{
	"id": "9dca71f3-5543-418a-ab56-8d77e5f95180",
	"created_at": "2026-04-06T00:14:09.420209Z",
	"updated_at": "2026-04-10T13:12:04.560568Z",
	"deleted_at": null,
	"sha1_hash": "4aa74525b31d6c90e741fc82c46b6964c118f44e",
	"title": "New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 729747,
	"plain_text": "New version of AZORult stealer improves loading features, spreads\r\nalongside ransomware in new campaign | Proofpoint US\r\nBy Proofpoint Staff, July 30, 2018\r\nPublished: 2018-07-30 · Archived: 2026-04-05 13:49:00 UTC\r\nOverview\r\nAZORult is a robust information stealer \u0026 downloader that Proofpoint researchers originally identified in 2016 as part of a\r\nsecondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via\r\nexploit kits and in fairly regular email campaigns as both a primary and secondary payload.\r\nRecently, AZORult authors released a substantially updated version, improving both on its stealer and downloader\r\nfunctionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used\r\nthe new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware. It is always\r\ninteresting to see malware campaigns where both a stealer and ransomware are present, as this is less common [1], and\r\nespecially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing\r\naccess to their files in a subsequent ransomware attack.\r\nAZORult Forum Advertisement\r\nOn July 17, a major update to the AZORult credential stealer and downloader was advertised on an underground forum. The\r\nchange log for the new version -- Version 3.2 -- is shown below. The conditional loader feature, based on the presence of\r\ncookies, cryptocurrency wallets, and other parameters, is particularly noteworthy.\r\n**************\r\nChange log text:\r\nUPD v3.2\r\n[+] Added stealing of history from browsers (except IE and Edge)\r\n[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC\r\n[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader\r\nworks. 
For example: if there are cookies or saved passwords from mysite.com, then download and run the file\r\nlink[.]com/soft.exe. Also there is a rule \"If there is data from cryptocurrency wallets\" or \"for all\"\r\n[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the\r\nstealer will try to connect directly (just in case)\r\n[+] Reduced the load in the admin panel.\r\n[+] Added to the admin panel a button for removing \"dummies\", i.e. reports without useful information\r\n[+] Added to the admin panel guest statistics\r\n[+] Added to the admin panel a geobase\r\n**************\r\nCampaign Analysis\r\nOn July 18, 2018, one day after the AZORult update above was announced, we observed a campaign delivering thousands of\r\nmessages targeting North America that used the new version of AZORult. The messages used employment-related subjects\r\nsuch as “About a role” and “Job Application”. The attached documents used file names in the format of\r\n“firstname.surname_resume.doc”.\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside\r\nPage 1 of 5\n\nFigure 1: Email used in the July 18 campaign\r\nThe documents in this campaign were password-protected. The password was included in the body of the original email and,\r\nin this case, was ‘789’, as visible in Figure 1 above. This technique is an attempt to evade various antivirus engines, since\r\nthe document itself is not malicious until the password is entered successfully. Once potential victims enter the password,\r\nthey also need to enable macros for the document to download AZORult, which in turn downloads the Hermes 2.1\r\nransomware payload.\r\nFigure 2: Document attachment used in the July 18 campaign\r\nWe attribute this campaign to an actor we track as TA516. 
In 2017 we presented research on TA516 and ways in which this\r\nactor used documents with similar resume lures to download banking Trojans or a Monero miner. Improved means of\r\nstealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516’s\r\ndemonstrated interests in cryptocurrencies.\r\nMalware Analysis\r\nOnce the recipient opens the password-protected document and enables the embedded macros, the macros download\r\nAZORult. While there were many code changes to the malware, we focused on analyzing the updated command and control\r\n(C\u0026C) communication protocol.\r\nThe following POST is an initial client-to-server communication, where the client sends an initial checkin request and the\r\nserver responds with data XOR-encoded with a 3-byte key (the XOR key in this case was \\x0d0ac8). If we decode this data,\r\nthe server response begins with a base64-encoded configuration block.\r\nFigure 3: Initial client beacon followed by the encoded server response\r\nFigure 4: Initial client beacon followed by the server response (decoded by us manually)\r\nAs Figure 4 shows, there is a base64 string (configuration block) included in the server response between the “\u003cc\u003e” and\r\n“\u003c/c\u003e” tags. It decodes to the following, revealing cryptocurrency strings of interest:\r\n++++-+++++\r\nF      123    %DSK_23%\r\n*wallet*.txt,*seed*.txt,*btc*.txt,,*key*.txt,*2fa*.txt,*2fa*.png,*2fa*.jpg,*auth*.jpg,*auth*.png,*crypto*.txt,*coin*.txt,*poloniex*,*kraken*,*okex*,*bin\r\n10     +      -     \r\nI      \u003cREMOVED, IP ADDRESS OF THE INFECTED CLIENT\u003e:\u003cCOUNTRY OF THE INFECTED CLIENT\u003e\r\nWe can also see another encoded block after the base64 string (only the beginning of the block is shown for brevity). 
