AuraStealer
AuraStealer is an emerging malware-as-a-service (MaaS) information stealer active since mid-2025 and promoted on underground forums since July 2025. It is described as being developed and actively maintained by Russian-speaking individuals and positioned as a competitor to LummaC2 after Lumma’s disruption. AuraStealer targets Windows systems, with reporting specifically stating support from Windows 7 through Windows 11.
The malware is written in C++ and has been described as a 500–700 kB infostealer. It is marketed as capable of stealing data from more than 110 browsers, over 70 applications, and more than 250 browser extensions. Reported theft targets include browser credentials, cookies, cryptocurrency wallet data, 2FA-related data, session cookies or tokens for services such as Discord, Telegram, and Steam, VPN configuration files, password manager databases including KeePass and Bitwarden, clipboard contents, screenshots, and files selected through configurable search modules. It can also retrieve additional collection directives from C2 and execute additional payloads.
AuraStealer uses substantial anti-analysis and evasion mechanisms. Reported techniques include indirect control-flow obfuscation, string and constant obfuscation, anti-debugging, anti-tamper checks, anti-VM and anti-sandbox checks, geolocation filtering, and exception-driven API hashing. It installs a custom exception handler before WinMain, deliberately triggers access-violation exceptions to dispatch WinAPI calls, and uses PEB walking plus hash-based API resolution. It also performs an anti-tampering check with MapFileAndCheckSumW and may display a code-entry dialog when run without a protective layer to hinder sandboxing. For Chromium data theft, AuraStealer reportedly includes an Application-Bound Encryption bypass by spawning a browser in headless mode, injecting code, and invoking IElevator::Decrypt using NTDLL syscalls and Heaven’s Gate.
Its configuration is embedded in the binary and encrypted with AES-CBC. Network communications are also described as AES-CBC encrypted and Base64-encoded. Reported C2 workflow includes connectivity checks to 1.1.1.1:53 and use of /api/live, /api/conf, and /api/send endpoints. Intrinsec identified 48 AuraStealer C2 domains from more than 200 VirusTotal samples, noting use of low-cost .SHOP and .CFD domains and Cloudflare reverse proxying, with newer versions shifting toward .CFD.
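The C2 workflow above (the /api/live, /api/conf and /api/send endpoints on low-cost .SHOP/.CFD domains) is easy to hunt for in web-proxy telemetry. The following Python is an added illustration, not code from the page's sources: it parses constructed proxy log lines (no real indicators) and flags a source host that walks the full live -> conf -> send chain on such a domain within a short window, while still surfacing partial matches for review.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# C2 endpoints and low-cost TLDs reported for AuraStealer in the write-up above.
AURA_ENDPOINTS = ("/api/live", "/api/conf", "/api/send")
AURA_TLDS = (".shop", ".cfd")

# Constructed proxy log lines (no real indicators): "<ISO time> <src host> <method> <url> <status>"
SAMPLE_LOG = """\
2025-09-03T10:00:01 ws-17 GET http://example-update.shop/api/live 200
2025-09-03T10:00:02 ws-17 POST http://example-update.shop/api/conf 200
2025-09-03T10:00:09 ws-17 POST http://example-update.shop/api/send 200
2025-09-03T10:05:00 ws-22 GET https://intranet.example.com/api/live 200
2025-09-03T11:30:00 ws-31 GET http://promo-site.cfd/api/live 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, src, host, path) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, url, _status = m.groups()
    u = urlparse(url)
    return datetime.fromisoformat(ts), src, (u.hostname or "").lower(), u.path

def find_c2_activity(log_text, window_s=600):
    """Per (source, host): 'chain' = live -> conf -> send in that order within
    window_s seconds on a .shop/.cfd host; 'partial' = only some endpoints seen."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].endswith(AURA_TLDS) and rec[3] in AURA_ENDPOINTS:
            seen[(rec[1], rec[2])].append((rec[0], rec[3]))
    result = {"chain": [], "partial": []}
    for key, events in seen.items():
        events.sort()
        paths = [p for _, p in events]
        # index of the first hit to each endpoint, in the reported C2 order
        first = [paths.index(e) for e in AURA_ENDPOINTS if e in paths]
        in_order = len(first) == 3 and first == sorted(first)
        if in_order and (events[first[2]][0] - events[first[0]][0]).total_seconds() <= window_s:
            result["chain"].append(key)
        else:
            result["partial"].append(key)
    return {k: sorted(v) for k, v in result.items()}
```

The intranet host hitting /api/live is ignored because the TLD filter is part of the match; loosen AURA_TLDS if your environment sees the same endpoint chain on other domains.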
AuraStealer is sold via subscription and includes a management panel for campaign operations and stolen-data handling. Reported pricing includes a Basic tier at $295/month and an Advanced tier at $585/month, with a temporary two-week Trial tier also observed. The panel supports build generation, log filtering, dashboards with geographic breakdowns, and Telegram bot integration. Reporting states the offering was initially Russian-language and later expanded to Russian and English.
Observed delivery is primarily through social-engineering-driven ClickFix or Scam-Yourself campaigns. Multiple reports describe TikTok videos masquerading as software activation or product activation tutorials that instruct victims to run elevated PowerShell commands, effectively causing users to infect their own systems. Additional observed delivery methods include cracked games or software, Visual Basic scripts, self-extracting archives, Donut shellcode loaders, malicious .NET DLLs, DLL sideloading, process injection into legitimate Windows binaries such as regasm.exe and SndVol.exe, a loader called Soulbind, a fake cleaning tool named Gcleaner, and delivery alongside GlassWorm via a malicious VS Code extension.
High-confidence infrastructure and operational details reported in the sources include underground promotion under the username AuraCorp on XSS on July 8, 2025, later posts on Exploit, Darkmarket, Blackbones, Sinister, Enclave, and Darkstash, and C2 domain patterns using .SHOP and .CFD behind Cloudflare. The malware has been repeatedly associated with TikTok-based Scam-Yourself campaigns and broader cracked-software distribution.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic:
Execution: 2 techniques
Privilege Escalation: 1 technique
Stealth: 2 techniques
Credential Access: 4 techniques
Collection: 2 techniques
Command and Control: 4 techniques
"well-structured command-and-control (C2) infrastructure... 48 C2 domain names... routes all traffic through Cloudflare as a reverse proxy."
...routing all traffic through Cloudflare as a reverse proxy to conceal the real server.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Referenced as a stealer family with a similar crypter-check/warning-dialog mechanism, though implemented differently by requiring entry of a randomly generated code.
An emerging infostealer.
Referenced as an infostealer family reported by other researchers as being delivered in the same campaign ecosystem.
Information-stealing malware sold via subscription with a management panel and C2 infrastructure. It harvests data from browsers, applications, and extensions, including browser credentials, crypto wallet data, 2FA tokens, session cookies (Discord/Telegram/Steam), VPN configs, password manager databases (e.g., KeePass/Bitwarden), clipboard contents, and screenshots. Delivered via ClickFix social engineering (PowerShell one-liner) and via loaders/injection chains (e.g., Donut shellcode, VB scripts, DLL sideloading).