Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Home/Threats/Auraboros RAT Exposes Live Audio, Keylogging, and Cookie Hijacking
Threats

Auraboros RAT Exposes Live Audio, Keylogging, and Cookie Hijacking

Key Takeaways The previously unknown Auraboros RAT has been discovered, featuring extensive surveillance and data theft capabilities. Its command-and-control (C2) panel operates without any...

Marcus Rodriguez
Marcus Rodriguez
April 22, 2026 4 Min Read
47 0

Key Takeaways

  • The previously unknown Auraboros RAT has been discovered, featuring extensive surveillance and data theft capabilities.
  • Its command-and-control (C2) panel operates without any authentication, leaving victim data and operational controls openly accessible.
  • The RAT targets Windows systems, employing DLL sideloading for stealth and specifically designed to hijack browser credentials and session cookies from Brave and Chrome.
  • No active victims were identified beyond the developer’s test environment, but the threat is significant due to its sophisticated features and the C2 panel’s complete lack of security.

Auraboros RAT: A New Threat with Open C2 Access

A novel and formidable remote access trojan (RAT) framework, dubbed Auraboros C2, has emerged, presenting a significant cybersecurity risk. This previously undocumented RAT grants attackers broad access to victim data, enables live surveillance, and facilitates the theft of browser credentials, including session cookies. The findings were detailed in a recent report.

Table Of Content

  • Key Takeaways
  • Auraboros RAT: A New Threat with Open C2 Access
  • Technical Deep Dive into the Auraboros C2
  • Extensive Capabilities and Open Endpoints
  • DLL Sideloading and Browser Credential Theft
  • What You Should Do

Alarmingly, the entire command-and-control (C2) dashboard for Auraboros operates over unencrypted HTTP, completely devoid of login requirements, tokens, or any form of authentication. This critical security flaw exposes all victim data and control functionalities to anyone capable of reaching the server’s designated port.

Technical Deep Dive into the Auraboros C2

The malware’s C2 panel is hosted on a DigitalOcean server, specifically at IP address 174.138.43[.]25, and runs on port 5000. It leverages an Express.js and Socket.io backend, indicating a modern web technology stack.

The panel’s interface is professionally designed with a dark theme, custom CSS, and JavaScript, and features branding in Brazilian Portuguese that reads “Auraboros Advanced Defense Systems.” Despite its polished appearance, this sophisticated facade belies a complete absence of security controls, leaving both management functions and sensitive victim data entirely exposed. Furthermore, the full 84KB JavaScript source code of the panel was freely downloadable, laying bare the framework’s entire architecture.

Breakglass Intelligence analysts, in collaboration with security researchers @Fact_Finder03 and @4_n_0_n_1_3_3_7, first identified the Auraboros C2 after it was flagged on social media. Investigators successfully downloaded the panel’s source, connected to its real-time Socket.io transport, and thoroughly enumerated its command set without needing any credentials. Their analysis confirmed that Auraboros is a custom-built framework, with no prior mentions in threat intelligence reports, vendor advisories, or public research.

Extensive Capabilities and Open Endpoints

The Auraboros framework boasts an extensive array of capabilities specifically designed to compromise Windows systems. These include, but are not limited to, capturing screenshots, taking webcam snapshots, stealing clipboard contents, performing live keylogging with rapid three-second polling intervals, extracting Wi-Fi passwords, enabling file browsing, executing arbitrary shell commands, enumerating processes, conducting ARP and port scans, establishing reverse SOCKS5 proxying on port 1080, delivering over-the-air (OTA) agent updates, and a specialized engine for cookie impersonation.

Compounding the C2 panel’s inherent insecurity, six unauthenticated API endpoints further expose critical data such as beacon lists, command results, event logs, live keylogger feeds, and stolen browser credentials to any connected client. Additionally, the Socket.io transport broadcasts all real-time command results to every connected client without any session isolation, allowing any observer to monitor ongoing operations.

During the investigation, only a single registered beacon was discovered, believed to belong to the developer’s own test machine. This beacon, identified as hostname DESKTOP-FVPFLD2 with the username “LabCasa” (Portuguese for “home lab”), was running a process named DiskIntegrityScanner.exe on a Lenovo laptop located in Goiania, Brazil. The beacon had been offline for five days at the time of discovery, and the test machine contained no saved passwords, suggesting it was a clean laboratory environment used solely for development and testing purposes.

DLL Sideloading and Browser Credential Theft

A notable technical aspect of Auraboros is its method of implant delivery and concealment. Instead of deploying a standalone malicious executable, the framework employs DLL sideloading. It utilizes a seemingly benign executable, DiskIntegrityScanner.exe, as a host process. When executed, this legitimate-looking file loads a malicious DLL, which then immediately initiates a “CollectData” routine. This routine harvests critical system information, including the machine’s hostname, username, and privilege level, before registering with the C2 server. This technique effectively hides the implant behind a legitimate process in the Windows task list, making it significantly harder to detect through routine monitoring.

The credential theft mechanism specifically targets Brave and Chrome browsers, leveraging the Windows Data Protection API (DPAPI). The implant first determines the browser’s AppData profile path, locates the encrypted master key, and decrypts it using the Windows CryptUnprotectData function. Subsequently, it copies the Login Data SQLite database to extract stored passwords and session cookies. Test logs indicated that the developer executed the Brave extraction command 18 times within a single afternoon, suggesting active debugging of the DPAPI decryption logic.

The sophisticated cookie impersonation engine then takes these stolen cookies, generates a session cloning script, and routes the attacker’s traffic through the victim’s SOCKS5 proxy tunnel. This ensures that during account takeover attempts, the attacker’s browser appears to originate from the victim’s IP address, bypassing many common security measures.

What You Should Do

  • Immediately block the IP address 174.138.43[.]25 at your network perimeter.
  • Conduct thorough endpoint scans for the presence of DiskIntegrityScanner.exe, as it is not a legitimate Windows binary and indicates compromise.
  • Monitor outbound network connections to port 9000 on DigitalOcean-hosted IP addresses, as this is suspected to be the beacon callback port for Auraboros.
  • Implement alerts for any reverse SOCKS5 proxy activity detected on port 1080 within your network.
  • Report the identified malicious infrastructure to DigitalOcean’s abuse team at [email protected].
  • Configure network monitoring to detect Socket.io polling requests directed to non-standard ports, which could signify active C2 beaconing.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

The Phishing Defense Layer Top CISOs Never Miss

Next Post

Claude Mythos AI Uncovers 271 Zero-Days in Firefox

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us