AV TEST
  • Tests
    • Home users
      • Windows Antivirus
      • MacOS Antivirus
      • Android Antivirus
    • Business users
      • Windows Antivirus
      • MacOS Antivirus
      • Android Antivirus
    • Internet of Things
      • Smart Home
      • IP cameras
      • Smart Watches & Fitness-Tracker
      • Other
      • All IoT tests
    • IT security product overview
  • News
    • All news
    • Awards
    • Antivirus for Android
    • Antivirus for MacOS
    • Antivirus for Windows
    • Commissioned tests
    • Repair tests for Windows
    • Research
    • Internet of Things
    • Parental control
    • VPN tests
    • More tests
    • Other
  • Services
  • Resources
    • About the Institute
      • Institute
      • Certification
      • Test procedures
      • Jobs
    • Statistics
      • AV-ATLAS.org
      • Malware
      • Spam
    • Media
      • Press
      • Test Results
      • Publications
    • Newsletter
    • FAQ
  • Contact
    • Contact
    • Terms and conditions
    • Legal notice
    • Privacy policy

©  2026 AV-TEST  | SITS Deutschland GmbH

AV TEST AV TEST
  • Tests
    • Home users
    • Business users
    • Internet of Things
    • IT security product overview
    • Windows Antivirus
    • MacOS Antivirus
    • Android Antivirus
    • Windows Antivirus
    • MacOS Antivirus
    • Android Antivirus
    • Smart Home
    • IP cameras
    • Smart Watches & Fitness-Tracker
    • Other
    • All IoT tests

    Get in touch

    Please use the contact form below for inquiries to the AV-TEST Institute.

    Kontakt
  • News
    • All news
    • Awards
    • Antivirus for Android
    • Antivirus for MacOS
    • Antivirus for Windows
    • Commissioned tests
    • Repair tests for Windows
    • Research
    • Internet of Things
    • Parental control
    • VPN tests
    • More tests
    • Other
    Service

    Network Threat Protection -
    Tested and certified by AV-TEST

    LEARN MORE >

    Get in touch

    Please use the following contact form for inquiries to the AV-TEST Institute.

    Kontakt
  • Services
  • Resources
    • About the Institute
    • Statistics
    • Media
    • Newsletter
    • FAQ
    • Institute
    • Certification
    • Test procedures
    • Jobs
    • AV-ATLAS.org
    • Malware
    • Spam
    • Press
    • Test Results
    • Publications

    Subscribe to the
    AV-TEST Newsletter

    Learn more
  • Contact
    • Contact
    • Terms and conditions
    • Legal notice
    • Privacy policy
  • IOT-TESTS.ORG
  • AV-ATLAS.ORG

Latest News

July 07, 2026 | Text: Markus Selinger | Antivirus for Windows

Cyberattacks: ransomware and infostealers hijacking a Windows automation tool

Detecting malware such as ransomware and infostealers is the first step; however, the second step is fending off the attack. Particularly when attackers co-opt legitimate Windows tools such as Autolt to carry out their misdeeds. But what happens when a security solution cannot cope with it and does not detect the attackers, or if it does, what if it cannot put a stop to them? Answers to these questions are found in the latest Advanced Threat Protection test – ATP test for short. The test uses 10 real-world scenarios to examine whether a security solution is capable of deploying its entire arsenal of additional protection tools and defending the system as promised. If it is not possible, then the ransomware or infostealer attack was successful. But not to worry here, because our test shows that the security solutions are up to the task.

Ransomware and infostealer attacks on Windows 11 17 security solutions for consumer users and corporate users show how well they can defeat dangerous attackers in the ATP test

Ransomware and infostealer attacks on Windows 11

17 security solutions for consumer users and corporate users show how well they can defeat dangerous attackers in the ATP test

Even experts find it difficult to keep track of things with all the hacker groups that are out there. New groups are constantly appearing on the scene and renting out their infrastructure to so-called “affiliates” (i.e., criminal partners who execute the attacks) as Ransomware-as-a-Service (RaaS). This only increases the number of threats circulating online. Of course, there are also dark web services for infostealers and other malware.

No matter whether it’s Qilin, Play, Cl0p, RansomHub or Akira, hacker groups all use the latest attack methods and delivery routes available, adapting their malware – often by employing AI technology. But they are not the only ones capable of adaptation: The Advanced Threat Protection test adapts its testing every 2 months as well and incorporates these attack methods for the malware used in the test.

High level of defense against dangerous ransomware and infostealers

The ATP test for March/April 2026 puts 17 security solutions to the advanced test under Windows 11. Included in the test for consumer users were 8 products from Avast, AVG, Bitdefender, ESET, K7 Computing, Kaspersky, McAfee and Norton. Among the products for corporate users, 9 solutions from the following vendors were put to the test: Acronis, Avast, Kaspersky (with two versions), Microworld, Net Protector, Norton, Qualys and Trellix.

Security packages for Windows 11 in the ATP test

7 of the 8 security packages tested aced testing with no mistakes and defended the system against all attacks, earning 35 points for the protection score

Security solutions for companies put to the ATP test

Nearly all of the endpoint security solutions for Windows 11 attained flawless test results and earned the maximum amount of points in testing

prev slider
next slider

The structure of the Advanced Threat Protection test is very straightforward. Each protection solution is subjected to ransomware and infostealers – 5 times each – in 10 realistic scenarios on a test computer. The lab experts employ a variety of attack methods, individually or combined in different constellations. For example, it might be an injection attack or a special PowerShell code or, like in the latest test, a hijacked tool. After all, the attackers have now often been using automated attacks using Autolt. For this reason, this tool plays a special role in this test.

