Threat Actors Deploy ‘AuraStealer’ Infostealer with 48 C2 Domains and Active Campaigns
A new information-stealing malware called AuraStealer has been making its presence felt across the cybersecurity landscape since mid-2025.
Developed and actively maintained by a group of Russian-speaking individuals, the malware first appeared on underground hacker forums in July 2025, shortly after the disruption of the Lumma stealer infrastructure left a notable gap in the infostealer market.
The threat actor moved quickly to fill that gap, positioning AuraStealer as a direct competitor to LummaC2, complete with a subscription model, a polished management panel, and an active user base that continues to expand.
The malware was first promoted on the XSS forum on July 8, 2025, under the username “AuraCorp,” with a lengthy post written in Russian that detailed the malware’s features, included panel screenshots, and even listed a user agreement.
The same message was later posted on Exploit on August 7, 2025, followed by Darkmarket on November 29, and then on multiple English-language forums including Blackbones, Sinister, Enclave, and Darkstash in December 2025.
The developer claims the tool is built by experienced professionals and can harvest data from over 110 browsers, more than 70 applications, and over 250 browser extensions, making it a broad-reaching threat by design.
Intrinsec analysts identified AuraStealer as a rapidly growing threat backed by a well-structured command-and-control (C2) infrastructure. Their research uncovered 48 C2 domain names linked to AuraStealer operations, extracted from over 200 samples found on VirusTotal.
The threat actor registers its C2 domains under the .SHOP and .CFD top-level domains, both of which are inexpensive and commonly abused by low-budget operators. To hide the real server, all C2 traffic is routed through Cloudflare acting as a reverse proxy.
Analysts noted that the C2 infrastructure appears to be shifting from .SHOP to .CFD domains in more recent malware versions, signaling an operation that is actively evolving.
The malware panel gives buyers everything they need to manage campaigns — build generation, log filtering, dashboards showing geographic breakdowns, and Telegram bot integration for receiving stolen data.
It is sold in two subscription packages: $295/month for Basic and $585/month for Advanced.
The developer has openly stated that former users of Lumma, StealC, Vidar, and Rhadamanthys are now switching over, and multiple campaigns have already been confirmed in the wild.
The range of data the malware collects is striking — browser credentials, cryptocurrency wallet data, 2FA tokens, session cookies from Discord, Telegram, and Steam, VPN configuration files, password manager databases from tools like KeePass and Bitwarden, clipboard contents, and screenshots of the victim’s screen.
ClickFix and Loader-Based Delivery Chains
AuraStealer primarily reaches victims through a social engineering technique called ClickFix.
Security researchers documented a notable campaign in October 2025 where malicious TikTok videos posed as tutorials for activating popular software like Windows, Microsoft 365, Adobe Photoshop, and Spotify.
Viewers were told to open PowerShell with administrator privileges and run a short one-line command. That command quietly downloaded and executed an AuraStealer sample on the target’s machine without any visible warning.
Alongside TikTok lures, the malware has been distributed through a wide range of loaders and downloaders.
In several cases, AuraStealer was injected into legitimate Windows processes such as regasm.exe and SndVol.exe using Visual Basic scripts, self-extracting archives, and Donut shellcode loaders.
In other instances, a loader known as “Soulbind” retrieved and executed the payload from remote servers. Malicious .NET DLLs, DLL sideloading techniques, and a fake cleaning tool called Gcleaner have also been used across different campaigns.
Security teams should block PowerShell execution triggered by social media content or unofficial software activation sites. Endpoint solutions must be configured to detect and alert on process injection into legitimate Windows system binaries.
All 48 C2 domains identified by Intrinsec should be blocked at the network perimeter without delay.
Employee awareness training is essential to help users identify ClickFix-style social engineering attacks, especially those delivered through video platforms like TikTok.
Restricting administrative PowerShell access and enabling application allow-listing can significantly reduce the risk of infection across the organization.
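As an added illustration of the detection points above (not code from the article, from Intrinsec, or from any vendor product), the following Python sketch runs three checks over constructed Sysmon-style events: a ClickFix-style PowerShell launch from an interactive or script-host parent, regasm.exe or SndVol.exe started by a script host or by a binary dropped in a user-writable folder, and DNS lookups of known C2 domains or of the abused .SHOP/.CFD TLDs. The event field names, the parent-process heuristics and the C2 list are assumptions and placeholders; the 48 real domains are not reproduced on this page.

```python
import re

# ClickFix cues: a hidden, policy-bypassing, encoded or download-and-execute
# PowerShell command of the kind a user is told to paste into an admin shell.
PS_CUES = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|"
                     r"-e(?:p|xec|xecutionpolicy)\s+bypass|\biex\b|downloadstring|"
                     r"invoke-webrequest|\biwr\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_PARENTS = {"explorer.exe"} | SCRIPT_HOSTS  # interactive or script-driven launches
INJECTION_HOSTS = {"regasm.exe", "sndvol.exe"}  # system binaries named in the article
C2_BLOCKLIST = {"c2-placeholder.shop", "c2-placeholder.cfd"}  # placeholder, not the real 48
ABUSED_TLDS = (".shop", ".cfd")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path

def _user_writable(path):  # user-profile temp/download-style folders
    p = path.lower()
    return "\\users\\" in p and any(d in p for d in ("\\appdata\\", "\\temp\\", "\\downloads\\"))

def classify(ev):
    """Return alert names for one event; an empty list means no finding."""
    alerts = []
    if ev["event"] == "process":
        img, parent = _base(ev["image"]), _base(ev["parent"])
        if (img in ("powershell.exe", "pwsh.exe") and parent in USER_PARENTS
                and PS_CUES.search(ev["cmdline"])):
            alerts.append("clickfix_powershell")
        # Injection host started by a script host or by a binary dropped in user space.
        if img in INJECTION_HOSTS and (parent in SCRIPT_HOSTS or _user_writable(ev["parent"])):
            alerts.append("injection_host_suspicious_parent")
    elif ev["event"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in C2_BLOCKLIST:
            alerts.append("known_c2_domain")
        elif q.endswith(ABUSED_TLDS):
            alerts.append("abused_tld_lookup")  # low confidence: queue for analyst review
    return alerts

# Constructed sample telemetry (Sysmon-style fields); the encoded payload is a placeholder.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc PLACEHOLDER"},
    {"event": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\activator_sfx.exe", "cmdline": "RegAsm.exe"},
    {"event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"event": "dns", "query": "c2-placeholder.cfd."},
    {"event": "dns", "query": "cdn.unknown-vendor.shop"},
]
```

The third sample event is a benign interactive PowerShell launch and produces no alert, which is the false-positive case any such rule should be checked against before deployment.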
The post Threat Actors Deploy ‘AuraStealer’ Infostealer with 48 C2 Domains and Active Campaigns appeared first on Cyber Security News.
Source: Cyber Security News
Publication date: 03.03.2026 05:59