{
	"id": "b5a1a6b7-6713-46c0-9656-a8d062e47daa",
	"created_at": "2026-04-06T00:15:11.298525Z",
	"updated_at": "2026-04-10T03:36:48.454042Z",
	"deleted_at": null,
	"sha1_hash": "d807470f35df92442ce64dce13d331f0ab1d2bfc",
	"title": "AURA Stealer: A Crude Clone of LummaC2 –  Technical Analysis and Threat Breakdown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58516,
	"plain_text": "AURA Stealer: A Crude Clone of LummaC2 – Technical Analysis\r\nand Threat Breakdown\r\nBy Foresiet\r\nPublished: 2025-07-29 · Archived: 2026-04-05 22:50:23 UTC\r\nExecutive Summary\r\nAURA Stealer is a newly emerging information-stealing malware that presents itself as a streamlined alternative\r\nto more established stealer families such as LummaC2. Marketed as a carefully engineered solution, AURA is\r\npositioned by its developers as purpose-built for efficiency and results—eschewing unnecessary complexity in\r\nfavor of a focused and modular design.\r\nThe stealer claims support for the extraction of credentials, session data, and autofill information from over 110\r\nbrowsers and 70 applications, including cryptocurrency wallets and 2FA tools. Additionally, it is configured to\r\ntarget data from more than 250 browser extensions, with the flexibility to expand its coverage through\r\ncustomizable configuration updates—allowing threat actors to add new applications or extensions with minimal\r\neffort.\r\nA notable technical feature includes cookie harvesting from Chromium-based browsers without terminating the\r\nbrowser process, reducing user disruption and avoiding cookie invalidation. The malware leverages custom\r\nshellcode for decrypting App-Bound data, with all sensitive decryption handled server-side, limiting suspicious\r\nbehavior on the infected host.\r\nAURA also includes a built-in loader for delivering secondary payloads, and the overall binary size remains\r\nlightweight at approximately 500–700 KB, thanks to a from-scratch development approach fortified by a custom\r\nmorpher to evade static detection.\r\nWhile AURA attempts to mirror the operational blueprint of more advanced stealers, technical analysis reveals its\r\nlimited evasive capabilities and flawed implementation. Despite its marketed strengths, it remains a low-quality\r\nclone with questionable reliability in live environments.\r\nBackground and Initial Discovery\r\nThe sample was retrieved from an underground forum. Tagged as Lumma, it caught our attention due to a newly\r\nsurfaced blog on Telegra.ph which openly mocked it as a “low-quality LummaC2 parody.”\r\nSHA256 Hash: bac52ffc8072893ff26cdbf1df1ecbcbb1762ded80249d3c9d420f62ed0dc202\r\nhttps://foresiet.com/blog/aura-stealer-malware-analysis/\r\nPage 1 of 7\n\nFile Type: PE32 executable\r\nPackers: LLVM Morphing Engine\r\nExecution Method: Process hollowing via rundll32.exe\r\nIntroduction to AURA Stealer\r\nAURA Stealer positions itself as a modern info-stealer offering:\r\nBrowser password harvesting\r\nCryptocurrency wallet stealing\r\nFingerprinting (OS, hardware, user)\r\nBasic evasion (anti-debug, region bypass)\r\nSubscription-based C2 infrastructure\r\nHowever, upon deeper reverse engineering, we found numerous signs of amateur development and reused\r\nmodules from LummaC2 without proper implementation.\r\nSubscription \u0026 Panel Overview\r\nAURA Stealer is offered under a subscription-based model, making it accessible to a wide range of threat actors\r\nwith varying technical and financial capabilities. According to promotional material and screenshots of the threat\r\nactor’s control panel, two subscription tiers are available. The Basic tier, priced at $2.95 per month, provides\r\naccess to harvested logs, enabling actors to view and potentially resell stolen credentials and data. The Advanced\r\ntier, offered at $5.85 per month, unlocks the full functionality of the stealer’s panel.\r\nThis includes capabilities such as a build generator, comprehensive statistics view, and full control over\r\nconfigurations, allowing operators to customize payloads and monitor infection metrics with ease. The low pricing\r\nmodel suggests a deliberate attempt to attract a broader base of low-skilled cybercriminals looking for ready-to-use tools.