PULSE NAME
Breaking Aura: five obfuscation layers & hates sandboxes
WHITE PetrP.73 2026-04-04 Modified: 2026-04-04
20 IOCs
MEDIUM VOLUME
Aura is a sophisticated C++ information stealer that has been offered as a service since July 2025 and is intended to replace the previously dismantled Lumma malware. As of November 2025, 104 unique samples had been recorded, all with a high detection score of 10/10 and classified under the name aura_stealer. The malware embeds complex anti-sandbox mechanisms that cause crashes during analysis, making detection and behavioral analysis more difficult. VirusTotal reports a detection rate of 53 out of 75.
Indicators of Compromise (1 / 20 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA1 | 2e7c5073949300070ccca94f1c925d00f3035351 | SHA1 of 90a1fb5ef34cc6abee75e7b39166b3cbb97d5545496251ea69c4d4372aa4c3fe | 2026-04-04