Last seven days
- First activity
- Jul 16, 2026
- Last activity
- Jul 16, 2026
- Feed role
- C2
- Host form
- 0 IP / 4 hostnames
AuraStealer is an emerging malware-as-a-service (MaaS) Windows infostealer active since mid-2025 and promoted on underground forums since July 2025, including XSS, Exploit, Darkmarket, Blackbones, Sinister, Enclave, and Darkstash.
Profile source: Mallory opens in a new tabAuraStealer
AuraStealer is an emerging malware-as-a-service (MaaS) Windows infostealer active since mid-2025 and promoted on underground forums since July 2025, including XSS, Exploit, Darkmarket, Blackbones, Sinister, Enclave, and Darkstash. Reporting describes it as developed and actively maintained by Russian-speaking individuals and positioned as a competitor to LummaC2 after Lumma’s disruption. It is sold via subscription tiers, including Basic at $295/month and Advanced at $585/month, with a management panel that supports build generation, dashboards, log filtering, geographic views, and Telegram bot integration. The panel was initially Russian-only and later supported both Russian and English.
AuraStealer targets Windows 7 through Windows 11 and is described as a C++ infostealer with builds around 500–700 KB. It is marketed as capable of stealing data from more than 110 browsers, over 70 applications, and more than 250 browser extensions. Reported theft targets include browser credentials, cookies, session tokens, cryptocurrency wallet data, 2FA-related data, password manager databases including KeePass and Bitwarden, VPN configuration files, clipboard contents, screenshots, and session cookies or tokens associated with services such as Discord, Telegram, Steam, and other applications. Its execution flow includes contacting configured C2 servers, retrieving additional collection directives, collecting data, and exfiltrating it.
Observed delivery is primarily through social-engineering-driven ClickFix or “Scam-Yourself” campaigns, especially TikTok videos disguised as software or product activation tutorials that instruct victims to run malicious elevated PowerShell commands. Additional distribution methods mentioned in reporting include cracked games or software, Visual Basic scripts, self-extracting archives, Donut shellcode loaders, malicious .NET DLLs, DLL sideloading, process injection into legitimate Windows binaries such as regasm.exe and SndVol.exe, a loader called Soulbind, a fake cleaning tool named Gcleaner, and delivery alongside GlassWorm via a malicious VS Code extension.
AuraStealer uses extensive anti-analysis and obfuscation. Reported techniques include indirect control-flow obfuscation, string encryption, constant obfuscation, anti-debugging, anti-tamper checks, anti-VM checks, anti-sandbox checks, geolocation filtering, and exception-driven API hashing. It resolves APIs via PEB walking and uses custom exception handling that deliberately triggers access violations to dispatch WinAPI calls. Reported anti-tamper behavior includes use of MapFileAndCheckSumW to detect modification. It may display a “code entry” dialog when run without a protective layer to hinder sandboxing. Anti-sandbox checks include Sleep-tampering detection and checks for Defender emulation artifacts such as JohnDoe and HAL9TH. Configuration is embedded in the binary and encrypted with AES-CBC.
For command and control, reporting states AuraStealer uses endpoints such as /api/live, /api/conf, and /api/send, checks connectivity via 1.1.1.1:53, and encrypts traffic with AES-CBC before Base64 encoding. Intrinsec identified 48 C2 domains from more than 200 VirusTotal samples and reported use of low-cost .SHOP and .CFD domains, often fronted by Cloudflare as a reverse proxy, with newer versions shifting toward .CFD.
AuraStealer also reportedly includes a Chromium Application-Bound Encryption bypass. Described behavior includes spawning a browser in headless mode in suspended state, injecting code, and invoking IElevator::Decrypt using NTDLL syscalls such as NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx, with Heaven’s Gate used for 64-bit compatibility and evasion.
High-confidence campaign context links AuraStealer to widespread TikTok-based Scam-Yourself distribution and other loader-based delivery chains in the wild. No specific actor attribution beyond Russian-speaking developers/operators is directly supported by the provided content.
Samples
0c934139d196693ff8a59c43f7af15869407bf411764c6f432534814276f75d1 437142a647257c6f4b6ceafcef63a448a3013759a241d85733ffd55ab1c55e6d 54942b5bcfc9add448903934fc61f4e02bf2dc6378a65f0aa4af346e858fe9d3 68ef1bd02e7d475c4cc170c3c0c1f601bc4e5c40a1fc7132d9dd35ae7762ba7a d8124a523f64d1662304c5f2bda383e547d488e277b02e414c82ea7f85dd29c4 MITRE ATT&CK
Reporting
We compared the observed TTPs against published reporting for the following families and found no technical match: Lumma, StealC, Vidar, EDDIESTEALER, Glove Stealer, Katz Stealer, Marco Stealer, Shuyal, AuraStealer, Torg Grabber, VoidStealer, Phemedrone, Metastealer, Xenostealer, ACRStealer, DumpBrowserSecrets, DeepLoad, Storm.
So far, only a handful of families have been observed employing it – namely, Lumma, Rhadamanthys, Remus, and more recently also AuraStealer.
Analysis of AuraStealer, an emerging infostealer
Compared to the previous payloads... as well as StealC, Rhadamanthys, and AuraStealer — which have been observed delivered in the same campaign...
A new information-stealing malware called AuraStealer has been making its presence felt across the cybersecurity landscape since mid-2025.
AuraStealer has emerged as a dangerous malware-as-a-service targeting Windows systems from Windows 7 to Windows 11. This infostealer spreads primarily through Scam-Yourself campaigns on platforms like TikTok, where victims encounter tutorial videos promoting free activation of paid software.
TikTok’s “Scam-Yourself” Trap: How AuraStealer Malware Tricks Users into Hacking Their Own PCs
AuraStealer Spotted in the Wild — An emerging malware-as-a-service (MaaS) information stealer called AuraStealer has been distributed via Scam-Yourself campaigns, where victims are lured by TikTok videos disguised as product activation guides.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.