Latest News
July 07, 2026 | Text: Markus Selinger | Antivirus for Windows
Cyberattacks: ransomware and infostealers hijacking a Windows automation tool
Detecting malware such as ransomware and infostealers is the first step; however, the second step is fending off the attack. Particularly when attackers co-opt legitimate Windows tools such as Autolt to carry out their misdeeds. But what happens when a security solution cannot cope with it and does not detect the attackers, or if it does, what if it cannot put a stop to them? Answers to these questions are found in the latest Advanced Threat Protection test – ATP test for short. The test uses 10 real-world scenarios to examine whether a security solution is capable of deploying its entire arsenal of additional protection tools and defending the system as promised. If it is not possible, then the ransomware or infostealer attack was successful. But not to worry here, because our test shows that the security solutions are up to the task.
Ransomware and infostealer attacks on Windows 11
17 security solutions for consumer users and corporate users show how well they can defeat dangerous attackers in the ATP test
Even experts find it difficult to keep track of things with all the hacker groups that are out there. New groups are constantly appearing on the scene and renting out their infrastructure to so-called “affiliates” (i.e., criminal partners who execute the attacks) as Ransomware-as-a-Service (RaaS). This only increases the number of threats circulating online. Of course, there are also dark web services for infostealers and other malware.
No matter whether it’s Qilin, Play, Cl0p, RansomHub or Akira, hacker groups all use the latest attack methods and delivery routes available, adapting their malware – often by employing AI technology. But they are not the only ones capable of adaptation: The Advanced Threat Protection test adapts its testing every 2 months as well and incorporates these attack methods for the malware used in the test.
High level of defense against dangerous ransomware and infostealers
The ATP test for March/April 2026 puts 17 security solutions to the advanced test under Windows 11. Included in the test for consumer users were 8 products from Avast, AVG, Bitdefender, ESET, K7 Computing, Kaspersky, McAfee and Norton. Among the products for corporate users, 9 solutions from the following vendors were put to the test: Acronis, Avast, Kaspersky (with two versions), Microworld, Net Protector, Norton, Qualys and Trellix.
The structure of the Advanced Threat Protection test is very straightforward. Each protection solution is subjected to ransomware and infostealers – 5 times each – in 10 realistic scenarios on a test computer. The lab experts employ a variety of attack methods, individually or combined in different constellations. For example, it might be an injection attack or a special PowerShell code or, like in the latest test, a hijacked tool. After all, the attackers have now often been using automated attacks using Autolt. For this reason, this tool plays a special role in this test.
Autolt: is a popular BASIC-like scripting language tool for Windows used in automating tasks such as clicks, keystrokes, window manipulation and simple installation/administrative tasks. It can also be used to compile scripts in EXE files enabling them to run without an additional Autolt installation.
Attackers use Autolt to create and distribute malicious scripts. The tool is well-known and legal to use so it doesn’t immediately trigger any alarms when it is deployed. Our attacks use Autolt scripts that implement shellcode loaders, which are designed to decode and execute malicious code directly in a computer’s RAM. These scripts are either distributed together with the Autolt interpreter or they are compiled into executable files using Aut2Exe. The Autolt-based loader simulates the behavior of ransomware or malware intent on stealing information when they are executed on the target system.
All products need to provide reliable defense against the attackers in the 10 scenarios. Just how successful they are can be seen in the graphics with the results for each product at the end of the article. The other test tables show the number of points that each solution earned regarding their protection score. The maximum score is 35 points. For each ransomware sample detected, up to 3 points are awarded, and for each infostealer, up to 4 points. There can be point deductions (even half-points) for any issues in protecting the test system.
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example, “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how and why the malware infection occurs and impacts systems.
The ATP test of 8 security packages for consumer users
7 of the 8 security packages for Windows achieved the maximum score in the latest ATP test. They detected the attackers in all 10 scenarios. What’s more, they didn’t stumble over the new attack methods either. As a result, these packages were able to receive the full 35 points: Avast, AVG, Bitdefender, K7 Computing, Kaspersky, McAfee and Norton.
ESET was the only product that encountered issues in testing. It could not detect one infostealer in the test and was not able to stop it using other measures. The attacker went about its business without concern and collected the data it wanted – which meant the solution lost 4 points.
In another case involving a ransomware, the attacker was detected but not completely blocked. Parts of the attacks were blocked by downstream defense modules; however, the ransomware was triumphant and in the end it encrypted the system. A further 1.5 points were deducted from ESET’s score, leaving it with only 29.5 out of 35 possible points.
Each product that achieves the required 75 percent (at least 26.5 points) out of 35 points for the protection score in the test and regularly participates in the Windows tests also receives the “Advanced Certified” certificate from AV-TEST. In this test, all consumer user packages fulfilled the requirements earning them this certificate.
The ATP test of 9 security solutions for corporate users
Testing of the 9 corporate user solutions went exceptionally well for many of the vendors. 8 endpoint products for office computers running Windows 11 showed no weaknesses in the ATP test, successfully defeating all attackers in the 10 test scenarios. For their high level of protection, they all received the full 35 points: Acronis, Avast, Kaspersky (for both versions), Microworld, Norton, Qualys and Trellix.
The product from Net Protector failed after encountering two issues in testing. It was able to immediately detect all 10 attackers; however, it was only able to put 8 of them into quarantine. The solution only blocked one infostealer and one ransomware in part, enabling the attacks to continue. Likewise, the downstream protection modules could not completely stave off the attackers. In the end, the ransomware encrypted the data and the infostealer pilfered the data it was looking for. That is why Net Protector had 2.5 points for the one issue and 2 points for the other deducted from its overall score, which resulted in 30.5 out of 35 points for Net Protector’s protection score.
All of the solutions tested fulfilled the requirements for certification as “Advanced Approved Endpoint Protection.” For this, they need to achieve the required 75 percent (at least 26.5 points) out of 35 points for the protection score in the test and regularly participate in the bimonthly Windows tests.
The ATP test with many excellent scores
The current ATP test is evidence of the vendors’ solid R&D work on their security products for both consumer users and corporate users. 15 of the 17 security packages tested expertly handled the attacks protecting against the latest attack methods and adapted malware. They detected and removed all treats in the tests without fail.
Only two of the security packages encountered individual issues. Nevertheless, there is no room for error when it comes to ransomware and infostealers. For this, the vendors need to tweak their products.




























