Hackers News
Threats

Researchers Detail AuraStealer Obfuscation, Anti-Analysis and Data Theft Capabilities

Emy Elsamnoudy
January 8, 2026

AuraStealer has emerged as a dangerous malware-as-a-service, actively targeting Windows systems from Windows 7 through Windows 11.

This infostealer spreads primarily through Scam-Yourself campaigns on platforms such as TikTok, where victims follow tutorial videos that promise free activation of paid software and end up running the malware on their own machines.

The malware is written in C++ with a build size of 500 to 700 KB. Its operators claim it can steal data from more than 110 browsers, 70 applications including cryptocurrency wallets and two-factor authentication tools, and over 250 browser extensions, with the targets selected through a customizable configuration system.

The threat operates through multiple delivery methods including cracked games, malicious software downloads, and multi-stage execution flows involving custom loaders and DLL sideloading techniques.

Offered through a tiered subscription model with prices ranging from $295 to $585 per month, AuraStealer provides cybercriminals with a dedicated web panel for managing stolen data.

The malware originally supported Russian only but has since been updated with English language support, suggesting its developers operate within Russian-speaking cybercriminal communities.

Despite its sophisticated design, the stealer contains several flaws that create detection opportunities for security defenders.

Visualized exception-driven API hashing (Source: Gendigital)

Gendigital researchers identified that AuraStealer uses advanced evasion tactics to avoid detection and analysis. The malware performs extensive checks before executing, including geolocation verification to avoid running in CIS countries and Baltic states.

It also evaluates system characteristics such as memory capacity and processor count to detect virtual machines, and only proceeds if the host has at least four processors or at least 200 running processes.

AuraStealer promoted on an underground forum (Source: Gendigital)

When run without additional protective layers, the stealer also displays a dialog box that requires the user to type a randomly generated code. Automated sandboxes cannot interact with the dialog, so analysis halts there, and in practice this forces distributors to package the malware with further protective layers before deployment.

Indirect Control Flow Obfuscation and String Encryption Techniques

The malware implements indirect control flow obfuscation by systematically replacing direct jumps and calls with indirect ones where target addresses are computed only at runtime.

This method disrupts static analysis tools like IDA Pro by leaving disassemblers with seemingly unrelated basic blocks.

The obfuscation mechanism uses various patterns ranging from simple arithmetic sums to complex conditional instructions like cmovz where target addresses depend on return values of multiple preceding function calls.

To hide which Windows APIs it uses, AuraStealer employs exception-driven API hashing: the code deliberately triggers access violations, and a custom exception handler intercepts each one and dispatches execution to the appropriate function address taken from precomputed lookup tables, so no direct API calls appear in the disassembly.

Disassembled code of the WinMain function (Source: Gendigital)

String obfuscation uses stack-based XOR encryption where encrypted strings and corresponding XOR keys are concatenated in memory from constant values before being decrypted.
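The scheme in the preceding paragraph, as an added example in Python (not code from the stealer or from Gendigital's write-up): the obfuscator emits the ciphertext followed by the key as a run of 32-bit constants, and the decryption routine XORs the two halves once they are back on the stack. The little-endian dword layout, the repeating 8-byte key, the sample string and the brute-force split recovery are constructed assumptions for illustration; the article gives no key sizes or constant values.

```python
"""Stack-string XOR decoding: ciphertext and key are laid down as a run of
32-bit constants, [ciphertext || key], and then XORed in place.
Added, simplified model for illustration; not code from the stealer or from
Gendigital.  The little-endian dword layout, the repeating key and the sample
strings are constructed assumptions."""
import struct
from typing import List, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_stack_string(plaintext: bytes, key: bytes) -> List[int]:
    """Emit the constant stream an obfuscator would write to the stack:
    ciphertext first, then the key, split into little-endian dwords and
    zero-padded to a 4-byte boundary."""
    blob = xor_bytes(plaintext, key) + key
    blob += b"\0" * (-len(blob) % 4)
    return list(struct.unpack("<%dI" % (len(blob) // 4), blob))


def reassemble(constants: List[int]) -> bytes:
    """Concatenate the dword constants back into the in-memory buffer."""
    return struct.pack("<%dI" % len(constants), *constants)


def decode_stack_string(constants: List[int], cipher_len: int, key_len: int) -> bytes:
    """Decrypt when the lengths are known, e.g. read off the decryption loop."""
    blob = reassemble(constants)
    if cipher_len + key_len > len(blob):
        raise ValueError("lengths exceed the constant buffer")
    cipher = blob[:cipher_len]
    key = blob[cipher_len:cipher_len + key_len]
    return xor_bytes(cipher, key)


def _looks_like_text(candidate: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in candidate)


def brute_force_splits(constants: List[int], min_len: int = 4) -> List[Tuple[int, int, bytes]]:
    """Analyst heuristic when the loop bounds are not obvious: try every
    (cipher_len, key_len) split of the buffer and keep the ones that decrypt
    to printable ASCII.  Returns (cipher_len, key_len, plaintext) triples."""
    blob = reassemble(constants)
    results = []
    for cipher_len in range(min_len, len(blob)):
        for key_len in range(1, len(blob) - cipher_len + 1):
            plaintext = xor_bytes(blob[:cipher_len], blob[cipher_len:cipher_len + key_len])
            if _looks_like_text(plaintext):
                results.append((cipher_len, key_len, plaintext))
    return results


# Constructed sample: a browser database name, encrypted with an 8-byte key.
SAMPLE_KEY = bytes.fromhex("5a3c91e70b44d8a1")
SAMPLE_PLAINTEXT = b"\\Login Data"
SAMPLE_CONSTANTS = encode_stack_string(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print([hex(c) for c in SAMPLE_CONSTANTS])
    print(decode_stack_string(SAMPLE_CONSTANTS, len(SAMPLE_PLAINTEXT), len(SAMPLE_KEY)))
    for split in brute_force_splits(SAMPLE_CONSTANTS):
        print(split)
```

In a real sample the constants are the immediates of consecutive mov instructions and the two lengths are the loop bounds of the decryption routine; brute_force_splits is only a fallback for when the loop has been obfuscated along with the jumps, and it produces false candidates that need a human eye.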

The malware performs an anti-tampering check by calling MapFileAndCheckSumW on its own image and comparing the result against the CheckSum value stored in the PE optional header, terminating execution if the two differ. Any analyst who patches a sample, for example to disable the sandbox checks, therefore has to recompute and rewrite the header checksum or the sample will exit before reaching the patched code.
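The anti-tampering check above can be reproduced, and repaired after patching, with a few lines of Python. This is an added example, not Gendigital's tooling or the stealer's code: it implements the documented PE image checksum that MapFileAndCheckSumW computes (a 32-bit end-around-carry sum over the file with the CheckSum dword excluded, folded to 16 bits, plus the file length), and the minimal PE32+ header it operates on is constructed inline and is not a runnable binary.

```python
"""Recompute, verify and fix the PE header CheckSum field that the
anti-tampering check compares against MapFileAndCheckSumW.
Added example, not Gendigital's or the stealer's code; the minimal PE image
below is constructed for demonstration and is not an executable."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature)
    + 20 (COFF header) + 64 (same offset for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Compute the image checksum over the whole file, skipping the CheckSum dword."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """Read the value currently in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def set_stored_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the file with the header field overwritten."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def verify_checksum(data: bytes) -> bool:
    """True when header and recomputed value agree: the condition under which
    the sample keeps running."""
    return stored_checksum(data) == pe_checksum(data)


def fix_checksum(data: bytes) -> bytes:
    """After patching a sample, write the recomputed value back so the
    anti-tampering check passes again."""
    return set_stored_checksum(data, pe_checksum(data))


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ layout: DOS header, PE signature, COFF header,
    240-byte optional header, arbitrary filler.  Not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    body = b"\x90" * 200 + b"constructed sample body"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    sample = fix_checksum(build_sample_pe())
    print("stored=0x%08x verify=%s" % (stored_checksum(sample), verify_checksum(sample)))
    patched = bytearray(sample)
    patched[-1] ^= 1                                           # simulate a one-byte patch
    print("after patch verify=%s" % verify_checksum(bytes(patched)))
    print("after fix   verify=%s" % verify_checksum(fix_checksum(bytes(patched))))
```

Run fix_checksum on any patched copy before executing it in a sandbox. The same comparison is also a cheap triage signal over a corpus: many unsigned user-mode binaries ship with a zero CheckSum, so an unsigned executable whose stored value is non-zero and matches is worth a second look, though on its own it proves nothing.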

AuraStealer installs its custom exception handlers during the initialization routines that run before WinMain, so an analyst who starts reading at WinMain can easily miss them.

The stealer targets sensitive data from Chromium- and Gecko-based browsers, cryptocurrency wallets, active session tokens from Discord, Telegram and Steam, two-factor authentication tokens, password manager databases including KeePass and Bitwarden, VPN configurations, clipboard contents and screenshots. Its configuration system additionally allows custom modules that search the file system for files matching wildcard patterns.



Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emy covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emy's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

All Rights Reserved by HackersRadar ©2026