Breaking Aura: five obfuscation layers & hates sandboxes
Aura is a sophisticated C++ information stealer that has been offered as a service since July 2025 and is intended to replace the previously dismantled Lumma malware. As of November 2025, 104 unique samples had been recorded, all with a high detection score of 10/10 and classified under the name aura_stealer. The malware embeds complex anti-sandbox mechanisms that cause crashes during analysis, making detection and behavioral analysis more difficult. VirusTotal reports a detection rate of 53 out of 75.
Indicators of Compromise (20)