\r\nInfection Chain \u0026 Execution Flow\r\nUpon execution, AURA Stealer initiates its infection chain by spawning a hollowed rundll32.exe process, a\r\ncommonly abused Windows binary used to mask malicious activity behind a legitimate system process.\r\nWithin this process, the malware allocates a read-write-execute (RWX) memory region, where it injects custom\r\nshellcode. This shellcode is then executed to begin the core data harvesting routine.\r\nBehavioral analysis reveals a typical execution pattern seen in commodity stealers, lacking advanced techniques\r\nsuch as memory encryption, API unhooking, or multi-stage loaders. Dynamic sandbox testing indicates that\r\nAURA does not implement sophisticated memory protection mechanisms or deep obfuscation layers, making it\r\ndetectable by behavioral and heuristic-based solutions.\r\nDespite using process hollowing, a well-known stealth technique, AURA’s implementation is rudimentary,\r\nindicating minimal effort to bypass modern endpoint defenses.\r\nStatic Analysis\r\nStatic analysis of the AURA Stealer payload, dumped using Scylla and disassembled in IDA, uncovers several\r\nnotable characteristics that reflect both the tool’s simplicity and its targeted design.\r\nThe malware leverages the nlohmann::json C++ library, commonly used for lightweight JSON parsing, to handle\r\nconfiguration data and manage structured communication with its command-and-control (C2) infrastructure.\r\nString obfuscation is handled through classic XOR-based encryption routines, a low-effort technique that adds\r\nminimal complexity to reverse engineering but is often sufficient to evade basic static signatures.\r\nOne of the more technical evasion tactics includes resolving all API imports dynamically via\r\nLdrGetProcedureAddress, instead of the conventional GetProcAddress. This subtle deviation is aimed at\r\nbypassing import-based detection heuristics and static analysis tools that rely on import tables.\r\nHardcoded string artifacts discovered within the binary include process and module names such as Ollydbg.exe,\r\nWookx.dll, and avghookx.dll, suggesting rudimentary anti-debugging and anti-analysis checks. These are likely\r\nused to detect and avoid execution in monitored or sandboxed environments.\r\nAdditionally, the binary contains regional geofiltering logic, with hardcoded ISO country codes for several CIS-region countries, including Russia (RU), Kazakhstan (KZ), and Uzbekistan (UZ). This implies a deliberate choice\r\nto avoid infecting systems within those jurisdictions, a common practice among threat actors operating from or\r\ncatering to post-Soviet regions, possibly to avoid local law enforcement scrutiny.\r\nAnti-Debugging \u0026 Anti-Analysis Techniques\r\nAURA Stealer employs a limited but deliberate set of anti-debugging and anti-analysis techniques aimed at\r\nevading detection and frustrating manual analysis. Among the first mechanisms observed is debugger detection,\r\nspecifically targeting tools such as OllyDbg, identified by checking for the presence of associated processes or\r\nwindow titles.\r\nThe malware also performs regional avoidance checks, skipping execution on systems located in CIS countries\r\nsuch as Russia, Kazakhstan, and Uzbekistan—reinforcing the hypothesis that the developers aim to avoid drawing\r\nattention from local authorities.\r\nAnother technique involves the use of the Windows API function MapFileAndCheckSumW, typically used for\r\nvalidating file integrity. In this context, it’s repurposed as a lightweight integrity check to detect tampering or\r\nruntime manipulation, such as code injection or binary modification.\r\nAdditional anti-analysis methods include window title string checks (to detect analysis tools) and registry key\r\nlookups associated with sandbox environments or virtual machines.\r\nWhile these mechanisms demonstrate basic awareness of reverse engineering environments, they lack depth and\r\nsophistication. Most of the checks can be bypassed with simple binary patching, sandbox evasion scripts, or\r\ndebugger cloaking tools—underscoring AURA’s relatively low barrier to analysis.