Aurora Stealer
Intelligence Profile
First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets and the local system, and also acts as a loader. During execution, it runs several commands through WMIC to collect basic host information, captures a screenshot of the desktop, and exfiltrates the collected data to the C2 server as a single base64-encoded JSON file.
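The two behaviours above that a defender can key on are the WMIC host survey and the single base64-encoded JSON upload. The following is an added detection sketch, not CTIWATCH tooling or any code from the Aurora Stealer family: the process-event field names (`Image`, `ParentImage`), the allowlist of expected wmic.exe parents, the survey-related JSON keys, the 256-byte size threshold and all sample telemetry are assumptions constructed for illustration.

```python
import base64
import binascii
import json

# Added illustration only. Field names, allowlist, hint keys and thresholds are assumptions.

# Parent processes from which a wmic.exe launch is unremarkable (assumed allowlist).
EXPECTED_WMIC_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe"}

# JSON keys that suggest a host/browser/wallet survey rather than an app payload (assumed).
SURVEY_HINT_KEYS = {"hostname", "os", "cpu", "gpu", "browsers", "wallets", "screenshot"}


def decode_b64_json(body: str):
    """Return the dict carried by a strictly base64-encoded JSON body, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # bad alphabet/padding, bad UTF-8, bad JSON
        return None
    return obj if isinstance(obj, dict) else None


def exfil_indicators(body: str, min_len: int = 256):
    """List the reasons an outbound POST body resembles a single-blob stealer upload."""
    hits = []
    obj = decode_b64_json(body)
    if obj is None:
        return hits
    hits.append("base64_json_body")
    if len(body) >= min_len:
        hits.append("large_blob")
    if SURVEY_HINT_KEYS & {k.lower() for k in obj}:
        hits.append("survey_keys")
    return hits


def wmic_from_unexpected_parent(event: dict) -> bool:
    """True when wmic.exe is spawned by a parent outside the assumed allowlist."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return image == "wmic.exe" and parent not in EXPECTED_WMIC_PARENTS


def _b64_json(d: dict) -> str:
    """Build a constructed base64 JSON body for the samples below."""
    return base64.b64encode(json.dumps(d).encode()).decode()


# Constructed sample telemetry (not real captures of the malware).
SAMPLE_BODIES = {
    "survey": _b64_json({"hostname": "WS-01", "os": "Windows 10",
                         "browsers": ["x" * 300], "screenshot": "AAAA"}),
    "benign_json": _b64_json({"status": "ok"}),
    "plain_text": "user=alice&action=login",
}

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def triage(bodies=SAMPLE_BODIES, events=SAMPLE_EVENTS, min_hits: int = 2):
    """Report bodies with at least min_hits indicators and wmic launches from odd parents."""
    flagged_bodies = {}
    for label, body in bodies.items():
        hits = exfil_indicators(body)
        if len(hits) >= min_hits:
            flagged_bodies[label] = hits
    flagged_events = [e for e in events if wmic_from_unexpected_parent(e)]
    return flagged_bodies, flagged_events


if __name__ == "__main__":
    bodies, events = triage()
    for label, hits in bodies.items():
        print(f"suspicious upload '{label}': {', '.join(hits)}")
    for e in events:
        print(f"wmic.exe launched by unexpected parent: {e['ParentImage']}")
```

A lone base64 JSON body is weak evidence on its own, which is why `triage` requires at least two indicators before reporting a body; the wmic parent check is meant to be correlated with the upload from the same host rather than alerted on by itself.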
Threat Analysis
Aurora Stealer is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.
Ransomware Victims (18)
CTIWATCH tracks 18 organizations claimed as victims by Aurora Stealer on its data leak site, with attack dates, sectors and countries.