AuraStealer Expands to 48 C2 Domains Filling Lumma Void
Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.
A new information-stealing malware called AuraStealer has rapidly expanded its infrastructure to 48 active command-and-control domains since emerging in mid-2025, filling the gap left by the disrupted Lumma stealer infrastructure.
Security researchers at Gen Digital have mapped the growing C2 network, revealing a sophisticated operation that targets credentials from over 110 browsers, 70 applications, and 250 browser extensions including cryptocurrency wallets and two-factor authentication tools.
From Lumma's Ashes
AuraStealer first appeared on underground hacker forums in July 2025, shortly after law enforcement actions disrupted the Lumma stealer operation that had dominated the infostealer market. The timing was deliberate—Russian-speaking developers positioned AuraStealer as a direct replacement, offering similar capabilities at competitive pricing.
The malware is sold through tiered subscription packages:
- Basic: $295/month
- Advanced: $585/month with additional features
- Team Plan: Collaborative licenses for criminal organizations
This pricing model mirrors the malware-as-a-service approach that has made infostealers so prevalent. We've seen similar credential theft operations targeting enterprise environments with increasing sophistication.
What AuraStealer Targets
The malware executes comprehensive credential harvesting across multiple categories:
Browser Data
- Login credentials from 110+ browsers
- Autofill data including addresses and payment cards
- Session cookies for authenticated services
- Browser history and bookmarks
Cryptocurrency
- Wallet files from major crypto applications
- Browser extension wallets (MetaMask, Phantom, Trust Wallet)
- Private keys and seed phrases
Authentication
- 2FA tokens from authenticator apps
- Session cookies from Discord, Telegram, and Steam
- VPN configuration files containing credentials
- Password manager databases (KeePass, Bitwarden)
System Information
- Screenshots of the victim's desktop
- Clipboard contents (potentially containing passwords)
- System fingerprinting data
Technical Capabilities
AuraStealer employs several advanced techniques to evade detection:
API Hashing: The malware resolves the Windows API functions it needs by hash rather than by name (an exception-driven variant of API hashing), so the imports it relies on never appear as plain strings, making static analysis more difficult for security tools.
Heaven's Gate: AuraStealer uses the Heaven's Gate technique for its more suspicious NTDLL calls, switching from 32-bit to 64-bit code so those calls bypass user-mode security hooks placed on the 32-bit code path.
Anti-Debug Checks: The malware actively detects debugging environments by checking for breakpoints on return addresses, terminating execution when analysis tools are detected.
Encrypted Communications: All C2 traffic is AES-256 encrypted, so network inspection cannot see the contents of the exfiltrated data.
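Analysts undo API hashing by precomputing the hash of every export name a sample could have wanted and looking up the constants found in the binary. The script below is an added example, not code from the article or from Gen Digital's analysis: the article does not disclose AuraStealer's hash function or how its exception-driven variant works, so the classic ROR13 additive hash is used purely as a stand-in, and the export list and the "hashes pulled from a sample" are constructed here.

```python
"""Reverse-lookup table for hashed Windows API imports (analyst tooling example)."""
from typing import Dict, Iterable, Optional


def ror13_hash(name: str) -> int:
    """Rotate-right-13 additive hash over the ASCII bytes of an export name.

    ASSUMPTION: ROR13 is used only to illustrate the technique; the hash
    AuraStealer really uses is not described in the article.
    """
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # 32-bit rotate right by 13
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_lookup(export_names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name so constants seen in a sample can be resolved."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            # A 32-bit hash can collide; keep every candidate visible to the analyst.
            table[h] = f"{table[h]}|{name}"
        else:
            table[h] = name
    return table


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Return the export name(s) behind a hash constant, or None if unknown."""
    return table.get(hash_value & 0xFFFFFFFF)


def resolve_all(hash_values: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    return {h: resolve(h, table) for h in hash_values}


# Constructed export list: a few real kernel32/ntdll names. A real run would
# parse the export tables of the DLLs on the analysis VM instead.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
]

# Constructed stand-ins for constants an analyst would extract from a sample.
SAMPLE_CONSTANTS = [ror13_hash("VirtualProtect"), ror13_hash("NtProtectVirtualMemory"), 0x12345678]


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXPORTS)
    for constant, name in resolve_all(SAMPLE_CONSTANTS, lookup).items():
        print(f"0x{constant:08X} -> {name or '<unresolved>'}")
```

Unresolved constants usually mean the export list is incomplete (another DLL, or a different hash seed), so widen the export set before assuming the hash algorithm is wrong.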
C2 Infrastructure Analysis
Researchers identified 48 active C2 domains primarily using cheap, easily abused top-level domains:
- .shop domains (gamedb.shop, browsertools.shop)
- .cfd domains (auracorp.cfd, mscloud.cfd, magicupdate.cfd, clocktok.cfd)
Most domains are fronted by Cloudflare, complicating takedown efforts and masking the true hosting infrastructure. This pattern of using legitimate CDN services for malicious purposes continues to challenge defenders.
Distribution Methods
AuraStealer spreads primarily through "scam-yourself" campaigns on social platforms. The technique is effective: attackers post tutorial videos on TikTok promising free activation of paid software, cracked games, or pirated tools. Victims follow instructions that ultimately download and execute the infostealer.
This social engineering approach bypasses many technical security controls by convincing users to disable protections themselves. Similar ClickFix-style attacks have targeted macOS users with fake installers.
Detection and Defense
Organizations should implement the following defenses:
- Monitor for C2 indicators - Block known AuraStealer domains at the network perimeter
- Enforce browser policies - Restrict installation of unauthorized browser extensions
- Enable MFA everywhere - Time-based tokens reduce the impact of stolen credentials
- Deploy EDR solutions - Behavioral detection can identify infostealer activity patterns
- User awareness training - Educate employees about fake software download scams
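A concrete form of the "monitor for C2 indicators" advice, tied to the infrastructure section above: check DNS query logs against the C2 domains the article names and flag queries to the TLDs it says AuraStealer favours. This is an added example, not a detection from the article or from Gen Digital; the log line format is assumed, the sample lines are constructed, and the blocklist holds only the six domains the article prints, not the full set of 48.

```python
"""Flag DNS queries that match AuraStealer C2 indicators (added detection example)."""
import re
from typing import List, Optional, Tuple

# The six C2 domains named in the article. The full 48-domain list is not
# reproduced there, so treat this as a starting blocklist, not a complete one.
KNOWN_C2_DOMAINS = {
    "gamedb.shop", "browsertools.shop",
    "auracorp.cfd", "mscloud.cfd", "magicupdate.cfd", "clocktok.cfd",
}

# TLDs the article reports the operators favour. Plenty of legitimate sites use
# .shop, so a hit here is a review signal, not a block decision.
WATCH_TLDS = {"shop", "cfd"}

# ASSUMED log format (constructed for this example): key=value fields, one query per line.
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def normalise(domain: str) -> str:
    """Lower-case and drop the trailing dot a resolver log may append."""
    return domain.strip().rstrip(".").lower()


def classify(query: str) -> str:
    """Return 'known_c2', 'suspicious_tld' or 'benign' for one queried name."""
    name = normalise(query)
    # Match the listed domain itself and any subdomain of it (e.g. api.gamedb.shop).
    for bad in KNOWN_C2_DOMAINS:
        if name == bad or name.endswith("." + bad):
            return "known_c2"
    tld = name.rsplit(".", 1)[-1]
    if tld in WATCH_TLDS:
        return "suspicious_tld"
    return "benign"


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    match = LOG_LINE.search(line)
    if match is None:
        return None
    return match.group("client"), match.group("query")


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, query, verdict) for every non-benign query in the log."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line
        client, query = parsed
        verdict = classify(query)
        if verdict != "benign":
            findings.append((client, normalise(query), verdict))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-11-03T10:14:02Z client=10.0.5.21 query=www.example.com type=A",
    "2025-11-03T10:14:07Z client=10.0.5.21 query=magicupdate.cfd type=A",
    "2025-11-03T10:15:33Z client=10.0.7.8 query=api.gamedb.shop. type=A",
    "2025-11-03T10:16:01Z client=10.0.9.3 query=my-legit-store.shop type=A",
    "this line is not a DNS record",
]


if __name__ == "__main__":
    for client, query, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15} {client:12} {query}")
```

Because most of these domains sit behind Cloudflare, matching on resolved IP addresses is unreliable; the queried name is the stable indicator, which is why the check works on DNS logs rather than firewall connection logs.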
For those unfamiliar with how these threats operate, our malware fundamentals guide covers the basic mechanics of information stealers.
The Larger Infostealer Ecosystem
AuraStealer's rapid growth reflects the resilience of the infostealer market. When one operation falls, others emerge to fill the vacuum. The low technical barrier to entry and subscription-based pricing makes these tools accessible to criminals without coding skills.
Enterprise security teams should assume credential exposure is inevitable and design authentication systems accordingly. The Moltbook database exposure demonstrated how stolen API keys can cascade into larger breaches. Hardware security keys, phishing-resistant MFA, and continuous session monitoring offer stronger protection than password-based authentication alone.
The infostealer threat shows no signs of slowing. Security teams should expect continued innovation from malware developers targeting both consumer and enterprise credentials throughout 2026.