\r\nThis screenshot confirms successful binary unpacking. It shows restored imports from KERNEL32.dll, including\r\nfunctions like ExitProcess, CreateFileW, CreateThread, and others—indicating typical stealer capabilities (file\r\naccess, thread management, process control).\r\nC2 Infrastructure \u0026 Network Activity\r\nAURA Stealer communicates with its command-and-control (C2) infrastructure primarily over HTTP, using\r\nplaintext POST requests to exfiltrate victim data. Upon execution, the malware sends a system fingerprint to its\r\nC2 domain—http://glossmagazine.shop/—which typically includes OS version, browser count, installed\r\napplications, and other environment details. The C2 responds with instructions in JSON format, enabling real-time\r\ntasking such as additional payload delivery or configuration updates.\r\nAnalysis reveals that this infrastructure is reused across multiple campaigns, some of which appear to overlap with\r\nLummaC2 operations, indicating either shared infrastructure, kit reselling, or actor crossover. The consistent reuse\r\nof infrastructure suggests operational laziness or an attempt to rapidly deploy campaigns without concern for\r\nattribution risks.\r\nSeveral additional domains have been observed in association with AURA-related stealer activity and panel\r\nlogins:\r\nsoftytoys[.]shop\r\nauracorp[.]cc\r\nsecondhandcloth[.]shop\r\narmydevice[.]shop\r\nopencamping[.]shop\r\nglossmagazine[.]shop\r\nThese domains serve either as C2 endpoints or as web panels for actor access to logs, build generation, and\r\ncampaign management. The use of low-cost, disposable .shop and .cc domains aligns with trends seen in other\r\nstealer-as-a-service operations, reflecting a focus on low overhead and ease of replacement upon takedown or\r\nblacklisting.\r\nAURA vs. LummaC2: Comparison\r\nAURA attempts to mimic Lumma but fails in reliability and stealth.\r\nConclusion\r\nAURA Stealer positions itself as a competitor to LummaC2, mimicking its branding, architecture, and\r\nsubscription model, but falls significantly short in terms of quality and sophistication. The malware suffers from\r\npoor operational security (OPSEC), basic anti-analysis measures, and weak implementation of core stealer\r\nfunctionalities. These flaws make it easier to reverse-engineer, detect, and mitigate, especially for organizations\r\nwith mature threat detection capabilities.\r\nDespite its shortcomings, AURA still presents a real threat to unprotected systems, particularly those lacking\r\nendpoint detection and response (EDR) solutions or relying solely on signature-based antivirus. Its low cost, ease\r\nof use, and active promotion make it appealing to low-skill threat actors looking to harvest credentials, cookies,\r\nand other sensitive information at scale.\r\nSecurity teams are advised to track associated domains, monitor for typical process injection patterns (e.g.,\r\nhollowed rundll32.exe), and apply behavioral detection rules tailored to info-stealer activity. Early identification\r\nand proactive blocking can prevent compromise, even from unsophisticated threats like AURA.\r\nAbout us!\r\nForesiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection\r\nSaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against\r\ndata breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and\r\nsupply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key\r\ncomponent of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is\r\nassured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party\r\nregulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious\r\nemails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.\r\nSource: https://foresiet.com/blog/aura-stealer-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://foresiet.com/blog/aura-stealer-malware-analysis/"
	],
	"report_names": [
		"aura-stealer-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d807470f35df92442ce64dce13d331f0ab1d2bfc.pdf",
		"text": "https://archive.orkl.eu/d807470f35df92442ce64dce13d331f0ab1d2bfc.txt",
		"img": "https://archive.orkl.eu/d807470f35df92442ce64dce13d331f0ab1d2bfc.jpg"
	}
}