A new and previously undocumented remote access trojan (RAT) framework, dubbed Auraboros C2, has been discovered, posing a significant threat due to its open command-and-control (C2) panel that grants unauthenticated access to victim data and live surveillance capabilities. The framework also specializes in stealing browser credentials through cookie hijacking. The discovery highlights a critical vulnerability in how some malware operators manage their operations, leaving sensitive information exposed.
Researchers from Breakglass Intelligence, alerted by other security professionals, found the Auraboros C2 panel operating on a DigitalOcean server at IP address 174.138.43[.]25, accessible via plain HTTP on port 5000. Disturbingly, the panel lacks any form of login, token, or authentication, allowing anyone to view victim data and control the malware. The panel’s architecture, built with Express.js and Socket.io, was revealed by its freely downloadable 84KB JavaScript source code, showcasing its complete functionality and design.
Auraboros RAT: A Deep Dive into Its Capabilities and Open C2 Panel
The Auraboros C2 panel, despite its professional dark-themed interface featuring custom CSS and JavaScript, was found to be completely unsecured. Developed with Brazilian Portuguese as its primary language and branded as “Auraboros Advanced Defense Systems,” the panel’s inherent lack of security controls allows unrestricted access to its management functions and the sensitive data collected from compromised systems.
Analysis of the framework, which is custom-built and has not appeared in previous threat intelligence reports, revealed an extensive suite of tools targeting Windows operating systems. The Auraboros RAT provides capabilities such as screenshot capture, live webcam snapshots, clipboard data theft, and keylogging with remarkably short three-second polling intervals. It can also extract Wi-Fi passwords, browse files on victim machines, execute arbitrary shell commands, enumerate active processes, and conduct ARP and port scans.
Furthermore, the framework offers reverse SOCKS5 proxying on port 1080, over-the-air (OTA) updates for its agents, and a specialized cookie impersonation engine. Six unauthenticated API endpoints are exposed, providing access to beacon lists, command execution results, event logs, live keylogger feeds, and stolen browser credentials to any connected client. The use of Socket.io for real-time communication means that all command results are broadcast to every connected client, with no inherent session isolation between different attackers.
During the investigation, researchers found only one registered beacon, which appears to belong to the developer of the Auraboros RAT. This beacon was associated with the hostname DESKTOP-FVPFLD2 and the username “LabCasa,” indicating a home laboratory setup in Goiania, Brazil. The presence of a process named DiskIntegrityScanner.exe and the fact that the beacon had been offline for five days prior to discovery suggest this was a clean test environment used during the malware’s development and debugging phase.
DLL Sideloading and Browser Credential Theft Techniques
A notable technical aspect of the Auraboros RAT is how it deploys and conceals its implant on target machines, using a technique known as DLL sideloading. Instead of deploying a standalone malicious executable, Auraboros uses a legitimate-looking executable, DiskIntegrityScanner.exe, as a host. When this host executable runs, it loads a malicious DLL, which then initiates a “CollectData” routine. This routine gathers essential system information, including the machine’s hostname, username, and privilege level, before establishing a connection with the C2 server.
This DLL sideloading technique is particularly effective in evading detection, as the malicious implant operates under the guise of a seemingly benign Windows process, making it harder to spot during routine system monitoring by security personnel.
The credential theft capabilities of the Auraboros RAT are designed to target data stored in Brave and Chrome browsers by exploiting the Windows Data Protection API (DPAPI). The RAT locates the browser’s AppData profile path, retrieves the encrypted master key, and decrypts it using the Windows CryptUnprotectData function. It then accesses the encrypted Login Data SQLite database to extract stored passwords and session cookies. Evidence suggests the developer actively debugged this decryption logic, running the Brave extraction command multiple times within a short period.
Following the extraction of session cookies, the cookie impersonation engine crafts a session cloning script. This script, combined with routing traffic through the victim’s SOCKS5 proxy tunnel, allows attackers to mimic the victim’s IP address during account takeover attempts, making their malicious activity appear legitimate and originating from the compromised user.
Organizations and cybersecurity teams are advised to take immediate protective measures. These include blocking the IP address 174.138.43[.]25 at network perimeters and actively hunting for the non-legitimate DiskIntegrityScanner.exe process on all endpoints. Monitoring outbound connections to port 9000 on DigitalOcean-hosted IPs (port 9000 is suspected to be the beacon callback port) and setting up alerts for reverse SOCKS5 activity on port 1080 are also crucial steps.
Further recommendations include reporting the identified infrastructure to DigitalOcean’s abuse team. Additionally, Socket.io polling requests directed towards non-standard ports may indicate active C2 beaconing by the Auraboros RAT and should be monitored. The ongoing analysis of such threats will be critical in developing more robust defenses against evolving malware techniques.
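The network-side recommendations above can be turned into a simple hunting filter. The following is an added example, not code from Breakglass Intelligence or from the Auraboros source: it runs over constructed proxy-style log lines and flags the known C2 IP, port 9000 callbacks to a DigitalOcean range, reverse SOCKS5 on port 1080, and Socket.io long-polling handshakes on non-standard ports. The log format and the DigitalOcean prefix are assumptions; substitute your own telemetry and the provider's published ranges.

```python
import ipaddress
import re

KNOWN_C2 = ipaddress.ip_address("174.138.43.25")   # C2 panel IP from the report
# ASSUMPTION: stand-in prefix; replace with DigitalOcean's published ranges.
DO_PREFIXES = [ipaddress.ip_network("174.138.0.0/16")]
BEACON_PORT = 9000   # suspected beacon callback port
SOCKS_PORT = 1080    # reverse SOCKS5 proxy port
# Engine.IO long-polling handshake path used by Socket.io clients.
SOCKETIO_POLL = re.compile(r"/socket\.io/\?.*\btransport=polling\b")

# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> [<path>]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" (?P<proto>\S+)(?: (?P<path>\S+))?$"
)

def classify(line):
    """Return the indicator names one log line matches ([] if clean or unparsable)."""
    m = LINE.match(line.strip())
    if not m:
        return []
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    path = m["path"] or ""
    hits = []
    if dst == KNOWN_C2:
        hits.append("known_c2_ip")
    if dport == BEACON_PORT and any(dst in net for net in DO_PREFIXES):
        hits.append("beacon_port_9000_to_digitalocean")
    if dport == SOCKS_PORT:
        hits.append("reverse_socks5_1080")
    if SOCKETIO_POLL.search(path) and dport not in (80, 443):
        hits.append("socketio_polling_nonstandard_port")
    return hits

def hunt(lines):
    """Map each suspicious line to its indicators; clean lines are dropped."""
    return {ln: h for ln in lines if (h := classify(ln))}

# Constructed sample telemetry (not real captured traffic).
SAMPLE = [
    "2024-01-01T10:00:00Z 10.0.0.5:51000 -> 174.138.43.25:5000 HTTP /socket.io/?EIO=4&transport=polling&t=abc",
    "2024-01-01T10:00:05Z 10.0.0.5:51001 -> 174.138.99.7:9000 TCP",
    "2024-01-01T10:00:09Z 10.0.0.5:51002 -> 203.0.113.8:1080 TCP",
    "2024-01-01T10:01:00Z 10.0.0.5:51003 -> 93.184.216.34:443 HTTPS /index.html",
]

if __name__ == "__main__":
    for line, hits in hunt(SAMPLE).items():
        print(hits, line)
```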