eSentire Threat Intelligence Malware Analysis: Aurora Stealer

By eSentire Threat Response Unit (TRU)
Archived: 2026-04-06 01:04:42 UTC

Since December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer infections in the manufacturing industry. The malware is distributed through fake Google Ads that lead to a fake Notepad++ installer. Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords, from browsers such as Opera, Brave, Mozilla Firefox and Chrome. It is worth noting, however, that the stealer does not collect credentials from Mozilla Firefox. The malware is priced at $125 USD per month, $300 USD for three months of access, and $1,000 USD for lifetime access. To evade antivirus scanners, the binary is padded with junk bytes to inflate its file size.

This malware analysis delves into the technical details of how Aurora Stealer operates and gives our security recommendations for protecting your organization.

Key Takeaways

- The Aurora Stealer developer is actively working on the Aurora botnet, which includes modules such as a loader, DDoS (distributed denial-of-service), crypto wallet brute-force, hVNC/hRDP/RDP/VNC remote access, and an Nmap scanner.
- Aurora Stealer stores its configuration in base64-encoded form.
- The stealer logs are sent to the C2 on the default port 8081 as GZIP-compressed, base64-encoded JSON.
- Aurora Stealer is equipped with grabber and loader modules that allow it to collect specific files and folders and to drop additional malware onto the system.

Case Study: Aurora Stealer

Drive-by downloads are becoming increasingly common as attackers find new ways to access and exfiltrate sensitive data. Since December 2022, TRU has observed several Aurora Stealer infections in the manufacturing industry. The stealer is distributed via Google Ads posing as installers for Notepad++, TeamViewer, Nvidia drivers, and other popular software
(Figures 1-3).

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer Page 1 of 35

Figure 1: Malicious Google Ads
Figure 2: Fake Notepad++ page distributing Aurora Stealer
Figure 3: Fake TeamViewer downloader page distributing Aurora Stealer

The stealer uses the Cheshire Cat from Alice in Wonderland as its mascot and began appearing for sale on Russian-speaking forums in early 2022. It is written in Golang, is capable of stealing from over 90 crypto wallets, and has an embedded Loader module that includes a downloader and PowerShell execution; the developer claims the stealer needs no dependencies to function. It also has a web panel, so the operator does not have to work directly on the dedicated server, called a "dedik" in Russian hacking-forum slang (Russian: дедик). The dedicated server is the one hosting the stealer and processing the logs. The stealer is priced at $125 for one month of access, $300 for three months, and $1,000 for lifetime access. It does not run in Russia or the CIS (Commonwealth of Independent States) countries (Figures 4-6).

Figure 4: Aurora Stealer seller on a Russian-speaking forum
Figure 5: Aurora Stealer reseller
Figure 6: Pricing of Aurora Stealer compared to other stealers on the market

At the time of this writing, the malware developer advertised that pre-orders come with lifetime access to the Aurora Botnet and Aurora Stealer, including all modules such as DDoS, SiteScanner, Loader, Brute Force, and PowerShell/CMD execution (Figure 7).
Figure 7: Pre-order advertisement on Aurora Stealer's Telegram channel

The pre-order costs $1,000. The botnet is a separate panel that allows an attacker to execute remote commands, perform specific tasks on the hosts, and remote in using hVNC/hRDP/RDP/VNC (Figures 8-10).

Figure 8: Botnet panel (1)
Figure 9: Botnet panel (2)
Figure 10: Botnet panel (3)

The Aurora Stealer login panel can be seen in Figure 11, and a snippet of the Aurora manual for setting up and operating the malware in Figure 12.

Figure 11: Aurora Stealer authentication panel
Figure 12: Snippet of the manual on how to set up the stealer

So, how does it spread? Aurora Stealer is spread via installs (Russian: инсталл), also known as Pay-Per-Install (PPI) services, via traffers (Russian: трафферы), or via Google Ads. Pay-Per-Install is an online advertising model in which advertisers pay publishers a commission for every installation of their software that results from the publisher's promotion. The end user is redirected to an attacker's landing page (Russian slang: ленд), from which they download the malicious stealer payload. Install services can also spread the stealer through hosts that are already infected with other malware families such as RATs (Remote Access Trojans). One of the popular install services that Aurora Stealer uses is InstallLabs (Figure 13). Traffers are groups of people responsible for spreading stealers by posting links to the download pages on social media platforms such as Facebook and YouTube.
The worker (Russian: воркер) is the individual within the traffer group who is responsible for spreading the stealer.

Figure 13: InstallLabs ad on a Russian-speaking forum

How can the stealer remain undetected? To evade antivirus scanners, the attacker(s) usually pad the stealer binary with junk bytes to increase its file size, then archive and password-protect it. Aurora Stealer's build panel lets users pack the build (stealer payload) or add junk bytes to it to inflate the file size for detection and sandbox evasion (Figure 14).

Figure 14: Build panel

The increase in file size can significantly affect the stealer's callback rate (Russian: отстук), the share of infected hosts that successfully report back to the panel: an oversized payload is more likely to fail to download or run, so fewer of the stolen logs reach the attacker.

The attacker(s) can avoid SmartScreen warnings by purchasing an EV code-signing certificate. SmartScreen is a security feature in Microsoft Windows that warns users about potentially unsafe websites and downloads. It uses a database of known threats, file and publisher reputation, and machine-learning models to flag new and suspicious files. An EV (Extended Validation) certificate is a digital certificate issued only after the certificate authority has verified the legal identity of the requesting organization. EV certificates are the highest validation tier and are expensive to obtain, which is why files signed with an EV code-signing certificate are granted SmartScreen reputation immediately instead of having to build it over time. (The "green address bar" that older browsers showed for EV TLS certificates is a different use of the same validation tier.) Figure 15 shows such a certificate being sold.
Figure 15: EV certificate being sold on Telegram

A valid code-signing certificate also changes how User Account Control (UAC) alerts look. UAC is a security feature in Windows operating systems that helps prevent unauthorized changes to a computer: when a user attempts an action that requires elevated permissions, such as installing software or changing system settings, a UAC prompt appears asking the user to confirm. Signing does not suppress that prompt, but a signed binary produces the blue "Verified publisher" prompt rather than the yellow "Unknown publisher" warning, which users are far less likely to refuse.

The Case of a Cheshire Cat

The infection starts with basic reconnaissance commands spawned through wmic.exe and cmd.exe (Figure 16):

wmic os get Caption – returns the name of the operating system installed on the computer.
cmd /C "wmic cpu get name" – returns the processor's name.
cmd /C "wmic path Win32_VideoController get name" – returns the name of the video controller (GPU).

Figure 16: Infection chain

As mentioned before, the stealer is written in Go. Without any size pumping or crypting (obfuscating and encrypting the binary), the stealer binary is 2.96 MB. The Aurora developer(s) offer their own crypting service for $40 per crypt or $300 for 10 crypts (Figure 17).

Figure 17: Crypt pricing

The function responsible for enumerating the GPU, CPU, and the operating system caption is shown in Figures 18-20. The gathered information is sent to the stealer's panel and ends up in a text file named "UserInformation".
Figure 18: Enumeration function (1)
Figure 19: Enumeration function (2)
Figure 20: Enumeration function (3)

The stealer mainly uses win, a Windows API package for Go, to perform specific tasks such as taking a screenshot of the host with the GDI APIs GetDC, CreateCompatibleDC, CreateCompatibleBitmap, and BitBlt (Figure 21).

Figure 21: Screenshot capture function

The stealer retrieves the GUID of the infected machine by querying the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography (Figure 22).

Figure 22: Function responsible for getting the MachineGuid

The functions shown below are responsible for getting the infected machine's screen size and contain the Build ID and Build Group. This information is also written to the "UserInformation" text file (Figure 23).

Figure 23: Function containing the Build Group and Build ID, and functions responsible for getting the screen size

Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords, from browsers such as Opera, Brave, Mozilla Firefox and Chrome. The gathered data is temporarily staged under the %temp% folder (Figure 24). However, the stealer does not collect credentials from Mozilla Firefox.

Figure 24: Temporarily stored data under %temp%

Under the function main_getMasterKey, we can see references to os_crypt, encrypted_key, and DPAPI (Figure 25).
Figure 25: References to os_crypt, encrypted_key, DPAPI

DPAPI (Data Protection Application Programming Interface) is what Chromium-based browsers use to protect their cookie and password stores. DPAPI exposes the CryptProtectData and CryptUnprotectData APIs to encrypt and decrypt data respectively. Chrome keeps its AES master key, encrypted with DPAPI, in the Local State file under os_crypt.encrypted_key in base64-encoded form, prefixed with the ASCII string "DPAPI". To decrypt the saved credentials and cookies, Aurora Stealer base64-decodes that string, strips the "DPAPI" prefix, and calls CryptUnprotectData on the remainder, which yields the AES-256 key that unwraps the "v10" entries in the Login Data and Cookies databases. Because CryptUnprotectData is bound to the logged-on user's credentials, the stealer needs no privilege escalation for this step as long as it runs in the victim's session.

Aurora Stealer has multiple grabber functions responsible for collecting additional data such as crypto wallets, screenshots, files, and Telegram sessions (Figure 26).

Figure 26: Main grabber functions

The stealer also grabs files from the "Windows.old" folder, which holds the backup copy of the previous Windows installation, if present (Figure 27).

Figure 27: Grabber function to collect the backup files from the previous version of Windows

This grabber function searches for crypto wallets under AppData\Roaming (Figure 28), for example for the LevelDB files that store the wallets' private key material:

AppData\Roaming\Guarda\Local Storage\leveldb
AppData\Roaming\atomic\Local Storage\leveldb

Figure 28: Grabber function responsible for crypto wallet search

Below is the grabber function for the Telegram tdata folder. Possession of this folder lets the attacker authenticate as the victim in Telegram Desktop simply by placing the tdata folder next to the Telegram client (Figure 29).
Figure 29: Snippet of the grabber function that searches for Telegram tdata

Like other stealers such as RedLine, Raccoon Stealer, and Vidar Stealer, Aurora Stealer has two modules: grabber and loader. The grabber module retrieves the files or folders specified by the attacker. The gathered files and folders are archived in a zip file named temp.zip stored under %userprofile% (Figures 30-31). The "END_PACKET_ALL_SEND" message is likely used for debug logging.

Figure 30: Grabber module (1)
Figure 31: Grabber module (2)

The stealer stores the loader (Figure 32), grabber, and general configuration within the build in base64-encoded form (Figure 33). The loader module has two options:

Download and Run – the attacker specifies a direct download link to the additional payload.
PowerShell – the attacker specifies a PowerShell command to run on the host.

Figure 32: Loader module
Figure 33: Loader configuration

In the loader configuration:

DW is the downloader parameter.
PS is the PowerShell parameter.
UnicID is the unique identifier.
Argument contains the loader task.

The loader's downloader pulls an executable from the file hosting server at the end of the stealer's execution and places it under the %temp% folder. The stealer then executes the secondary payload with the Start-Process PowerShell cmdlet, as shown in Figure 34.

Figure 34: Loader Downloader module

The grabber module configuration contains the path specified by the attacker from which to grab certain files or folders.
The "FoF" parameter is likely the marker for whether a file/folder grabber task is specified (Figure 35).

Figure 35: Grabber configuration

Aurora Stealer stores its build configuration at the end of the binary in base64-encoded form (Figure 36). If the build has been run through a crypter, however, the configuration will be hidden inside the encrypted layer and has to be recovered from the unpacked payload.

Figure 36: Configuration blob

We wrote a configuration extractor script in Python for Aurora Stealer that looks for base64-encoded patterns within the binary (linked in the Appendix).

The function main_ConnectToServer attempts to connect to the C2 server while printing log messages; if the connection fails, it sleeps for one second and retries (Figure 37). If the connection succeeds, the function exits with code "666" and the log message "BLACK ZONE".

Figure 37: main_ConnectToServer function

The main_PathTrans function replaces the placeholders ^user^, ^document^, and ^desktop^ in the grabber configuration with the paths of %userprofile%, Documents, and Desktop respectively (Figure 38).

Figure 38: main_PathTrans function

March 2023 Update

In March 2023, the stealer developer released the first update since October 2022, as shown in Figure 39.

Figure 39: March update

One of the major changes is the ability to grab FTP (FileZilla) and RDP credentials, along with the ability to change the ports used for the stealer's panel and C2 communication and to specify file extensions and disk drives for the grabber module (Figures 40-41).
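A minimal extractor in the spirit of the one described above, as an added example (not the eSentire script linked in the Appendix and not Aurora's code): it scans the tail of a binary for long base64 runs, keeps those that decode to JSON carrying the loader/grabber keys this report names (DW, PS, UnicID, Argument, FoF), and then applies main_PathTrans-style placeholder expansion to the grabber paths. That each configuration is a JSON object with those keys, the "Paths" key, and the sample "binary" are assumptions constructed for the example; against a real sample the field layout must be confirmed from the decoded blob.

```python
"""Recover base64 configuration blobs from the tail of a binary and expand
Aurora-style grabber placeholders.

Added example; not the eSentire extractor and not Aurora's code. Assumptions:
each config decodes to a JSON object carrying at least one of the keys the
report names (DW, PS, UnicID, Argument, FoF); the "Paths" key and the sample
"binary" are constructed for this example.
"""
import base64
import binascii
import json
import ntpath
import re

# A run of base64 characters long enough to be a config rather than noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
KNOWN_KEYS = {"DW", "PS", "UnicID", "Argument", "FoF"}
# Placeholders the report says main_PathTrans rewrites (empty = %USERPROFILE% itself).
PLACEHOLDERS = {"^user^": "", "^desktop^": "Desktop", "^document^": "Documents"}


def find_configs(data: bytes, tail: int = 4096) -> list:
    """Decode every base64 run in the last `tail` bytes that is a config object."""
    configs = []
    for match in BASE64_RUN.finditer(data[-tail:]):
        try:
            obj = json.loads(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # Go build IDs, padding, random base64-looking bytes
        if isinstance(obj, dict) and obj.keys() & KNOWN_KEYS:
            configs.append(obj)
    return configs


def translate_path(value: str, userprofile: str) -> str:
    """main_PathTrans equivalent: ^user^ -> %USERPROFILE%, ^desktop^ -> ...\\Desktop, etc."""
    for token, sub in PLACEHOLDERS.items():
        value = value.replace(token, ntpath.join(userprofile, sub) if sub else userprofile)
    return value


def expand_grabber_paths(config: dict, userprofile: str) -> dict:
    """Return a copy of a grabber config with every string placeholder expanded."""
    def walk(node):
        if isinstance(node, str):
            return translate_path(node, userprofile)
        if isinstance(node, list):
            return [walk(n) for n in node]
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        return node
    return walk(config)


# Constructed sample: two configs appended after the code, separated by NULs,
# plus a decoy base64 run that is not JSON. Values are illustrative only.
LOADER_CFG = {"DW": "1", "PS": "0", "UnicID": "1001",
              "Argument": "https://files.example.test/update.exe"}
GRABBER_CFG = {"FoF": "1",
               "Paths": ["^desktop^\\*.txt", "^document^\\wallet.dat", "^user^\\.ssh"]}
SAMPLE_BINARY = (
    b"\x90" * 512
    + base64.b64encode(b"A" * 48) + b"\x00"                        # decoy, not JSON
    + base64.b64encode(json.dumps(LOADER_CFG).encode()) + b"\x00"
    + base64.b64encode(json.dumps(GRABBER_CFG).encode()) + b"\x00"
)

if __name__ == "__main__":
    for cfg in find_configs(SAMPLE_BINARY):
        print(expand_grabber_paths(cfg, r"C:\Users\victim"))
```

Run against an unpacked sample, the decoded objects give both the loader task (the URL or PowerShell the operator staged) and the exact paths the grabber will sweep, which is what a responder needs to scope what left the host.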
Figure 40: Port settings in the panel
Figure 41: Snippet of the FTP grabber

Besides the WMIC commands mentioned at the beginning of this report, the stealer developer added two new commands that run upon execution of the malware:

cmd.exe /c "wmic csproduct get uuid" – retrieves the universally unique identifier (UUID) of the computer's system product.
systeminfo – displays detailed information about the operating system, hardware, and software components of the Windows computer.

Upon execution of the stealer, PowerShell processes are spawned to copy browsing data such as cookies, history, and credentials to a randomly named folder under AppData\Local\Temp. An example command (username redacted):

powershell "" "copy \"C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\\AppData\Local\Temp\\""

C2 Communication & Stealer Logs

Aurora Stealer uses port 8081 by default to communicate with the C2 server, so before installing the stealer panel on the attacker's server the operator has to allow inbound traffic on port 8081 through the firewall (Figure 42).

Figure 42: Stealer logs sent to the C2 server

The stealer logs are sent to the C2 server as JSON that is GZIP-compressed and then base64-encoded. On the server, the logs are stored in the Aurora build folder under the name [Country]HWID_BuildID (Figures 43-44).
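The host-side behaviour described in this section and in "The Case of a Cheshire Cat" (the WMIC reconnaissance burst and the PowerShell copy of browser stores into Temp) turned into detection logic, as an added example that is not eSentire's detection content: it runs over Sysmon-style process-creation records. The record field names (ts, host, pid, ppid, image, cmdline), the thresholds and the sample events are assumptions constructed for the example.

```python
"""Flag the Aurora execution chain in process-creation telemetry.

Added example; not eSentire's detection content. Two checks run over
Sysmon-style process-creation records: (1) a burst of the WMIC reconnaissance
queries this report lists, issued from one parent process, and (2) a
PowerShell `copy` of a Chromium credential or cookie store into
%LOCALAPPDATA%\\Temp. Field names and the sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The four WMIC queries the report documents (original and March 2023 ones).
WMIC_RECON = [
    re.compile(r"\bos\s+get\s+caption\b", re.I),
    re.compile(r"\bcpu\s+get\s+name\b", re.I),
    re.compile(r"\bpath\s+win32_videocontroller\s+get\s+name\b", re.I),
    re.compile(r"\bcsproduct\s+get\s+uuid\b", re.I),
]
RECON_THRESHOLD = 3                   # distinct queries from one parent ...
RECON_WINDOW = timedelta(seconds=60)  # ... inside this window; a lone query is noise
BROWSER_STORE = re.compile(r'\\User Data\\[^"]+?\\(Login Data|Cookies|Web Data|History)\b', re.I)
TEMP_DEST = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def detect(events: list) -> list:
    """Return one alert string per detected behaviour."""
    alerts = []
    recon = defaultdict(list)  # (host, parent pid) -> [(time, query index)]
    for ev in events:
        cmd, when = ev["cmdline"], datetime.fromisoformat(ev["ts"])
        if "wmic" in cmd.lower():
            for idx, pattern in enumerate(WMIC_RECON):
                if pattern.search(cmd):
                    recon[(ev["host"], ev["ppid"])].append((when, idx))
        if (ev["image"].lower().endswith("powershell.exe")
                and re.search(r"\bcopy\b", cmd, re.I)
                and BROWSER_STORE.search(cmd) and TEMP_DEST.search(cmd)):
            alerts.append(f"{ev['host']}: PowerShell staged a browser credential store "
                          f"under Temp (pid {ev['pid']})")
    for (host, ppid), hits in recon.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {idx for t, idx in hits[i:] if t - start <= RECON_WINDOW}
            if len(distinct) >= RECON_THRESHOLD:
                alerts.append(f"{host}: WMIC OS/CPU/GPU recon burst from parent pid {ppid}")
                break
    return alerts


# Constructed sample: WS01 shows the full chain from parent pid 4100; WS02 is a
# single benign query from an admin shell.
SAMPLE_EVENTS = [
    {"ts": "2023-03-20T10:00:01", "host": "WS01", "pid": 4412, "ppid": 4100,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get Caption"},
    {"ts": "2023-03-20T10:00:02", "host": "WS01", "pid": 4420, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd /C "wmic cpu get name"'},
    {"ts": "2023-03-20T10:00:02", "host": "WS01", "pid": 4428, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /C "wmic path Win32_VideoController get name"'},
    {"ts": "2023-03-20T10:00:03", "host": "WS01", "pid": 4436, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "wmic csproduct get uuid"'},
    {"ts": "2023-03-20T10:00:09", "host": "WS01", "pid": 4500, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell "" "copy \"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\jdoe\AppData\Local\Temp\a1b2c3\""'},
    {"ts": "2023-03-20T11:15:00", "host": "WS02", "pid": 912, "ppid": 880,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get Caption"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The recon check keys on the parent process rather than the host so that a single stealer process issuing the queries stands out while routine inventory tooling that runs one query at a time does not; `systeminfo` is deliberately left out of the burst because it is too common on its own.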
Figure 43: Stealer logs
Figure 44: Stealer logs (UserInformation file)

The cache folder contains the database files extracted from the infected host, with cookies and credentials still in encrypted form, as well as debug logs (Figure 45).

Figure 45: Cache folder

The attacker(s) can also configure the panel to push stealer-log notifications to Telegram, where CDD stands for "Cookies Detected" and PDD for "Passwords Detected" (Figure 46).

Figure 46: Telegram notification settings

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

- Performing global threat hunts for indicators associated with Aurora Stealer.
- Implementing threat detections to identify malicious command execution and ensure that eSentire has visibility and detections in place across eSentire MDR for Endpoint.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
Recommendations from eSentire's Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Aurora Stealer malware:

- Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
- Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees about emerging threats in the threat landscape.
- Encourage your employees to use password managers instead of the password storage feature provided by web browsers. Use master passwords where applicable.

While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulty at which critical business decisions must be made. Preventing the various attack techniques and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.

eSentire's TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats. If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Yara rule

rule AuroraStealer
{
    meta:
        author = "eSentire Threat Intelligence"
        description = "Detects the Build/Group IDs if present / detects an unobfuscated AuroraStealer"
        date = "3/24/2023"
    strings:
        // Two code patterns from the unobfuscated Go binary: LEA RCX,[RIP+disp32] followed by a near CALL
        $b1 = { 48 8D 0D ?? ?? 04 00 E8 ?? ?? EF FF }
        $b2 = { 48 8D 0D ?? ?? 05 00 E8 ?? ?? EF FF }
        $ftp = "FOUND FTP"
        $go = "Go build ID"
        $machineid = "MachineGuid"
    condition:
        3 of them
}

MITRE ATT&CK

Tactic            | ID               | Technique                                                        | Description
------------------|------------------|------------------------------------------------------------------|------------
Reconnaissance    | T1592            | Gather Victim Host Information                                   | During initial execution, Aurora Stealer gathers information on the OS, processor name and video controller.
Initial Access    | T1189            | Drive-by Compromise                                              | Aurora Stealer is delivered via a website hosting a fake software installer.
Defense Evasion   | T1027.001        | Binary Padding                                                   | Aurora Stealer's build panel offers a file pump feature that appends null bytes to the stealer payload.
Credential Access | T1555, T1555.003 | Credentials from Password Stores, Credentials from Web Browsers | Aurora Stealer steals sensitive data from browsers, including credentials, cookies and saved credit cards, as well as FTP and RDP credentials.
Discovery         | T1082            | System Information Discovery                                     | The stealer enumerates the host for hardware and geographical information as well as the screen size.
Collection        | T1113            | Screen Capture                                                   | The stealer takes a screenshot of the infected machine and sends it to the C2.
Exfiltration      | T1020            | Automated Exfiltration                                           | The stealer automatically exfiltrates the gathered files to the C2. File grabbing options can be customized by the attacker.

Indicators of Compromise

Name           | Indicator
---------------|----------
Aurora Stealer | 306fc85ff1c7e06f631c37d60d4ad98b (MD5)
Aurora Stealer | da1548613d5fa9520931952675f92ca9 (MD5)
Aurora Stealer | 16b349b80ef9e6d6a86e768b4e01fc4c (MD5)
Aurora Stealer | aa349ad45bb48e85b5cd1b55308ae835353859219f28ece9685c8ae552e8e63a (SHA-256)
C2             | 212.87.204.93:8081
C2             | 185.106.93.245:8081
C2             | 185.106.93.135:8081
C2             | 195.123.218.52:8081

Appendix

https://www.esentire.com/security-advisories/increased-activity-in-google-ads-distributing-information-stealers
https://twitter.com/1ZRR4H/status/1618136958596960256?s=20&t=UWEJ4jIxIg4XXv384Ibwow
https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#14
https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata
https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata
https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/
https://github.com/RussianPanda95/Configuration_extractors/blob/main/aurora_config_extractor.py

To learn how your organization can build cyber resilience and prevent business disruption with eSentire's Next Level MDR, connect with an eSentire Security Specialist now.

ABOUT ESENTIRE'S THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service.
By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer