Azorult
AZORult is a commodity Windows information stealer first observed in the wild around 2016 and sold on underground forums for about $100; the reporting references Delphi-based and later C++ variants. It is also referred to in the referenced reporting as PuffStealer and Ruzalto. Its core capability is credential and data theft: it steals credentials from web browsers, parses browser databases, collects cookies and web form/autofill data, and harvests credentials from files belonging to applications such as Skype, Telegram, Steam, Outlook, Thunderbird, FileZilla, and Pidgin. The reporting also states that it steals cryptocurrency-related data, including bitcoin wallet.dat files and wallet information, Skype message/chat histories, desktop files, installed program lists, running process lists, and host information such as username, computer name, OS, RAM, and installed software. For host profiling it reads the Windows Registry key Software\Microsoft\Windows\CurrentVersion\Uninstall to enumerate installed software.
The malware has been associated with multiple criminal delivery ecosystems and campaigns. Proofpoint reported a campaign abusing PayPal money requests in which an obfuscated JavaScript downloader fetched Chthonic, which then downloaded AZORult as a second-stage payload; the reported AZORult C2 URL in that campaign was 91.215.154[.]202/AZORult/gate.php, and the AZORult payload SHA256 was 10d159b0ddb92e9f4b395e90f9cfaa554622c4e77f66f7da176783777db5526a. The content also notes AZORult delivery via fake Google sites and HTML smuggling, FakeUpdates activity, and infrastructure previously serving Smoke Loader. It has been used by Nigerian BEC actors tracked as SilverTerrier and by the Nigerian TMT group, alongside other commodity stealers and RATs, to steal credentials from browsers, email clients, and FTP clients and support mailbox compromise and fraud.
The provided content also describes an 'Azorult loader' variant or loader chain on Windows. In that reporting, an AutoIt-compiled loader drops the AZORult payload and additional tools, performs sandbox checks, exits on Windows XP, attempts to uninstall Microsoft Security Client if msseces.exe is running, disables registry keys related to Windows Defender and other AV products, tampers with or deletes AV-related services, modifies firewall rules, blocks SMB ports 445 and 139, alters the hosts file to redirect AV, coin-miner, and some GitHub sites to localhost, and imports a malicious AppLocker XML policy intended to deny execution of security software. That loader chain also dropped RMS Remote Manipulator System components, NirSoft WebBrowserPassView, enabled RDP, created scheduled tasks for persistence, and created a hidden local user account named John. Splunk-associated content further links AZORult to registry abuse behaviors such as disabling Windows Security/Defender notifications and enabling Remote Assistance.
A separate Trend Micro detection in the content, Trojan.Win32.AZORUIT.A, is described as arriving via other malware or malicious downloads and persisting as a Windows service named localNETService with dropped file %ProgramData%\localNETService\localNETService.exe, temporary .dat files, registry keys under HKLM\SOFTWARE\localNETService and HKLM\SYSTEM\ControlSet001\services\localNETService, and scheduled tasks masquerading as GoogleUpdateTaskMachineUA and GoogleUpdateTaskMachineCore that invoke %ProgramFiles%\Google\Update\GoogleUpdate.exe. Because that detection name differs from the standard AZORult naming, it should be treated as related reporting in the provided content rather than definitive canonical naming.
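The loader-chain behaviours and the localNETService persistence described in the two passages above give a defender several host artifacts to correlate. The script below is an added example (not from the original page or any vendor): it scores constructed Windows Security-style events per host, weighting the near-unique localNETService artifact heavily and the GoogleUpdate task names and the user name John lightly, because legitimate software and ordinary administration also produce those. The event format, field names and weights are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in key=value form, loosely modelled on Windows Security
# log fields (7045 service install, 4698 task create, 4720 user create, 4688 process create).
SAMPLE_EVENTS = [
    'host=WS01 id=7045 ServiceName=localNETService ImagePath="C:\\ProgramData\\localNETService\\localNETService.exe"',
    'host=WS01 id=4698 TaskName=GoogleUpdateTaskMachineUA Command="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"',
    'host=WS01 id=4720 TargetUserName=John',
    'host=WS01 id=4688 CommandLine="netsh advfirewall firewall add rule name=blk dir=in action=block protocol=TCP localport=445"',
    'host=WS01 id=4688 CommandLine="powershell -c Set-AppLockerPolicy -XmlPolicy C:\\Users\\Public\\pol.xml"',
    'host=WS02 id=4698 TaskName=GoogleUpdateTaskMachineCore Command="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"',
    'host=WS02 id=4720 TargetUserName=jsmith',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

# (rule name, weight, predicate). Weights reflect how specific each artifact is:
# the localNETService service is near-unique to the reported sample, while the
# GoogleUpdate task names and a user called John also occur legitimately.
RULES = [
    ("localNETService_install", 5, lambda e: e.get("id") == "7045" and
        "localnetservice" in (e.get("ServiceName", "") + e.get("ImagePath", "")).lower()),
    ("smb_port_block", 3, lambda e: e.get("id") == "4688" and
        "advfirewall" in e.get("CommandLine", "").lower() and
        "action=block" in e.get("CommandLine", "").lower() and
        re.search(r"localport=(445|139)\b", e.get("CommandLine", ""), re.I) is not None),
    ("applocker_policy_import", 3, lambda e: e.get("id") == "4688" and
        "set-applockerpolicy" in e.get("CommandLine", "").lower()),
    ("googleupdate_task_name", 1, lambda e: e.get("id") == "4698" and
        e.get("TaskName") in {"GoogleUpdateTaskMachineUA", "GoogleUpdateTaskMachineCore"}),
    ("local_user_john", 1, lambda e: e.get("id") == "4720" and e.get("TargetUserName") == "John"),
]

def score_hosts(lines, threshold=5):
    """Return {host: (score, [rules hit])} for hosts whose score reaches the threshold."""
    hits = defaultdict(lambda: [0, []])
    for line in lines:
        e = parse_event(line)
        host = e.get("host", "?")
        for name, weight, pred in RULES:
            if pred(e):
                hits[host][0] += weight
                hits[host][1].append(name)
    return {h: (s, r) for h, (s, r) in hits.items() if s >= threshold}

if __name__ == "__main__":
    for host, (score, rules) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} rules={rules}")
```

Only WS01 reaches the threshold; WS02 carries a legitimate-looking GoogleUpdate task alone, which is the point of weighting masqueraded names low until another artifact corroborates them.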
Overall, the content consistently characterizes AZORult as a widely used commercial info-stealer focused on browser, application, and cryptocurrency theft, often delivered as part of broader malware chains and used by financially motivated threat actors.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Unit 42 identified ten strains of info-stealers popular with SilverTerrier: AgentTesla, Atmos, AzoRult, ISpySoftware, ISR Stealer, KeyBase, LokiBot, Pony, PredatorPain, and Zeus.
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
In early 2017, CrydBrox offered an updated variant of the AZORult malware that included .bit support... The AZORult sample ... first checks if the C2 domain contains the string ".bit" and ... will query ... hard-coded OpenNIC IP addresses to try to resolve the domain.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"It looks like the attacker compromised the website... and is using it for distributing AzoRult."
Initial Access
3 techniques
Specifically, we observed emails with the subject “You’ve got a money request” that came from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to “request money.”
Additionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused in order to build credibility and trust in order to have people, for example, open malicious attachments or web pages.
PayPal’s money request feature allows adding a note along with the request, where the attacker crafted a personalized message and included a malicious URL.
Execution
2 techniques
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe.
Persistence
1 technique
Stealth
3 techniques
To keep them under the antivirus radar, Nigerian actors use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Credential Access
3 techniques
Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.
AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
8 techniques
The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUserDefaultUILanguage function."
Collection
3 techniques
It can enumerate the users on the system, get passwords in web browsers, email and FTP clients, and collect local files from the victim machine.
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Desktop files grabber. Collects files with specified extensions from Desktop. Filter by file size. Recursively searches files in folders.
Command and Control
3 techniques
This executable is Chthonic, a variant of the Zeus banking Trojan. The command and control (C&C) for this instance is kingstonevikte[.]com.
"Smoke Loader sends the encrypted data to C2 by HTTP POST... C2 server replies HTTP 404..." and "AzoRult accesses... www.jma-go[.]jp/java/java9356/index.php"
If the user then opens the JavaScript file, it downloads an executable from wasingo[.]info/2/flash.exe... It is also interesting that Chthonic downloads a second-stage payload, a previously undocumented malware “AZORult”
Exfiltration
1 technique
The stolen credentials were then sent to predefined email addresses controlled by the attackers, enabling unauthorized access to victims’ accounts and systems.
Impact
1 technique
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
Other
1 technique
IOCs tracked for this family
725 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
107 sources tracked across advisories, community write-ups, and news.
Associated Analytic Story Azorult
Credential and information stealer referenced in the analytic story list.