{
	"id": "6d840c87-2a2a-44f3-8b4c-9c6beb05a17e",
	"created_at": "2026-04-06T00:09:35.417789Z",
	"updated_at": "2026-04-10T03:37:09.459697Z",
	"deleted_at": null,
	"sha1_hash": "4996f88053b529fc0e7c2b7a2604dce15f562553",
	"title": "Aurora: a rising stealer flying under the radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1489643,
	"plain_text": "Aurora: a rising stealer flying under the radar\r\nBy Quentin Bourgue,\u0026nbsp;Pierre Le Bourhis\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2022-11-21 · Archived: 2026-04-05 22:33:54 UTC\r\nTable of contents\r\nSummary\r\nContext\r\nThe evolution from botnet to stealer\r\nA popular stealer in the traffers landscape\r\nTechnical Analysis\r\nData collection\r\nFingerprint\r\nData from browsers, extensions and applications\r\nFile grabber\r\nCommand and Control communications\r\nCanal, format and structure\r\nExfiltrated data\r\nNext-stage loading\r\nConclusion\r\nAnnex\r\nAnnex 1 – Infection Chains\r\nCryptocurrency phishing site\r\n911 infection chain\r\nAnnex 2 – Collected data\r\nAnnex 3 – Aurora sample BuildID\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nAurora C2\r\nAurora SHA256\r\nFake catalogue software distributing Aurora\r\nYARA\r\nMITRE ATT\u0026CK TTPs\r\nExternal References\r\nSummary\r\nIn July 2022, Sekoia.io discovered a new Golang botnet advertised by its alleged developer as Aurora botnet since April\r\n2022. Since we published an analysis of the malware and the profile of the threat actor advertising Aurora on underground\r\nforums for our clients, the botnet’s activity slowed down.\r\nSince September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to\r\ntheir malware toolset. Furthermore, Sekoia.io observed an increase in the number of Aurora samples distributed in the wild,\r\nas well as C2 servers.\r\nAs the Aurora malware is widespread, not well detected, or publicly documented either, Sekoia.io analysed Aurora in depth\r\nand share the results of our investigation in this article.\r\nContext\r\nThe evolution from botnet to stealer\r\nFirst advertised on Russian-speaking underground forums in April 2022, Aurora is a multi-purpose botnet with stealing,\r\ndownloading and remote access capabilities. 
The botnet was sold as a Malware-as-a-Service (MaaS) by a threat actor going by the handle Cheshire.\r\nIn July 2022, we identified around 50 samples, the majority of which belonged to the “Cheshire” and “Zelizzard” botnets, and fewer than a dozen C2 servers associated with Aurora botnets. In late July, the Aurora servers were no longer active, and no more recent Aurora samples were submitted to public online repositories. At the time, Sekoia.io assessed that the activity of Aurora botnets was near a standstill.\r\nhttps://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/\r\nPage 1 of 12\n\nAdditionally, the presumed developer stopped publishing about the Aurora botnet on Dark Web forums and on its Telegram channel at the beginning of June 2022. Another publication on the BHF forum in late July 2022 suggested that the Cheshire developers had shifted to developing malware on demand. Based on these observations, we assess it is possible that development of the Aurora Botnet MaaS has been abandoned.\r\nIn late August 2022, Aurora was advertised as a stealer instead of a botnet on Telegram and underground forums.\r\nFigure 1. Advertisement for Aurora stealer on the XSS forum (English version), published by KO7MO on September 8, 2022\r\nA popular stealer in the traffers landscape\r\nBased on Dark Web cybercrime forums, Sekoia.io identified 9 traffers teams that announced they had added Aurora to their infostealer arsenal. 
Most of them created their team after Aurora was advertised as a stealer, and they are still very active.\r\nTraffers Team | Malware arsenal | Launch date | Last observed activity\r\nSpaceTeam | Aurora | 18/11/2022 | 25/11/2022\r\nBrazzzersLogs | Aurora, Raccoon | 14/11/2022 | 14/11/2022\r\nDevilsTraff | Aurora, Raccoon | 30/10/2022 | 14/11/2022\r\nBartLogs | Aurora | 25/10/2022 | 25/10/2022\r\nRavenLogs | Aurora, Redline | 17/10/2022 | 24/11/2022\r\nGfbg6 | Aurora | 14/09/2022 | 24/10/2022\r\nSAKURA | Aurora | 10/08/2022 | 04/11/2022\r\nHellRide | Aurora | 09/07/2022 | 21/11/2022\r\nYungRussia | Aurora | 05/04/2022 | 31/10/2022\r\nTable 1. List of monitored traffers teams that announced distributing Aurora stealer, as of November 25, 2022 (updated)\r\nAt the time of writing, BrazzzersLogs Team is the most recently created traffers team to have publicly announced its use of Aurora stealer on the Lolz Guru cybercrime forum. Based on the illustration promoting the team, the threat group rates Raccoon stealer and Aurora equally.\r\nFigure 2. Advertisement aiming at recruiting traffers into BrazzzersLogs Team and rating Raccoon and Aurora stealer (Source: Lolz Guru forum)\r\nThe adoption of Aurora stealer by several traffers teams suggests that the malware has gained popularity among threat actors. In October and November 2022, several hundred collected samples and dozens of active C2 servers confirmed Sekoia.io’s previous assessment that Aurora stealer would become a prevalent infostealer. Additionally, Sekoia.io observed multiple infection chains leading to the execution of Aurora stealer. These infection chains leveraged phishing pages impersonating the download pages of legitimate software, including cryptocurrency wallets and remote access tools, and the 911 method, which makes use of YouTube videos and SEO-poisoned fake cracked software download websites. 
Analysis of two infection chains is provided in Annex 1.\r\nBased on these observations, we assess that several threat actors distribute Aurora Stealer, each with its own delivery techniques.\r\nTechnical Analysis\r\nAs previously introduced, Aurora is a Golang information stealer. The following is an overview of the Aurora stealer capabilities: data collection, exfiltration to its C2 server and loading of the next-stage payload.\r\nData collection\r\nFingerprint\r\nAurora mainly uses the lxn/win library to interact with the Windows API; host fingerprinting, however, is performed by running the Windows Management Instrumentation Command-line utility (WMIC).\r\nTo fingerprint the host, Aurora executes three commands on the infected host:\r\nwmic os get Caption\r\nwmic path win32_VideoController get name\r\nwmic cpu get name\r\nFigure 3. Aurora commands executed on the infected host, as seen in Sekoia.io XDR\r\nLike previously analysed stealers, Aurora also takes one screenshot of the infected host.\r\nData from browsers, extensions and applications\r\nTo collect information, Aurora targets multiple web browsers, as well as browser extensions (including those managing cryptocurrency wallets) and applications such as Telegram.\r\nThe targeted extensions, applications and web browsers are hardcoded in the sample (see Annex 2). The malware uses the Walk function of Go’s path/filepath package to iterate over files and directories until a file or directory name matches one of the targeted applications or extensions.\r\nFile grabber\r\nThe grabber configuration is simple: the stealer holds a list of directories in which to search for files of interest.\r\nFigure 4. Disassembly code of the grabber functionality\r\nCommand and Control communications\r\nChannel, format and structure\r\nThe malware communicates over TCP on port 8081 or 9865, 8081 being by far the most common open port.\r\nExfiltrated data are in JSON format. All messages share the same structure; each key is described below:\r\nBrowser: name of the browser the data was collected from (e.g. Mozilla, Chromium);\r\nCache: content of the stolen file, base64-encoded;\r\nFileName: name of the stolen file (e.g. cookies.sqlite, Login Data);\r\nGRB: likely the grabber configuration. Of note, Sekoia.io only observed the value “null”;\r\nInfo: host fingerprint information, including:\r\nName: a random name defined by the threat actor;\r\nBuildID: name of the build; the value often matches a threat actor’s Telegram account;\r\nOS: Windows version;\r\nHWID: hardware ID;\r\nGPU: graphics card information;\r\nCPU: CPU name and vendor;\r\nRAM: amount of memory;\r\nLocation: execution path of the Aurora sample;\r\nScreen: screen resolution of the infected host;\r\nIP: intended to hold the IP address of the infected host, but the value is always an empty string.\r\nMasterKey: encryption key needed to read the stolen file, for instance the key under which some browsers store saved passwords;\r\nPath: always an empty string;\r\nType: type of the exfiltrated data (Browser-Mozilla, Screenshot, etc.).\r\nHere is an example of the fingerprint data exfiltrated to the Aurora C2 server:\r\n
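Figure 5 below shows a captured fingerprint message. As an added example, written for this page rather than taken from the article or from the Aurora code, the following Python script builds messages with exactly the key set listed above and parses a constructed capture back into a triage summary (decoded file sizes and hashes, the fingerprint, the master keys seen, and whether the screenshot came first, as it always did in the analysed sample). The key names and the screenshot-first ordering come from the article; the sample values, the JSON null for GRB, the Type string Browser-Chromium, the forward-slash paths and the function names are assumptions.

```python
# Added example, not code from the article or from Aurora: build and parse messages that
# follow the key set Sekoia.io documented. Sample values are placeholders; the null for GRB,
# the Type string Browser-Chromium and all function names are assumptions.
import base64
import hashlib
import json

REQUIRED_KEYS = frozenset(['Browser', 'Cache', 'FileName', 'GRB', 'Info',
                           'MasterKey', 'Path', 'Type'])

# Constructed fingerprint; none of these values come from a real infection.
SAMPLE_INFO = {
    'Name': 'lp9dx2', 'BuildID': '@example_build', 'OS': 'Microsoft Windows 10 Pro',
    'HWID': '0000-0000-0000-0000', 'GPU': 'Example GPU', 'CPU': 'Example CPU',
    'RAM': '16384', 'Location': 'C:/Users/Admin/Desktop/setup.exe',  # forward slashes by choice
    'Screen': '1920x1080', 'IP': '',   # IP is always empty, as observed in the article
}

def build_message(msg_type, browser, file_name, content, info, master_key=''):
    '''Serialise one message: the stolen file travels base64-encoded in Cache,
    GRB is null and Path is empty, matching what the article observed.'''
    record = {
        'Browser': browser,
        'Cache': base64.b64encode(content).decode('ascii'),
        'FileName': file_name,
        'GRB': None,
        'Info': info,
        'MasterKey': master_key,
        'Path': '',
        'Type': msg_type,
    }
    return json.dumps(record)

def parse_capture(raw_messages):
    '''Analyst side: turn captured JSON messages into a triage summary with the
    fingerprint, one entry per exfiltrated artefact (size and SHA-256 of the decoded
    content), the master keys seen and the order in which Type values arrived.'''
    summary = {'fingerprint': None, 'artefacts': [], 'master_keys': set(), 'order': []}
    for raw in raw_messages:
        msg = json.loads(raw)
        missing = REQUIRED_KEYS - set(msg)
        if missing:
            raise ValueError('not an Aurora-shaped message, missing: ' + ', '.join(sorted(missing)))
        if summary['fingerprint'] is None:
            summary['fingerprint'] = msg['Info']
        data = base64.b64decode(msg['Cache'])
        summary['artefacts'].append({
            'type': msg['Type'], 'browser': msg['Browser'], 'file': msg['FileName'],
            'size': len(data), 'sha256': hashlib.sha256(data).hexdigest(),
        })
        summary['order'].append(msg['Type'])
        if msg['MasterKey']:
            summary['master_keys'].add((msg['Browser'], msg['MasterKey']))
    # The analysed stealer always sent the screenshot first; flag captures that differ.
    summary['screenshot_first'] = bool(summary['order']) and summary['order'][0] == 'Screenshot'
    return summary

def sample_capture():
    '''Three constructed messages in the order the article describes.'''
    return [
        build_message('Screenshot', '', 'screenshot.png', b'PNG screenshot bytes', SAMPLE_INFO),
        build_message('Browser-Mozilla', 'Mozilla', 'cookies.sqlite', b'SQLite format 3 ...', SAMPLE_INFO),
        build_message('Browser-Chromium', 'Chromium', 'Login Data', b'SQLite format 3 ...', SAMPLE_INFO,
                      master_key='base64-master-key-placeholder'),
    ]

if __name__ == '__main__':
    s = parse_capture(sample_capture())
    print(json.dumps({k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()}, indent=2))
```

The master_keys set is the actionable part of the summary: a captured MasterKey for a browser means the saved passwords in that browser’s Login Data file are readable offline, so the response has to include resetting those credentials rather than only cleaning the host.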
Figure 5. Exfiltrated fingerprint data of infected host\r\nExfiltrated data\r\nAurora’s network logic is straightforward: if a file name matches the stealer’s targets, the file is base64-encoded and sent to the C2, following the message structure detailed in the previous section.\r\nFigure 6. Summary of network communication between a host infected by Aurora and its C2\r\nThe analysed stealer always exfiltrated the screenshot first, and then the stolen files.\r\nNext-stage loading\r\nAurora’s promoter claims the stealer has file grabber and loader capabilities. During the investigation, only the loader capability was observed (see Annex 1).\r\nThe Aurora loader is straightforward: it downloads a remote payload with http.Get from Go’s standard net/http package (net_http_Get in the disassembly), then writes the file to disk in the temporary directory under a random name. The stealer executes the next stage using the following PowerShell command:\r\npowershell.exe start-process “C:\\Users\\Admin\\AppData\\Local\\Temp\\oH7P8GCPXQ.exe”\r\nFigure 7. Disassembly code of the loader functionality\r\nConclusion\r\nAurora is another infostealer that targets data from browsers, cryptocurrency wallets and the local system, and that also acts as a loader. The collected data, sold at a high price on marketplaces, is of particular interest to cybercriminals, allowing them to carry out lucrative follow-up campaigns, including Big Game Hunting operations.\r\nAs multiple threat actors, including traffers teams, have added the malware to their arsenal, Aurora Stealer is becoming a prominent threat. 
As observed by Sekoia.io, cybercriminal threat actors widely distribute it through multiple infection chains, including phishing websites masquerading as legitimate ones, YouTube videos and fake “free software catalogue” websites.\r\nTo provide our customers with actionable intelligence, Sekoia.io analysts will continue to monitor emerging and prevalent infostealers, including Aurora.\r\nAnnex\r\nAnnex 1 – Infection Chains\r\nHere are two infection chains distributing the Aurora stealer in the wild.\r\nCryptocurrency phishing site\r\nAurora stealer is distributed through a phishing site impersonating Exodus Wallet (a cryptocurrency wallet), hosted at hxxps://mividajugosa[.]com/.\r\nFigure 8. Phishing webpage impersonating the Exodus Wallet download page (mividajugosa[.]com)\r\nClicking the “Download” button at the top right downloads a ZIP archive “ExodusWeb3.zip” (SHA256: 2e9dbda19d9c75a82dabac8ffba5ea76689ada81639867c41c395a29aeaba788) that contains the executable “ExodusWeb3.exe” (SHA256: 9db1744112aea85c625cd046fc737bf28bef254bebfbf7123df6844f62167759), detected as Aurora stealer. It communicates with its C2 server at 79.137.195[.]171:8081.\r\n911 infection chain\r\nThis infection chain consists of the following steps:\r\n1. A YouTube video, posted from a stolen account, explains how to install cracked software for free and provides a link;\r\n2. The link in the YouTube video leads the victim to a “free software catalogue” website (e.g. winsofts[.]cloud);\r\nFigure 9. Fake free software catalogue website (winsofts[.]cloud) luring the user into downloading the Aurora sample\r\n3. The payload, which embeds Aurora Stealer, is hosted on a legitimate file sharing platform. The user downloads it, decompresses the archive and executes the file “setup.exe”.\r\n4. The Aurora sample communicates with its C2 at 45.15.156[.]97:8081 and downloads a second-stage payload (oH7P8GCPXQ.exe).\r\nRelated URLs:\r\nYouTube video: hxxps://www.youtube[.]com/watch?v=oy7NPaccBnk\r\nMalicious free software catalogue website: hxxps://winsofts[.]cloud/\r\nNext-stage payload: hxxps://cdn.discordapp[.]com/attachments/1037000444813254768/1042401882041237524/Adobe_Acrobat.zip\r\nFile hashes:\r\nDownloaded archive (Adobe_Acrobat.zip) SHA256: 88e02def17fda0021d4dba5ea812772c542b0fa6ca8930bcf06c42375c00bd29\r\nAurora sample (setup.exe) SHA256: 47332ce5b904b959aa814ddfde8662931fdfb5233422dc45053ad04cffc44fb4\r\nNext-stage payload (oH7P8GCPXQ.exe) SHA256: 8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d\r\nEmulating this infection chain on a system monitored by Sekoia.io XDR raised 5 security alerts, as shown hereunder.\r\nThe CTI detection rule detected communications with the Aurora C2 server and with the malicious domain hosting the fake free software catalogue.\r\nThe correlation rule detected the sequence of Aurora fingerprinting commands using WMIC.\r\nOther generic detection rules detected the change in the Windows Defender configuration to exclude the location “C:\\Program Data\\” (via Windows Defender event ID 5007 and via the executed command line). This behaviour corresponds to the next-stage payload dropped by the Aurora sample.\r\n
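The alerts listed above correspond to behaviours that can be expressed as process-creation rules. As an added example, written for this page rather than taken from Sekoia.io XDR, the following Python script implements three of them over constructed Sysmon-style events: the WMIC fingerprint correlation (all three commands from one parent within a window), the loader launching an executable from the user Temp folder through powershell start-process, and a Defender exclusion added from the command line. The event layout, the 60-second window, the hypothetical Add-MpPreference command line and all sample values are assumptions; the sample paths use forward slashes so the snippet needs no path escaping, and the norm() helper converts backslashes (chr(92)) to forward slashes so real Windows command lines can be fed in unchanged.

```python
# Added example, not the Sekoia.io XDR rules themselves: three process-creation detections
# for the Aurora behaviours described in the article, run over constructed Sysmon-style
# events. Event layout, window length and the Add-MpPreference command line are assumptions.
from collections import defaultdict

WMIC_FINGERPRINT = frozenset([
    'wmic os get caption',
    'wmic path win32_videocontroller get name',
    'wmic cpu get name',
])
WINDOW_SECONDS = 60   # assumed: how close together the three commands must be

def norm(cmdline):
    '''Lower-case, collapse whitespace and turn backslashes (chr 92) into forward
    slashes so the rules below can be written without any path escaping.'''
    return ' '.join(cmdline.replace(chr(92), '/').lower().split())

def rule_wmic_fingerprint(events):
    '''Correlation: all three WMIC fingerprint commands spawned by the same parent
    process on the same host within WINDOW_SECONDS. One alert per (host, ppid).'''
    latest = defaultdict(dict)        # (host, ppid) -> {command: latest timestamp}
    alerts = []
    for ev in sorted(events, key=lambda e: e['ts']):
        cmd = norm(ev['cmdline'])
        if cmd not in WMIC_FINGERPRINT:
            continue
        key = (ev['host'], ev['ppid'])
        latest[key][cmd] = ev['ts']
        stamps = latest[key].values()
        if len(stamps) == 3 and max(stamps) - min(stamps) <= WINDOW_SECONDS:
            alerts.append({'rule': 'aurora_wmic_fingerprint', 'host': ev['host'],
                           'parent_pid': ev['ppid'], 'parent_image': ev.get('parent_image', '')})
            latest.pop(key)           # do not alert twice for the same parent
    return alerts

def rule_temp_loader(events):
    '''Loader: powershell start-process launching an executable from the user Temp folder,
    as in the command the article recovered from the loader (straight quotes tolerated).'''
    alerts = []
    for ev in events:
        cmd = norm(ev['cmdline'])
        target = cmd.rstrip(chr(34) + chr(39) + ' ')
        if ('powershell' in ev['image'].lower() and 'start-process' in cmd
                and '/appdata/local/temp/' in cmd and target.endswith('.exe')):
            alerts.append({'rule': 'powershell_start_process_temp_exe',
                           'host': ev['host'], 'cmdline': ev['cmdline']})
    return alerts

def rule_defender_exclusion(events):
    '''Defender tampering from the command line. The article only says the exclusion was
    visible in the command line; Add-MpPreference -ExclusionPath is the assumed form.'''
    alerts = []
    for ev in events:
        cmd = norm(ev['cmdline'])
        if 'add-mppreference' in cmd and '-exclusionpath' in cmd:
            alerts.append({'rule': 'defender_exclusion_added',
                           'host': ev['host'], 'cmdline': ev['cmdline']})
    return alerts

def run_rules(events):
    return rule_wmic_fingerprint(events) + rule_temp_loader(events) + rule_defender_exclusion(events)

def sample_events():
    '''Constructed events mirroring the Annex 1 chain: setup.exe (pid 4120) fingerprints
    the host and starts the dropped payload, which then excludes Program Data from Defender.
    Paths use forward slashes; real Sysmon events carry backslashes, which norm() handles.'''
    base = 1700000000

    def ev(offset, pid, ppid, image, cmdline, parent='C:/Users/Admin/Desktop/setup.exe'):
        return {'ts': base + offset, 'host': 'WS-01', 'pid': pid, 'ppid': ppid,
                'image': image, 'cmdline': cmdline, 'parent_image': parent}

    wmic = 'C:/Windows/System32/wbem/WMIC.exe'
    ps = 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'
    return [
        ev(0, 4130, 4120, wmic, 'wmic os get Caption'),
        ev(1, 4131, 4120, wmic, 'wmic path win32_VideoController get name'),
        ev(2, 4132, 4120, wmic, 'wmic cpu get name'),
        ev(40, 4140, 4120, ps, 'powershell.exe start-process C:/Users/Admin/AppData/Local/Temp/oH7P8GCPXQ.exe'),
        ev(45, 4150, 4160, ps, 'powershell.exe Add-MpPreference -ExclusionPath C:/Program Data/',
           parent='C:/Users/Admin/AppData/Local/Temp/oH7P8GCPXQ.exe'),
        # a lone inventory query from an admin shell must not trigger the correlation
        ev(300, 5000, 4999, wmic, 'wmic cpu get name', parent='C:/Windows/System32/cmd.exe'),
    ]

if __name__ == '__main__':
    for alert in run_rules(sample_events()):
        print(alert)
```

Running the file prints one alert per rule for the constructed chain and nothing for the lone benign wmic query. In a production engine the correlation should be keyed on the process GUID rather than a reusable PID, and the Defender rule should be paired with the event ID 5007 telemetry the article mentions, since exclusions can also be set through the registry or Group Policy without any command line.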
Figure 10. Security alerts raised by Sekoia.io XDR following the execution of the Aurora Stealer sample\r\nAnnex 2 – Collected data\r\nCryptocurrency desktop wallets:\r\nPath of targeted file | Cryptocurrency wallet desktop application\r\n\\Armory | Armory\r\n\\bytecoin | Bytecoin\r\n\\Electrum\\wallets | Electrum\r\n\\Ethereum\\keystore | Ethereum\r\n\\Exodus\\exodus.wallet | Exodus\r\n\\Guarda\\Local Storage\\leveldb | Guarda\r\n\\com.liberty.jaxx\\IndexedDB | Jaxx Liberty\r\n\\Zcash | Zcash\r\nCryptocurrency browser extensions:\r\nExtension id | Cryptocurrency wallet browser extension\r\naeachknmefphepccionboohckonoeemg | Coin98\r\naiifbnbfobpmeekipheeijimdpnlpgpp | Terra Station\r\namkmjjmmflddogmhpjloimipbofnfjih | Wombat\r\naodkkagnadcbobfpggfnjeongemjbjca | BOLT X\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom\r\nblnieiiffboillknjnepogjhkgnoapac | Equal\r\ncgeeodpfagjceefieflmdfphplkenlfk | EVER\r\ncjelfplplebdjjenllpjcblmjkfcffne | Jaxx Liberty\r\ndngmlblcodfobpdpecaadgfbcggfjfnm | Maiar DeFi\r\nffnbelfdoeiohenkjibnmadjiehjhajb | Yoroi\r\nfhbohimaelbohpjbbldcngcnapndodjp | Binance\r\nfhilaheimglignddkjgofkcbgekhenbh | Oxygen\r\nfihkakfobkmkjojpchpfgcmhfjnmnfpi | BitApp\r\nfnjhmkhhmkbjkkabndcnnogagogbneec | Ronin\r\nfnnegphlobjdpkhecapkijjdkgcjhkib | Harmony\r\nhmeobnfn fcmdkdcmlblgagmfpfboieaf | XDEFI\r\nhnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase\r\nhpglfhgfnhbgpjdenjgmdgoeiappafln | Guard\r\nibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink\r\njbdaocneiiinmjbjlgalhcelgbejmnid | Nifty\r\nkncchdigobghenbbaddojjnnaogfppfj | iWallet\r\nkpfopkelmapcoipemfendmdcghnegimn | Liquality\r\nlpfcbjknijpeeillifnkikgncikgfhdo | Nami\r\nmgffkfbidihjpoaomajlbgchddlicgpn | Pali\r\nnanjmdknhkinifnkgdcggcfnhdaammmj | Guild\r\nnkbihfbeogaeaoehlefnkodbefgpgknn | MetaMask\r\nnkddgncdjgjfcddamfgcmfnlhccnimig | Saturn\r\nnlbmnnijcnlegkjjpcfjclmcfggfefdm | MEW CX\r\nodbfpeeihdkbihmopkbjmoonfanlbfcl | Brave\r\npdadjkfkgcafgbceimcpbkalnfnepbnk | KardiaChain\r\nOther application:\r\nPath of targeted file | Application\r\n\\AppData\\Roaming\\Telegram Desktop\\tdata | Telegram\r\nAnnex 3 – Aurora sample BuildID\r\n@im_HiLLi, @dddaw22123, @t0mi0k4, Zack, DEV, @feozz, @huy, @dgdima, @mutedall, @huy, @HelixHuntter, 5397150605_99, @tipok734, @Ggtwp, 11, @t0mi0k4, shellar, @dzynO1k, shellarlogs, @sou_bss, DEV, zack, INSTALLS, yjrc, shellar, egorix, DEV, 123\r\nIoCs \u0026 Technical Details\r\nIoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nAurora C2\r\n138.201.92[.]44:8081\r\n146.19.24[.]118:8081\r\n167.235.233[.]95:9865\r\n185.173.36[.]94:8081\r\n185.209.22[.]98:8081\r\n193.233.48[.]15:9865\r\n37.220.87[.]2:8081\r\n45.137.65[.]190:8081\r\n45.144.30[.]146:8081\r\n45.15.156[.]115:8081\r\n45.15.156[.]22:8081\r\n45.15.156[.]33:8081\r\n45.15.156[.]80:8081\r\n45.15.156[.]97:8081\r\n45.15.157[.]137:8081\r\n49.12.222[.]119:8081\r\n49.12.97[.]28:8081\r\n5.9.85[.]111:8081\r\n65.108.253[.]85:8081\r\n65.109.25[.]109:8081\r\n78.153.144[.]31:8081\r\n79.137.195[.]171:8081\r\n81.19.140[.]21:8081\r\n82.115.223[.]218:8081\r\n85.192.63[.]114:8081\r\n89.208.104[.]160:8081\r\n95.214.55[.]225:8081\r\nAurora SHA256\r\na485913f71bbd74bb8a1bdce2e2c5d80c107da7d6c08bf088599c1ee62ccb109\r\nf6b17c5c0271074fc27c849f46b70e25deafa267a060c35f1636ab08dda237d6\r\n51a2fe0ea58a7a656bc817e91913f6d6c50e947823b96a3565e7593eea2fd785\r\n73485bc0ca251edcca9e4c279cbc4876b1584fb981a5607a4bdeae156a70d082\r\n2bdba09d02482f3016df62a205a456fc5e253f5911543bf40da14a59ad2bc566\r\n459a8faa7924a25a15f64c34910324baed5c24d2fe68badd9a4a320628c08cb8\r\naa504264669e5bdbda0aac3ada1cd16964499c92d2b48d036a16ba22d79f44f6\r\n4b5450b61a1be5531d43fe36f731c78a28447b85f2466b4389ea7bbb09ecec9c\r\n04b2edcc9d62923a37ef620f622528d70edab52ccd340981490046ad3aa255e5\r\na4a3a66aee74f3442961a860b8376d2a2dc2cf3783b0829f6973e63d6d839e5b\r\nA query to find more Aurora samples on VirusTotal based on the specific 
behavior:\r\nbehavior_processes:\"wmic os get Caption\" behavior_processes:\"wmic path win32_VideoController get name\" behavior_processes:\"wmic cpu get name\"\r\nMore IoCs are available in the Sekoia.io CTI.\r\nFake catalogue software distributing Aurora\r\nCracked software website | Payload URL\r\nhxxps://winsofts[.]cloud/ | hxxps://cdn.discordapp[.]com/attachments/1037343714319794236/1037352224650690650/Adobe_Photoshop\r\nhxxps://allsofts[.]cloud/ | hxxps://cdn.discordapp[.]com/attachments/1036703574828269658/1037132394534281266/Adobe_Premiere_P\r\nhxxps://alls0ft[.]cloud/ | hxxps://cdn.discordapp[.]com/attachments/1036677135621951653/1037145460089040916/Adobe_Photoshop\r\nhxxps://onesoftware[.]site/ | hxxps://cdn.discordapp[.]com/attachments/1041004296050835459/1041454535836696656/onesoftware.site.zi\r\nhxxps://unisoft[.]store/ | hxxps://cdn.discordapp[.]com/attachments/1028937934763720724/1038878571302756372/Adobe_Photoshop\r\nhxxps://freesoft[.]digital/ | hxxps://cdn.discordapp[.]com/attachments/1041004296050835459/1041740296993636372/FreeSoft.zip\r\nhxxps://cheatcloud[.]info/ | hxxps://www.dropbox[.]com/s/dl/0wzz3wsk5sy7kck/Fortnite%20Hack%20%231.zip\r\nYARA\r\nrule infostealer_win_aurora {\r\n    meta:\r\n        malware = \"Aurora\"\r\n        description = \"Finds Aurora samples based on characteristic strings\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/\"\r\n        classification = \"TLP:CLEAR\"\r\n    strings:\r\n        $str00 = \"I'm a teapot\" ascii\r\n        $str01 = \"wmic cpu get name\" ascii\r\n        $str02 = \"wmic path win32_VideoController get\" ascii\r\n        $str03 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Time Zones\" ascii\r\n        $str04 = \"Exodus\\\\exodus.wallet\" ascii\r\n        $str05 = \"PaliWallet\" ascii\r\n        $str06 = \"cookies.sqlite\" ascii\r\n        $str07 = \"Startup\\\\Documents\\\\User Data\" ascii\r\n        $str08 = \"atomic\\\\Local Storage\\\\leveldb\" ascii\r\n        $str09 = \"com.liberty.jaxx\\\\IndexedDB\" ascii\r\n        $str10 = \"Guarda\\\\Local Storage\\\\leveldb\" ascii\r\n        $str11 = \"AppData\\\\Roaming\\\\Telegram Desktop\\\\tdata\" ascii\r\n        $str12 = \"Ethereum\\\\keystore\" ascii\r\n        $str13 = \"Coin98\" ascii\r\n        $str14 = \".bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml.zip\" ascii\r\n        $str15 = \"type..eq.main.Grabber\" ascii\r\n        $str16 = \"type..eq.main.Loader_A\" ascii\r\n        $str17 = \"type..eq.net/http.socksUsernamePassword\" ascii\r\n        $str18 = \"powershell\" ascii\r\n        $str19 = \"start-process\" ascii\r\n        $str20 = \"http/httpproxy\" ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and 15 of them and filesize \u003e 4MB\r\n}\r\nMITRE ATT\u0026CK TTPs\r\nExecution T1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nExecution T1047 – Windows Management Instrumentation\r\nDefense Evasion T1027 – Obfuscated Files or Information\r\nDefense Evasion T1140 – Deobfuscate/Decode Files or Information\r\nCredential Access T1539 – Steal Web Session Cookie\r\nCredential Access T1555.003 – Credentials from Password Stores: Credentials from Web Browsers\r\nDiscovery T1012 – Query Registry\r\nDiscovery T1082 – System Information Discovery\r\nDiscovery T1083 – File and Directory Discovery\r\nDiscovery T1614 – System Location Discovery\r\nCollection T1005 – Data from Local System\r\nCollection T1113 – Screen Capture\r\nCollection T1119 – Automated Collection\r\nCommand and Control T1071.001 – Application Layer Protocol: Web Protocols\r\nCommand and Control T1105 – Ingress Tool Transfer\r\nCommand and Control T1571 – Non-Standard Port\r\nExfiltration T1041 – Exfiltration Over C2 Channel\r\nExternal References\r\nhttps://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/\r\nTags: CTI, Cybercrime, Dark Web, Stealer\r\nSource: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/"
	],
	"report_names": [
		"aurora-a-rising-stealer-flying-under-the-radar"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434175,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4996f88053b529fc0e7c2b7a2604dce15f562553.pdf",
		"text": "https://archive.orkl.eu/4996f88053b529fc0e7c2b7a2604dce15f562553.txt",
		"img": "https://archive.orkl.eu/4996f88053b529fc0e7c2b7a2604dce15f562553.jpg"
	}
}