
"A new analysis of AuraStealer from Intrinsec has uncovered 48 command-and-control (C2) domain names linked to the stealer's operations. The threat actor behind the malware has been found to use .shop and .cfd top-level domains, in addition to routing all traffic through Cloudflare as a reverse proxy to conceal the real server."
"AuraStealer first appeared on underground hacker forums in July 2025, shortly after the disruption of the Lumma Stealer as part of a law enforcement operation. It was advertised by a user named AuraCorp on the XSS forum. It comes in two subscription packages: $295/month for Basic and $585/month for Advanced."
AuraStealer is a new information stealer that surfaced on underground forums shortly after the law enforcement disruption of Lumma Stealer. Intrinsec's analysis tied 48 command-and-control domains to it, registered under the .shop and .cfd top-level domains and fronted by Cloudflare as a reverse proxy so that the origin servers are not exposed. The malware is sold as a subscription with Basic ($295/month) and Advanced ($585/month) tiers and is distributed primarily through ClickFix. The case shows how quickly operators rebuild tooling and infrastructure after an enforcement action, and it gives defenders a concrete infrastructure pattern (new-TLD domains fronted by Cloudflare) to hunt for in DNS telemetry.
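The infrastructure pattern described above (C2 domains under .shop and .cfd, fronted by Cloudflare) is something a blue team can hunt for in resolver or passive-DNS logs. The Python below is an added example written for this page, not code from Intrinsec or The Hacker News: it parses a constructed resolver-log format, flags queries for names under the two reported TLDs, and raises the severity when the answered IP falls inside Cloudflare's published IPv4 prefixes. The prefix list is a hand-copied snapshot and is an assumption that must be refreshed from https://www.cloudflare.com/ips-v4; the log lines and domain names are constructed for the example and are not the 48 domains from the report.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Snapshot of Cloudflare's published IPv4 prefixes (assumption: copied by hand;
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [
    ipaddress.ip_network(p)
    for p in (
        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
        "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    )
]

# TLDs the report associates with AuraStealer C2 domains.
SUSPECT_TLDS = {"shop", "cfd"}

# Constructed resolver-log format used by this example:
# "<timestamp> <client_ip> <qname> A <answer_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+A\s+(?P<ip>\S+)$"
)


def tld_of(name: str) -> str:
    """Return the lowercase last label of a name, tolerating a trailing dot."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1]


def behind_cloudflare(ip: str) -> bool:
    """True if the address is an IPv4 inside one of Cloudflare's announced prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal; treat as not fronted
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Score each A-record answer.

    'high' = suspect TLD and the answer is a Cloudflare edge address,
    'low'  = suspect TLD on any other hosting,
    everything else (other TLDs, unparseable lines) is dropped.
    """
    hits: List[Dict[str, str]] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed or non-A-record line
        qname = m["qname"].rstrip(".").lower()
        if tld_of(qname) not in SUSPECT_TLDS:
            continue
        severity = "high" if behind_cloudflare(m["ip"]) else "low"
        hits.append(
            {"client": m["client"], "qname": qname, "ip": m["ip"], "severity": severity}
        )
    return hits


# Constructed sample log: names and addresses are made up for this example and
# are NOT indicators from the Intrinsec report.
SAMPLE_LOG = [
    "2025-09-01T10:00:01Z 10.0.0.5 updates-cdn.shop. A 104.21.33.7",
    "2025-09-01T10:00:02Z 10.0.0.5 www.example.com. A 93.184.216.34",
    "2025-09-01T10:00:03Z 10.0.0.9 panel-sync.cfd. A 172.67.140.2",
    "2025-09-01T10:00:04Z 10.0.0.9 shop-local.shop. A 203.0.113.9",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['client']} -> {hit['qname']} ({hit['ip']})")
```

Treat the output as a triage queue, not a block list: Cloudflare fronts a large share of legitimate sites and both .shop and .cfd have legitimate registrants, so a "high" hit only says the name matches the reported hosting pattern and deserves enrichment (registration age, certificate transparency history, sandbox or EDR context) before any action. The same two checks apply unchanged to passive-DNS exports, where the client column would be absent.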
#aurastealer-malware #command-and-control-infrastructure #threat-actor-tactics #malware-as-a-service #cybersecurity-threats
Read at The Hacker News