Pulse Detail — Threat Intelligence

PULSE NAME

Analysis of AuraStealer, an emerging infostealer

WHITE PetrP.73 2026-03-04 Modified: 2026-04-03

513

IOCs

HIGH VOLUME

AuraStealer is a newly emerged infostealer attributed to a group of Russian-speaking developers, gaining traction in the cybercrime landscape since its appearance on hacker forums in July 2025. This malware has been associated with numerous campaigns and is reported to compete directly with existing threats such as Rhadamantys and Vidar. The malware utilizes an extensive command and control (C2) infrastructure comprising 48 domains, recently shifting from .SHOP to .CFD top-level domains (TLDs), which are more conducive to tracking by security researchers.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1497 T1041 T1030 T1573.001 T1070.001 T1074.001 T1602 T1005 T1119 T1113 T1115 T1518 T1057 T1082 T1552.001 T1539 T1555.003 T1555 T1070.004 T1480.001 T1518.001 T1497.003 T1497.001 T1562.006 T1140 T1027 T1055 T1106 T1204 T1059.001 T1204.001 T1204.002 T1566.002

MALWARE FAMILIES

AuraStealer

Indicators of Compromise (28 / 513 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://130.12.180.43/files/1660276343/wi6NLkw.exe	—	2026-03-04
URL	http://176.46.157.32/files/7907140312/hgNo5Vh.exe	—	2026-03-04
URL	http://176.46.158.8/files/8052963817/6XJoqOi.exe	—	2026-03-04
URL	http://178.16.54.200/files/1763292343/LS4jHzx.exe	—	2026-03-04
URL	http://178.16.54.200/files/6420889076/i5g2Pev.exe	—	2026-03-04
URL	http://178.16.55.189/files/8052963817/8tMKDbN.exe	—	2026-03-04
URL	http://196.251.107.94:5553/hopea.exe	—	2026-03-04
URL	http://45.141.233.196/files/8052963817/u0pv9e8.exe	—	2026-03-04
URL	http://85.208.84.35/installer.exe	a73f7ff2df033591c1821fc5a74d435d5718486a3fcd9030ac8b046abef61ed7	2026-03-04
URL	http://94.154.35.115/user_profiles_photo/cptchbuildau.bin	—	2026-03-04
URL	http://slmgr.win/photoshop	—	2026-03-04
URL	http://xssforum7mmh3n56inuf2h73hvhnzobi7h2ytb3gvklrfqm7ut3xdnyd.onion/threads/141472/	—	2026-03-04
URL	https://acrimsasullanasrl.phuyufact.com/.well-known/acme-	—	2026-03-04
URL	https://acrimsasullanasrl.phuyufact.com/.well-known/acme-challenge/bl_au/BlAuDismissReminderFormatDate.exe	a3d10bfed09f482c20836670bf106c9f37ee2a9a2145d79ba78973d4ae8c90da	2026-03-04
URL	https://auracorp.cfd	—	2026-03-04
URL	https://blackbones.net/threads/aura-stealer-you-dont-need-this-just-kidding-you-do-	—	2026-03-04
URL	https://blackbones.net/threads/aura-stealer-you-dont-need-this-just-kidding-you-do-urgently.22197/unread	—	2026-03-04
URL	https://darkmarket.ca/threads/aura-stealer-vam-ehto-ne-nuzhno-shuchu-nuzhno-	—	2026-03-04
URL	https://darkmarket.ca/threads/aura-stealer-vam-ehto-ne-nuzhno-shuchu-nuzhno-srochno.113795	—	2026-03-04
URL	https://darkstash.com/threads/aura-stealer-you-dont-need-this-just-kidding-you-do-	—	2026-03-04
URL	https://darkstash.com/threads/aura-stealer-you-dont-need-this-just-kidding-you-do-urgently.12559	—	2026-03-04
URL	https://en.fofa.info/result?qbase64=aGVhZGVyPSJYLUJhY2tlbmQtU2VydmVyOiBBcGFjaGUvMi4yLjIyIC	—	2026-03-04
URL	https://foresiet.com/blog/aura-stealer-malware-analysis/	—	2026-03-04
URL	https://forum.exploit.biz/topic/263880	—	2026-03-04
URL	https://sinister.ly/Thread-AURA-Stealer-You-don-t-need-this-Just-kidding-You-do-Urgently	—	2026-03-04
URL	https://valhalla.nextron-systems.com/info/rule/MAL_Aura_Stealer_Nov25	—	2026-03-04
URL	https://www.enclave.cc/index.php?%2Ftopic%2F8849-aura-stealer-you-dont-need-this-just-	—	2026-03-04
URL	https://www.enclave.cc/index.php?%2Ftopic%2F8849-aura-stealer-you-dont-need-this-just-kidding-you-do-urgently%2F=	—	2026-03-04

References (1)

↗ https://www.intrinsec.com/wp-content/uploads/2026/02/TLP-CLEAR-AuraStealer-EN.pdf