This is\r\nyet another XOR-encoded data block, where the key is 4 bytes. Decoding this second encoded data block reveals additional\r\nconfiguration information and executable files such as mozglue.dll, nssdbm3.dll, softokn3.dll, ucrtbase.dll, or\r\nvcruntime140.dll. While the purpose of these executables is not known, we do not see any reason to send these other than to\r\nperhaps delay reverse engineering and analysis.\r\nNext, after the initial exchange between the infected machine and the C\u0026C server, the infected machine sends a report\r\ncontaining the stolen information. Again, the report is XOR-encoded with the same 3-byte key; a portion of the decoded\r\nversion is shown in Figure 5. The stolen information is organized into sections:\r\ninfo: basic computer information such as Windows version and computer name\r\npwds: this section contains stolen passwords (not confirmed)\r\ncoks: cookies or visited sites\r\nfile: contents of the cookies files and a file containing more system profiling information including machine ID,\r\nWindows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video\r\ncard information, process listing of the infected machine, and software installed on the infected machine.\r\nFigure 5: A report of stolen information sent by the infected machine (only a snippet is shown here)\r\nFinally, after the initial beaconing, receiving a configuration, and exfiltrating stolen information from the infected machine,\r\nAZORult may download the next payload. 
For example, in the campaign described at the beginning of this post, AZORult\r\ndownloads Hermes 2.1 ransomware after it exfiltrates the victim’s data and credentials.\r\nConclusion\r\nAs in legitimate software development, malware authors regularly update their software to introduce competitive new\r\nfeatures, improve usability, and otherwise differentiate their products. The recent update to AZORult includes substantial\r\nupgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy\r\nthat within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email\r\ncampaign, leveraging its new capabilities to distribute Hermes ransomware.\r\nThe potential impact of this type of attack is considerable:\r\n1. The campaigns sent thousands of messages\r\n2. AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial\r\nlosses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations\r\n3. 
Additional direct financial losses and business disruption via infection with Hermes ransomware.\r\nReferences\r\n[1] https://www.malware-traffic-analysis.net/2017/01/27/index2.html\r\n[2] https://malware.dontneedcoffee.com/2018/03/CVE-2018-4878.html#gf-sundown\r\n[3] https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-distribute-chthonic-banking\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nccf1f4d83023c51a75ba008cbd25167c2a1e55f6a8617fe004b63dcd4acc0de4 | SHA-256 | Malicious document\r\nhxxp://205.185.121[.]209/azo.exe | URL | Document payload (AZORult)\r\n3809394dceddbe1419e964cd08397e5fed4a0bbefc8be466f33614bac8794243 | SHA-256 | AZORult\r\nhxxp://briancobert[.]com/index.php | URL | AZORult C\u0026C\r\nhxxp://205[.]185.121[.]209/5.exe | URL | AZORult payload (Hermes)\r\n6071511eea15d5b1d9d8bf9803ad71b3fe65c455b77d683a3aaf887fa54cb447 | SHA-256 | Hermes\r\nET and ETPRO Suricata/Snort/ClamAV Signatures\r\n2025885 || ET TROJAN AZORult Variant.4 Checkin\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
	],
	"report_names": [
		"new-version-azorult-stealer-improves-loading-features-spreads-alongside"
	],
	"threat_actors": [
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aa74525b31d6c90e741fc82c46b6964c118f44e.pdf",
		"text": "https://archive.orkl.eu/4aa74525b31d6c90e741fc82c46b6964c118f44e.txt",
		"img": "https://archive.orkl.eu/4aa74525b31d6c90e741fc82c46b6964c118f44e.jpg"
	}
}