Hello and welcome to the Monday, December 8th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undercredit certificate program in cyber security fundamentals.

Xavier lately found a wave of different malicious files that all took a similar route in order to obfuscate some of the code in Auto IT3.

Auto IT3 is an automation system.

It's quite old going back to the early 2000s,

but it's still being maintained,

it's still being updated,

and it's still frequently being used to manage Windows systems

and essentially create small scripts

to automate some tasks on Windows systems.

Now, Auto IT3 has an interesting function called File Install. File install sounds a little bit like an

include function. If the script is parsed, then it's just read from the file system.

Now, what gets interesting is once you're running a compiled Auto IT script,

and that's kind of one of the advantages of Auto IT.

It's very easy to create binary executables,

so you don't, as a malware author, have to first install all of auto IT on the system,

but you just run the executable or have the victim run the executable.

So when it's compiled, then the file is included in the binary at compiled time.

But what Xavier also saw is that then a temporary file is being created

at runtime of this script, which of course then makes it easy to extract that file and

analyze it, and Xavier is going a little bit over the different obfuscation techniques being

...