Aura
Aura is a native C++ information stealer offered as a malware-as-a-service operation since July 2025. It was advertised as a post-Lumma replacement to the same buyer base after the Lumma takedown. Reported samples include versions 1.5.1 and 1.5.2, with one analyzed sample identified as SHA256 90a1fb5ef34cc6abee75e7b39166b3cbb97d5545496251ea69c4d4372aa4c3fe, build ID a05e095d-3b2d-4912-9174-a1ce01e86dda, first seen on VirusTotal on 2025-11-20.
Aura uses multiple anti-analysis and obfuscation layers. Reported techniques include patched ImageBase values, Heaven’s Gate 32-to-64-bit transitions, a 32-to-64-bit trampoline, control-flow flattening, FNV-1a API hashing, XOR-encrypted API storage, AES-256-CBC-encrypted embedded configuration, and SSE XOR-encrypted strings. It disables ASLR, DEP, and CFG in the PE header, strips the Rich header, performs binary integrity verification with MapFileAndCheckSumW, and executes anti-sandbox logic in global constructors before WinMain. Initialization-stage checks include anti-debugging, breakpoint detection, username checks, and process blacklist scans. Blacklisted analysis tools reportedly include ida64.exe, x64dbg.exe, Wireshark.exe, Fiddler.exe, procmon.exe, windbg.exe, and frida-helper binaries. It also checks usernames such as JohnDoe and HAL9TH and excludes CIS locale codes AM, BY, and GE.
Aura creates a per-build mutex in the form Global\{random_token} for single-instance enforcement. It builds a structured exfiltration report labeled AURA containing HWID, launch time, privilege status, system information, hardware details, running processes, and installed software. HWID generation includes reading MachineGuid from SOFTWARE\Microsoft\Cryptography, and it queries Windows version information from SOFTWARE\Microsoft\Windows NT\CurrentVersion.
The malware targets Windows systems and steals data from a broad set of applications. Hardcoded browser-related targets include Chrome Local State, Login Data, Web Data, Network\Cookies, History, Bookmarks, Last Version, and /MasterKey.bin. Researchers reported that most stealing targets are not embedded in the binary but are pushed from the C2 at runtime. A decrypted server configuration version 1.1.0 reportedly defined 212 stealing tasks across 172 unique targets, including 99 Chromium browser targets, 13 Gecko browser targets, 98 file-grabber tasks, one system-info task, and one screenshot task. File-grabber targets included more than 30 cryptocurrency wallets as well as FileZilla, AnyDesk, KeePass, Discord, Telegram, Steam, Uplay, OpenVPN, NordVPN, ProtonVPN, Authy Desktop, Pidgin, Psi+, and qTox. Mentioned target categories also include browsers, crypto wallets, VPN clients, password managers, and messaging applications.
Aura communicates over WinHTTP, performing heartbeat requests to /api/live and fetching tasking from /api/conf. Embedded configuration for one analyzed build listed hosts magicupdate[.]cfd, searchagent[.]cfd, and mscloud[.]cfd. As of 2026-03-28, glider[.]cfd was reported as the only Aura C2 domain with a functioning backend, while the other listed domains were DNS dead. Researchers replayed the client handshake against glider[.]cfd and decrypted 42,658 bytes of server configuration JSON. Although Aura uses AES-256-CBC for transport messages, each message reportedly prepends the 32-byte key and 16-byte IV in plaintext, leaving TLS as the only effective wire protection.
Additional behaviors include an optional human_check mode that displays a prompt requiring the user to enter a boundary-derived prefix before continuing, and an optional self_del mode that wipes the file with fsutil file setZeroData and then deletes itself via cmd.exe and del.
Observed delivery context includes ClickFix/FileFix-style social engineering campaigns. Content specifically notes a viral TikTok ClickFix campaign distributing Aura Stealer by instructing users to run malicious activation commands. Aura was also listed among final payloads observed in broader ClickFix/FileFix activity.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (6 techniques)
The binary ships with five layers of code obfuscation: a patched ImageBase that breaks static IAT analysis, a Heaven's Gate shellcode block that transitions to 64-bit mode for Chrome credential theft, a generic 32-to-64-bit trampoline, control flow flattening over an FNV-1a API hash table, and per-build AES-256-CBC config encryption. On top of that, a separate SSE XOR layer encrypts every string argument passed to the resolved APIs.
The hash table is populated during init via GetModuleHandleA("ntdll.dll") and LdrGetProcedureAddress, with API addresses stored XOR-encrypted... The binary resolves 100+ APIs at runtime through the FNV-1a hash table and CFF dispatch.
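An analyst-side helper for the hashed import table described above, added here as an example and not taken from the Aura sample or the source write-up: it precomputes 32-bit FNV-1a hashes over a candidate list of export names so that hash constants lifted from the binary can be mapped back to API names. The 32-bit width, the absence of a per-build seed, and the lowercase variant are assumptions; the page only states that FNV-1a is used, and the candidate list is a constructed short list of the APIs the page mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// 32-bit FNV-1a over the raw bytes of a name. Hash width, case handling and any
// per-build seed are assumptions; the page only says "FNV-1a API hashing".
func fnv1a32(s string) uint32 {
	h := uint32(0x811c9dc5) // FNV offset basis
	for i := 0; i < len(s); i++ {
		h ^= uint32(s[i])
		h *= 0x01000193 // FNV prime
	}
	return h
}

// HashTable maps precomputed hashes of candidate export names back to the names,
// so hash constants lifted from the binary can be resolved during analysis.
type HashTable map[uint32]string

func BuildTable(names []string) HashTable {
	t := make(HashTable, 2*len(names))
	for _, n := range names {
		t[fnv1a32(n)] = n
		t[fnv1a32(strings.ToLower(n))] = n // cover builds that hash lowercase names
	}
	return t
}

// Resolve returns the API name for a hash, or "" when no candidate matches.
func (t HashTable) Resolve(h uint32) string { return t[h] }

// Candidate names: APIs the page reports Aura resolving or calling (a constructed,
// deliberately short list; a real run would load all exports of the target DLLs).
var candidates = []string{
	"LdrGetProcedureAddress", "GetModuleHandleA", "MapFileAndCheckSumW",
	"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
	"RegOpenKeyExW", "RegQueryValueExW",
}

func main() {
	t := BuildTable(candidates)
	for _, h := range []uint32{fnv1a32("RegOpenKeyExW"), 0xdeadbeef} {
		fmt.Printf("%08x -> %q\n", h, t.Resolve(h))
	}
}
```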
When self_del is true in the config, the binary wipes and deletes itself after exfiltration... cmd.exe /c taskkill /f /im <process> & fsutil file setZeroData offset=0 length=<size> <path> & del /f /q <path>
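Detection logic for the self-deletion chain above, added as an example and not taken from any vendor rule: it runs over constructed Sysmon-style process-creation events (Image|CommandLine, not real telemetry) and flags a cmd.exe command line in which fsutil file setZeroData is chained, via &, ahead of del. A standalone fsutil setZeroData event is reported separately at lower severity so the parent can be reviewed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed Sysmon-style process creation events (Image|CommandLine), not real telemetry.
var sampleEvents = []string{
	`C:\Windows\System32\cmd.exe|cmd.exe /c taskkill /f /im updater.exe & fsutil file setZeroData offset=0 length=421376 C:\Users\u\AppData\Local\Temp\updater.exe & del /f /q C:\Users\u\AppData\Local\Temp\updater.exe`,
	`C:\Windows\System32\fsutil.exe|fsutil file setZeroData offset=0 length=4096 C:\temp\scratch.bin`,
	`C:\Windows\System32\cmd.exe|cmd.exe /c del /f /q C:\Users\u\AppData\Local\Temp\old.log`,
	`C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\`,
}

// Finding records the matched command line and why it matched.
type Finding struct {
	CommandLine string
	Reason      string
}

// isSelfDeleteChain matches the chain the page reports Aura running from cmd.exe:
// zero the file with fsutil setZeroData, then (after an &) delete it with del.
func isSelfDeleteChain(cl string) bool {
	l := strings.ToLower(cl)
	zero := strings.Index(l, "fsutil file setzerodata")
	del := strings.LastIndex(l, "del /")
	return zero >= 0 && del > zero && strings.Contains(l[zero:del], "&")
}

// Detect returns one Finding per event that matches either rule.
func Detect(events []string) []Finding {
	var out []Finding
	for _, ev := range events {
		parts := strings.SplitN(ev, "|", 2)
		if len(parts) != 2 {
			continue // malformed event, skip
		}
		image, cl := strings.ToLower(parts[0]), parts[1]
		switch {
		case strings.HasSuffix(image, `\cmd.exe`) && isSelfDeleteChain(cl):
			out = append(out, Finding{cl, "cmd.exe zeroes a file with fsutil then deletes it"})
		case strings.HasSuffix(image, `\fsutil.exe`) && strings.Contains(strings.ToLower(cl), "setzerodata"):
			out = append(out, Finding{cl, "fsutil setZeroData (low severity, review the parent process)"})
		}
	}
	return out
}

func main() {
	for _, f := range Detect(sampleEvents) {
		fmt.Printf("%s: %s\n", f.Reason, f.CommandLine)
	}
}
```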
Every Aura sample crashes in the Triage sandbox. The anti-sandbox code runs in global constructors (_initterm_e), not in WinMain... One or more of them contain: MapFileAndCheckSumW binary integrity verification, Software breakpoint detection on return addresses, Anti-debug checks.
Credential Access (2 techniques)
Discovery (7 techniques)
OS version data comes from the registry at SOFTWARE\Microsoft\Windows NT\CurrentVersion... The binary also calls... RegOpenKeyExW("SOFTWARE\\Microsoft\\Cryptography") + RegQueryValueExW("MachineGuid") for HWID.
Process blacklist scan via CreateToolhelp32Snapshot + Process32FirstW / Process32NextW... [Processes List] {running processes}
The binary builds a structured text document with the self-identification marker AURA... [System Info] Architecture, Language, Keyboard Layouts, Time Zone, Computer Name, User Name, Screen resolution, OS Name... [Hardware] CPU, RAM, GPUs.
The file grabber tasks target application data directories under %appdata%, %localappdata%, and %programfiles%... steal files matching glob patterns from target directories.
Collection (3 techniques)
Command and Control (3 techniques)
Heartbeat: /api/live... The binary sends a multipart POST with a single field named data containing a base64-encoded envelope... Data exfil POST /api/send.
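The envelope handling described here and in the transport paragraph earlier on the page (AES-256-CBC with the 32-byte key and 16-byte IV prepended in plaintext), as an added example that is not Aura's or the researchers' code: OpenEnvelope recovers the plaintext of a base64 data field using nothing but the bytes of the message itself, which is why TLS is the only real protection on the wire. The key/IV/ciphertext ordering and PKCS#7 padding are assumptions, and SealEnvelope only builds a constructed sample so the code runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// Layout reported for Aura transport messages: a 32-byte AES-256 key, then a
// 16-byte CBC IV, both in plaintext, then the ciphertext.
const keyLen, ivLen = 32, 16
// OpenEnvelope recovers the plaintext of the base64 "data" field of an Aura POST
// body from material carried in the message itself. PKCS#7 padding is assumed.
func OpenEnvelope(field string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return nil, err
	}
	ctLen := len(raw) - keyLen - ivLen
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return nil, fmt.Errorf("envelope is not key+iv+whole blocks (%d bytes)", len(raw))
	}
	key, iv, ct := raw[:keyLen], raw[keyLen:keyLen+ivLen], raw[keyLen+ivLen:]
	block, _ := aes.NewCipher(key) // key is exactly 32 bytes, so this cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // validate the PKCS#7 trailer before trimming it
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// SealEnvelope builds a constructed message in the same layout so the example runs
// offline; a real capture would come from the multipart "data" field.
func SealEnvelope(key, iv, msg []byte) string {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append(append([]byte{}, key...), iv...), ct...))
}
func main() {
	key, iv := bytes.Repeat([]byte{0x41}, keyLen), bytes.Repeat([]byte{0x42}, ivLen) // constructed
	pt, err := OpenEnvelope(SealEnvelope(key, iv, []byte(`{"cmd":"live"}`)))
	fmt.Println(string(pt), err)
}
```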
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Native C++ information stealer sold as a service. It uses multiple obfuscation layers, anti-sandbox and anti-debug logic, runtime server-pushed tasking, and steals data from browsers, crypto wallets, VPN clients, password managers, messaging apps, and system information. It also supports screenshot capture and self-deletion.
Information-stealing malware; developer claims it includes CIS-region avoidance checks (system and IP-based) to prevent execution/operation in CIS countries.
Aura is an infostealer malware distributed via ClickFix and FileFix attacks, designed to harvest browser credentials, crypto wallets, and other sensitive data.