MALWARE FAMILY

Aurora Stealer

Internal ID: win.aurora_stealer
Victims: 18
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets, and local systems, and can also act as a loader. During execution, it runs several commands through WMIC to collect basic host information, captures a screenshot of the desktop, and exfiltrates the collected data to the C2 server in a single base64-encoded JSON file.

Threat Analysis

Aurora Stealer is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Ransomware Victims (18)

CTIWATCH tracks 18 organizations claimed as victims by Aurora Stealer on its data leak site, with attack dates, sectors and countries.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.aurora_stealer

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.