← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Breaking Aura: five obfuscation layers & hates sandboxes
WHITE PetrP.73 2026-04-04 Modified: 2026-04-04
20
IOCs
MEDIUM VOLUME
Aura is a sophisticated C++ information stealer that emerged as a service since July 2025, intended to replace the previously dismantled Lumma malware. It has recorded 104 unique samples as of November 2025, all with a high detection score of 10/10 classified under the name aura_stealer. The malware embeds complex anti-sandbox mechanisms that result in crashes during analysis, making detection and behavior understanding more difficult. VirusTotal reports a detection rate of 53 out of 75.
reverse-engineeringmalwarestealerencryptionobfuscationheavenchromefnv1a hashapislayeraes256cbcgate shellcodec2 servergate x64browsercryptosandboxvirustotalstackinfoglobalbackendatomicbitcoinexodusravenanydeskdiscordtelegramsteambasiliskcloudflare
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (3 / 20 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain
TYPEINDICATORDESCRIPTIONCREATED
URL https://magicupdate.cfd 2026-04-04
URL https://mscloud.cfd 2026-04-04
URL https://searchagent.cfd 2026-04-04
References (1)
↗ https://www.derp.ca/research/aura-stealer-reverse-engineering/