a legitimate and open-source scripting language designed for keyboard shortcuts and Windows automation. Attackers frequently abuse AutoHotkey to create, bundle, and execute malicious scripts while attempting to evade detection by security software. By packaging malicious AHK scripts with the AutoHotkey interpreter into a single executable file, attackers can obfuscate their code and bypass simple signature-based antivirus detection. These scripts are often used for keylogging, taking screenshots, and data exfiltration.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_AUTOHK {
    meta:
        description = "Detects Autohk (packer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "autohk" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Autohk Activity
id: 5b31cac10dcf0956ad3141fea9815844
status: experimental
description: Detects generic indicators of the autohk malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*autohk*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Why is AutoHotkey flagged as malware?

Because AutoHotkey is widely used by attackers to bundle and execute malicious scripts, security tools sometimes flag harmless AutoHotkey scripts as "AutoHK" malware as a false positive.

How do attackers abuse AutoHotkey?

Attackers compile malicious scripts into a single executable file alongside the legitimate AutoHotkey interpreter, masking the malware as a standard application to evade static analysis.

Related Families (Category: packer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/autohk.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.