Autolt: is a popular BASIC-like scripting language tool for Windows used in automating tasks such as clicks, keystrokes, window manipulation and simple installation/administrative tasks. It can also be used to compile scripts in EXE files enabling them to run without an additional Autolt installation.

Attackers use Autolt to create and distribute malicious scripts. The tool is well-known and legal to use so it doesn’t immediately trigger any alarms when it is deployed. Our attacks use Autolt scripts that implement shellcode loaders, which are designed to decode and execute malicious code directly in a computer’s RAM. These scripts are either distributed together with the Autolt interpreter or they are compiled into executable files using Aut2Exe. The Autolt-based loader simulates the behavior of ransomware or malware intent on stealing information when they are executed on the target system.

All products need to provide reliable defense against the attackers in the 10 scenarios. Just how successful they are can be seen in the graphics with the results for each product at the end of the article. The other test tables show the number of points that each solution earned regarding their protection score. The maximum score is 35 points. For each ransomware sample detected, up to 3 points are awarded, and for each infostealer, up to 4 points. There can be point deductions (even half-points) for any issues in protecting the test system.

The 10 test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example, “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how and why the malware infection occurs and impacts systems.

prev slider
next slider

The ATP test of 8 security packages for consumer users

7 of the 8 security packages for Windows achieved the maximum score in the latest ATP test. They detected the attackers in all 10 scenarios. What’s more, they didn’t stumble over the new attack methods either. As a result, these packages were able to receive the full 35 points: Avast, AVG, Bitdefender, K7 Computing, Kaspersky, McAfee and Norton.

ESET was the only product that encountered issues in testing. It could not detect one infostealer in the test and was not able to stop it using other measures. The attacker went about its business without concern and collected the data it wanted – which meant the solution lost 4 points.

In another case involving a ransomware, the attacker was detected but not completely blocked. Parts of the attacks were blocked by downstream defense modules; however, the ransomware was triumphant and in the end it encrypted the system. A further 1.5 points were deducted from ESET’s score, leaving it with only 29.5 out of 35 possible points.

Each product that achieves the required 75 percent (at least 26.5 points) out of 35 points for the protection score in the test and regularly participates in the Windows tests also receives the “Advanced Certified” certificate from AV-TEST. In this test, all consumer user packages fulfilled the requirements earning them this certificate.

The ATP test of 9 security solutions for corporate users

Testing of the 9 corporate user solutions went exceptionally well for many of the vendors. 8 endpoint products for office computers running Windows 11 showed no weaknesses in the ATP test, successfully defeating all attackers in the 10 test scenarios. For their high level of protection, they all received the full 35 points: Acronis, Avast, Kaspersky (for both versions), Microworld, Norton, Qualys and Trellix.

The product from Net Protector failed after encountering two issues in testing. It was able to immediately detect all 10 attackers; however, it was only able to put 8 of them into quarantine. The solution only blocked one infostealer and one ransomware in part, enabling the attacks to continue. Likewise, the downstream protection modules could not completely stave off the attackers. In the end, the ransomware encrypted the data and the infostealer pilfered the data it was looking for. That is why Net Protector had 2.5 points for the one issue and 2 points for the other deducted from its overall score, which resulted in 30.5 out of 35 points for Net Protector’s protection score.

All of the solutions tested fulfilled the requirements for certification as “Advanced Approved Endpoint Protection.” For this, they need to achieve the required 75 percent (at least 26.5 points) out of 35 points for the protection score in the test and regularly participate in the bimonthly Windows tests.

The ATP test with many excellent scores

The current ATP test is evidence of the vendors’ solid R&D work on their security products for both consumer users and corporate users. 15 of the 17 security packages tested expertly handled the attacks protecting against the latest attack methods and adapted malware. They detected and removed all treats in the tests without fail.

Only two of the security packages encountered individual issues. Nevertheless, there is no room for error when it comes to ransomware and infostealers. For this, the vendors need to tweak their products.

Consumer Users 04/2026

Corporate Solutions 04/2026

Current
test results

  • Windows
  • MacOS
  • Android
  • Archive

  • Windows
  • MacOS
  • Android
  • Archive

  • Smart Home
  • IP-Cameras
  • Smart Watches
  • Other
Service

Network Threat Protection - Tested and certified by AV-TEST

Learn more
Service

Threat Intelligence Platform by AV-TEST

Start AV-ATLAS.org
Service

AV-TEST and the Cyber Resilience Act

Learn more

Subscribe to the AV-TEST Newsletter

Sign up now
Subscribe to the AV-TEST Newsletter
Sign up now
AV TEST

Get in touch

For inquiries to the AV-TEST Institute, please use the contact form below.

To the contact form

Sitemap

  • Institute
  • Tests
  • News
  • Certification
  • Publications
  • Contact

Contact

  • SITS Deutschland GmbH
  • Klewitzstraße 7
  • 39112 Magdeburg, Germany
  • E-Mail: info@av-test.com
  • Telefon: +49 391 6075460
  • Fax: +49 391 6075469

Terms and Conditions | Privacy policy | Legal Notice

©  2026 AV-TEST  | SITS Deutschland GmbH