AuraStealer Infostealer Targeting Users with 48 C2 Domains in Ongoing Campaigns
Threat actors are actively deploying a new infostealer dubbed “AuraStealer,” backed by a growing customer base, 48 identified command‑and‑control (C2) domains, and multiple ongoing campaigns abusing popular platforms like TikTok and cracked‑software sites.
AuraStealer emerged on Russian‑language cybercrime forums in mid‑2025, positioning itself as a successor and competitor to LummaC2 in the wake of Lumma’s 2025 takedown.
The malware is sold under a subscription model with “Basic” and “Advanced” tiers, advertised by the “AuraCorp” team, who claim 5–11 years of experience and a professional development pipeline.
Researchers note that, while early versions were less mature than established stealers like Rhadamantys and Vidar, development is fast and feature updates are frequent.

According to forum posts and interviews, AuraStealer’s authors claim to have quickly attracted customers migrating from Lumma, StealC, Vidar, and Rhadamantys, suggesting rapid adoption in the cybercriminal ecosystem.
For this report, shared with our clients in January 2026, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats.
The project roadmap also includes adding code virtualization to make reverse engineering significantly harder in future versions.
AuraStealer Infostealer
Analysts have mapped 48 AuraStealer C2 domains, mostly using the cheap and easily abused .SHOP and .CFD top‑level domains.
These domains, including auracorp.cfd, mscloud.cfd, magicupdate.cfd, gamedb.shop, browsertools.shop, and clocktok.cfd, are fronted by Cloudflare, which acts as a reverse proxy to hide the true backend server.
Each domain uses a distinct Cloudflare origin certificate, but all resolve to the same backend stack, likely a single server running outdated components such as Apache 2.2.22, PHP 5.4.45, CodeIgniter 3.1.11 and Symfony 3.4.26.

By correlating malware configurations, HTTP headers and internet‑wide search engines, researchers observed domain clusters tied to specific malware versions.
Early versions (1.0.x–1.2.x) primarily used .SHOP domains, while the latest 1.5.2 samples lean toward .CFD addresses, indicating a probable infrastructure rotation from .SHOP to .CFD over time.
LuxHost and Nicenic appear as registrars or DNS providers for parts of this infrastructure, further linking the clusters to a common operator.
The same login page has been found in the screenshot history of the 21 C2 domain names extracted from the configuration of more than 200 hundred AuraStealer samples found in the VirusTotal database.

AuraStealer campaigns rely on flexible delivery chains that combine social engineering with commodity loaders. One prominent vector is “ClickFix” TikTok scams: short videos promise free activation of Windows, Microsoft 365, Adobe products, Netflix or Spotify and instruct victims to run a one‑line PowerShell command as administrator.
The command fetches and executes a remote PowerShell script that ultimately downloads an AuraStealer payload, such as from file‑epq.pages.dev/updater.exe.
Beyond TikTok, AuraStealer has been distributed through self‑extracting archives, fake cleaning tools like “Gcleaner,” and generic loaders that inject the stealer into legitimate Windows processes such as regasm.exe and SndVol.exe.
Several campaigns use Donut shellcode loaders or “Soulbind” loaders, which in turn download AuraStealer from attacker‑controlled IP addresses like 94.154.35.115 and 130.12.180.43 hosts that also serve other families including Stealc, Rhadamanthys, Vidar, SalatStealer, NJRAT and multiple RATs.
Aggressive anti‑analysis
AuraStealer operators manage infections through a web panel hosted at auracorp.cfd, featuring dashboards, build generation, log filtering and Telegram bot integration for exfiltration alerts.

The login workflow embeds a JavaScript proof‑of‑work puzzle that forces the browser to compute a SHA‑256 hash with 16 leading zeros before the form is accepted, blocking most automated scanners, basic scripts and mass brute‑force attempts.
Code snippets in the panel include Russian strings, reinforcing attribution to Russian‑speaking actors.
On the endpoint, version 1.5.2 employs extensive obfuscation and anti‑analysis techniques: indirect control‑flow, exception‑driven API hashing, XOR‑encrypted strings, VM and sandbox checks, debugger detection, integrity checks, and even “hidden” stack corruption when hooks or breakpoints are detected.
The stealer halts execution on systems geolocated to certain CIS regions, indicating deliberate targeting choices.
Once checks pass, AuraStealer harvests credentials and data from over 100 browsers and 70 applications, including cryptocurrency wallets, 2FA tools, VPN clients, password managers and remote access software, then exfiltrates everything over AES‑CBC‑encrypted HTTPS to three dedicated endpoints (apilive, apiconf, apisend) on its rotating C2 infrastructure.
With its expanding feature set, growing infrastructure and active campaigns, AuraStealer is rapidly evolving from an upstart infostealer into a significant credential‑theft threat that defenders must start tracking closely.