Aurora Stealer Malware

A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of multiple campaigns designed to steal sensitive information from compromised hosts.

"These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites," cybersecurity firm SEKOIA said.

First advertised on Russian cybercrime forums in April 2022 by a threat actor calling themselves Cheshire, Aurora was offered as a commodity malware for other threat actors, describing it as a "multi-purpose botnet with stealing, downloading and remote access capabilities."

In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram.

Aurora also comes with a loader that can deploy a next-stage payloading using a PowerShell command.

Aurora Stealer Malware

The cybersecurity company said at least different cybercrime groups, called traffers, who are responsible for redirecting user's traffic to malicious content operated by other actors, have added Aurora to their toolset, either exclusively or alongside RedLine and Raccoon.

"Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader," SEKOIA said. "Sold at a high price on market places, collected data is of particular interest to cybercriminals, allowing them to carry out follow-up lucrative campaigns, including Big Game Hunting operations."

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.


The development also comes as researchers from Palo Alto Networks Unit 42 detailed an enhanced version of another stealer called Typhon Stealer.

The new variant, dubbed Typhon Reborn, is designed to steal from cryptocurrency wallets, web browsers, and other system data, while removing previously existing features like keylogging and cryptocurrency mining in a likely attempt to minimize detection.

"Typhon Stealer provided threat actors with an easy to use, configurable builder for hire," Unit 42 researchers Riley Porter and Uday Pratap Singh said.

"Typhon Reborn's new anti-analysis techniques are evolving along industry lines, becoming more effective in the evasion tactics while broadening their toolset for stealing victim data."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.