Security Advisory: Discovery of “Auraboros,” an Unauthenticated, High-Capability RAT Framework
In a significant finding for the threat intelligence community, a previously undocumented Remote Access Trojan (RAT) framework, dubbed Auraboros, has been discovered with a fully exposed command-and-control (C2) infrastructure. Unlike many leaked or “cracked” malware kits, Auraboros displays a level of development polish suggesting a bespoke, high-end toolkit. Most alarmingly, the control interface—designed for live audio streaming, intensive keylogging, and session hijacking—is accessible over the public internet with zero authentication requirements.
The interface, identified as the “Auraboros C2 Station,” is a sophisticated single-page application (SPA) that renders victim telemetry and real-time control modules immediately upon loading, without a single prompt for credentials, tokens, or multi-factor authentication.
Technical analysis of the stack reveals a modern web architecture: the backend utilizes Express.js paired with Socket.io for real-time communication. The frontend is delivered as a single 133,975-byte JavaScript bundle serving a Brazilian Portuguese interface (lang="pt-BR"). Notably, the server configuration utilizes a permissive CORS policy (Access-Control-Allow-Origin: *), and all traffic is transmitted over unencrypted plain HTTP.
The branding, which includes “© 2026 Auraboros Advanced Defense Systems,” points toward a commercial-grade effort rather than a repurposed open-source tool. Security researcher @Fact_Finder03 first flagged the exposed panel at 174.138.43[.]25:5000, with subsequent analysis by @4_n_0_n_1_3_3_7 revealing additional activity on port 9000.
| Attribute | Technical Detail |
|---|---|
| Target URL | http[:]//174.138.43[.]25:5000/ |
| Backend Stack | Express.js + Socket.io |
| Frontend Stack | Bootstrap 5.3, JetBrains Mono |
| Authentication | None (Unauthenticated) |
| CORS Policy | Wildcard (*) |
The Developer’s Beacon: A High-Fidelity Leak
A critical observation during the inspection of the /api/beacons endpoint was the presence of a single active profile. The telemetry describes a Lenovo laptop located in Goiânia, Brazil, operating under the hostname DESKTOP-FVPFLD2 and user "LabCasa". The hardware profile is remarkably detailed: a 12th Gen Intel Core i5-1235U, 24 GB of RAM, and a 464 GB disk, routed through a Claro/NET Brazil IPv6 address (2804:3d90::/32). This strongly suggests that the “victim” beaconed is, in fact, the developer’s own hardware used for testing.
The malicious process is disguised as DiskIntegrityScanner.exe, a classic masquerading technique designed to blend into standard system processes. Interestingly, logs indicate the machine has been offline for five days, suggesting the platform is currently in a controlled development phase rather than an active, widespread campaign.
Surveillance Capabilities and Command Vocabulary
Reverse engineering the 84 KB JavaScript control logic reveals a deep command vocabulary delivered via POST /api/command. The framework isn’t just a basic remote shell; it is a comprehensive surveillance suite. Key features include:
- Real-Time Audio: Through Socket.io, the
audio_startandaudio_stopcommands manage a live stream of raw microphone data (emitted asaudio_chunk_{targetId}events), complete with a real-time visualizer in the C2 dashboard. - Active Keylogging: A dedicated listener polls
/api/keylog/{id}every three seconds to capture keystrokes. - Visual Intelligence: Periodic screenshot captures and webcam snapshots.
- Advanced Credential Theft: The framework targets browser-stored secrets in Chrome and Brave. It utilizes the Windows DPAPI to resolve profile paths, locate the encrypted master key, and decrypt it via
CryptUnprotectDatato extract passwords and cookies.
Perhaps its most lethal feature is the multi-cookie impersonation operation. By combining stolen session cookies with a built-in reverse SOCKS5 tunnel (on port 1080), the operator can replay victim sessions from the victim’s own IP address, effectively bypassing many modern identity protection mechanisms.
Implant Architecture and Stealth Mechanisms
Deep-dive analysis into the /api/logs/ endpoint reveals that the Auraboros implant is architected as a DLL-based payload rather than a standalone executable. This allows the attacker to use DLL sideloading techniques; when DiskIntegrityScanner.exe is executed, the malicious DLL attaches to the process, triggering a CollectData routine that fingerprints the host hardware and privileges before registering back to the C2.
To maintain operational security, the framework includes a “self-destruct” capability. During testing, certain steal_brave commands triggered an “evaporation” sequence, where the agent performs on-disk cleanup and terminates its own process to leave minimal forensic footprints.
Infrastructure Vulnerabilities and Risk Assessment
The Auraboros infrastructure is currently hosted on a DigitalOcean VPS, exposing ports 22 (SSH), 1080 (SOCKS5), 5000 (C2), and 9000 (potential beacon listener). However, the lack of security hygiene is profound:
- Total Lack of Encryption: All six documented API endpoints serve sensitive data—including live keylogs and decrypted browser credentials—over unencrypted HTTP.
- Unauthenticated Access: Any entity scanning the host can access the entire dashboard.
- Information Leakage: Because Socket.io broadcasts
command_resultevents to all connected clients, any third party can passively monitor the operator’s actions and victim outputs in real time.
Conclusion: While Auraboros currently poses as much risk to its own developers as it does to potential targets due to its unhardened state, the sophistication of its feature set—particularly the SOCKS5-coupled cookie hijacking—indicates a highly capable, deployment-ready RAT. Once basic authentication and TLS are implemented, it will represent a significant threat to enterprise and individual security.