The Rise of AuraStealer: A New Infostealer in Cybercrime
In the ever-evolving landscape of cybercrime, a new infostealer has surfaced, known as “AuraStealer.” This malware is quickly gaining traction among threat actors, bolstered by an expanding customer base, 48 identified command-and-control (C2) domains, and various ongoing campaigns that exploit popular platforms, including TikTok and sites offering cracked software.
AuraStealer made its debut in Russian-language cybercrime forums in mid-2025, positioning itself as a successor to LummaC2 following its takedown. This strategic launch indicates a calculated move to fill the void left behind by the once-popular malware. The adoption rate of AuraStealer has been promising, as it has attracted a steady stream of customers migrating from other well-known stealers like StealC, Vidar, and Rhadamantys. This quick uptake in the cybercriminal ecosystem showcases the malware’s potential viability.
The AuraStealer is marketed under a subscription model, featuring both “Basic” and “Advanced” tiers. The selling team, known as “AuraCorp,” markets themselves as seasoned professionals with 5 to 11 years of experience, signifying a level of credibility within the underground circles. However, early versions of the malware have been characterized as less mature than established competitors. Analysts have noted a rapid pace of development, with frequent feature updates aimed at enhancing its capabilities.
According to reports from Intrinsec, these findings were shared with their clients in January 2026, through their Cyber Threat Intelligence service, which offers contextualized and actionable intelligence to help organizations understand and counteract cyber threats. The ongoing development of AuraStealer includes plans to implement code virtualization techniques, making reverse engineering considerably more difficult for cybersecurity professionals.
Infrastructure and Domain Mapping
Researchers have meticulously mapped out 48 distinct C2 domains associated with AuraStealer, most of which utilize inexpensive and easily exploited top-level domains like .SHOP and .CFD. Notable domains include auracorp.cfd, mscloud.cfd, gamedb.shop, and several others, advantageously fronted by Cloudflare. This setup allows malicious actors to obscure the actual backend servers, complicating efforts to dismantle their operations.
Further investigation reveals that while each domain uses unique Cloudflare origin certificates, they all resolve to a shared backend infrastructure that seems to be built on outdated technologies, including Apache 2.2.22 and PHP 5.4.45. This reliance on legacy systems not only highlights a lack of sophistication in some aspects but also opens up vulnerabilities that could be exploited by savvy cybersecurity defenders.
Through careful analysis, researchers have been able to correlate malware configurations and HTTP headers, revealing clusters of domains connected to specific versions of AuraStealer. The transition from early versions utilizing mainly .SHOP domains to the newer versions favoring .CFD addresses suggests an infrastructure rotation that is typical among malicious operations seeking to evade detection.
Delivery Methods and Campaigns
AuraStealer is distributed utilizing flexible delivery chains that seamlessly combine social engineering tactics with various loaders. One notable method involves “ClickFix” scams on TikTok, where short videos promise free activations for popular software and services. Victims are misled into executing remote PowerShell scripts, unknowingly downloading the AuraStealer payload.
Additionally, AuraStealer has been disseminated through bogus tools, self-extracting archives, and generic loaders that inject the malware into legitimate Windows processes. Several campaigns utilize Donut shellcode loaders or “Soulbind” loaders to fetch AuraStealer from attacker-controlled IP addresses, which also serve various other malware families.
Robust Anti-Analysis Features
AuraStealer’s operators maintain a sophisticated infection management system through a web panel hosted at auracorp.cfd. This dashboard facilitates functions such as build generation, log filtering, and Telegram bot integration for real-time exfiltration alerts. The login workflow employs a JavaScript proof-of-work challenge, effectively blocking most automated scanners and brute-force attempts.
On the endpoint level, AuraStealer’s latest iteration employs extensive obfuscation techniques that make detection and analysis challenging. Measures such as indirect control flow, API hashing, and integrity checks are in place to thwart debugging and analysis efforts. The stealer strategically halts execution on systems located in specific regions, hinting at deliberate targeting choices.
Once successfully executed, AuraStealer can harvest sensitive credentials and data from over 100 web browsers and more than 70 applications, including cryptocurrency wallets, VPN clients, and other security tools. The exfiltrated data is then sent over encrypted HTTPS to multiple backend endpoints within its C2 infrastructure.
Conclusion
As AuraStealer continues to evolve with an expanding feature set and a growing infrastructure, it poses a significant threat in the realm of cybercrime. Its rapid development and strategic operations indicate that it is well-equipped to remain a relevant player in credential theft, prompting a need for organizations to track and defend against its persistent campaigns. The dynamic nature of AuraStealer exemplifies the ongoing challenges faced by cybersecurity professionals in combatting increasingly sophisticated malware.