Select Page

A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of multiple campaigns designed to steal sensitive information from compromised hosts.

“These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites,” cybersecurity firm SEKOIA¬†said.

First advertised on Russian cybercrime forums in April 2022 by a threat actor calling themselves Cheshire, Aurora was offered as a commodity malware for other threat actors, describing it as a “multi-purpose botnet with stealing, downloading and remote access capabilities.”

In the intervening months, the malware has been scaled down to a stealer that can harvest files of interest, data from 40 cryptocurrency wallets, and applications like Telegram.

Aurora also comes with a loader that can deploy a next-stage payloading using a PowerShell command.

images from Hacker News