HOMETHREATSAurora Stealer
APT / THREAT GROUP

Aurora Stealer

1
victims
2
aliases
Last seen:Mar 17, 2026

Intelligence Profile

First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets, local systems, and act as a loader. During execution, the malware runs several commands through WMIC to collect basic host information, snaps a desktop image, and exfiltrates data to the C2 server within a single base64-encoded JSON file.

Threat Analysis

Aurora Stealer is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Ransomware Victims (1)

CTIWATCH tracks 1 organizations claimed as victims by Aurora Stealer on its data leak site, with attack dates, sectors and countries.

View full victims list →

External References

Quick Facts

TypeAPT / Threat Group
Aliases2

Also Known As

Aurora Stealerwin.aurora_stealer

External Intelligence

Malpedia: win.aurora_stealer

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.