Threat actors deploy 'AuraStealer' malware with 48 command-and-control servers in active campaigns.

An emerging information stealer known as AuraStealer has been active across the cyber-security landscape since around mid-2025.

Developed and regularly updated by a predominantly Russian team, the malware surfaced on darknet hacking forums in July 2025, coinciding with the collapse of the Lumma stealer's network, which left an apparent void in the illicit data-theft market.

The threat actor quickly filled this void with AuraStealer, which competes directly with LummaC2 through its paid subscription model, advanced dashboard features, and growing user base.

The malware was first advertised on July 8, 2025, on the XSS forum under the handle "AuraCorp", in a comprehensive Russian-language post outlining its capabilities, accompanied by panel screenshots and terms of service.

Similar announcements followed on Exploitsite on August 7, 2025, and on DarkMarket on November 29, 2025; the malware was also promoted widely on platforms such as BlackBones, Sinister, Enclaves, and DarkStashes during December 2025.

Translated Russian-language post on XSS promoting the newly released AuraStealer malware (Source: Intrinsec)
The developer claims the software was built by experienced specialists and can harvest data from at least 110 web browsers, 70 applications, and 250 browser extensions, positioning it as a deliberately broad threat.


Researchers identified AuraStealer as a growing threat backed by a sophisticated command-and-control (C2) infrastructure. By analyzing more than 200 samples uploaded to VirusTotal, the study identified 48 C2 domains associated with AuraStealer activity.

The threat actor relies heavily on .STORE and .CFD domains, cheap TLDs that are frequently abused by cost-conscious operators, and hides the true infrastructure by routing all connections through Cloudflare.

Researchers observed the C2 infrastructure shifting toward .SHOP and .CFD domains in more recent malware samples, indicating ongoing development.
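The two infrastructure traits described above (cheap .STORE/.CFD/.SHOP TLDs and Cloudflare fronting) can be combined into a triage heuristic for DNS-resolver logs. This is an added example, not code from the original report or from Intrinsec; the log format, the sample lines and the subset of Cloudflare ranges are constructed assumptions.

```python
import ipaddress
import re

# Heuristic derived from the reporting above: AuraStealer C2 domains sit on
# cheap TLDs (.store, .cfd, increasingly .shop) and are fronted by Cloudflare.
# Neither trait is malicious on its own; together they mark a host for review.
SUSPECT_TLDS = {"store", "cfd", "shop"}

# Illustrative subset of Cloudflare's published IPv4 ranges (assumption: in
# production, load the current list from https://www.cloudflare.com/ips/).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "188.114.96.0/20", "162.158.0.0/15",
)]

# Constructed log format: "<timestamp> <client_ip> <queried_domain> <resolved_ip>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def is_cloudflare(ip: str) -> bool:
    """True if the resolved address falls inside a known Cloudflare range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_NETS)

def tld_of(domain: str) -> str:
    """Return the lower-cased last label, tolerating a trailing dot."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()

def flag_suspect_c2(lines):
    """Return (domain, client_ip) pairs that match both heuristics."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the triage run
        _ts, client, domain, resolved = m.groups()
        if tld_of(domain) in SUSPECT_TLDS and is_cloudflare(resolved):
            hits.append((domain.lower(), client))
    return hits

# Constructed sample resolver log lines (not real indicators).
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 update-checker.example.cfd 104.21.33.7
2025-12-01T10:00:02Z 10.0.0.5 www.wikipedia.org 208.80.154.224
2025-12-01T10:00:03Z 10.0.0.9 cdn-assets.example.store 172.67.140.12
2025-12-01T10:00:04Z 10.0.0.9 legit-shop.example.shop 203.0.113.10
malformed line here
""".splitlines()

if __name__ == "__main__":
    for domain, client in flag_suspect_c2(SAMPLE_LOG):
        print(f"review: {client} -> {domain} (cheap TLD behind Cloudflare)")
```

The .shop host resolving outside Cloudflare is deliberately not flagged, showing why both conditions are required to keep the false-positive rate usable.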

Mapping of AuraStealer samples and C2 domains
The malware's dashboard provides everything needed to manage campaigns: campaign creation, filtering, geographic statistics displayed in charts, and Telegram bot integration for accessing stolen data.

Two subscription tiers are offered: a basic package at $295 per month and an advanced package at $585 per month.

AuraStealer packages (Source: Intrinsec)
The developer claims that former users of Lumma, StealC, Vidar, and Rhadamanthys are migrating to AuraStealer, and several active campaigns have been observed in the wild.

The malware collects a wide range of data: browser credentials, cryptocurrency wallets, two-factor authentication codes, Discord, Telegram, and Steam sessions, VPN configurations, password-manager vaults such as KeePass and Bitwarden, clipboard contents, and screenshots taken on the victim's device.

ClickFix and Loader-Based Delivery Chains
AuraStealer is typically delivered to victims through social engineering.
