PROBABLYPWNED
Malware | April 1, 2026 | 4 min read

AuraStealer Spreads Via TikTok Videos Posing as Software Tutorials

Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.

James Rivera

A new infostealer called AuraStealer is carving out market share in the crowded credential theft landscape. Backed by 48 active command-and-control domains and a distribution strategy that exploits TikTok's reach, the malware targets Windows systems to harvest credentials, cryptocurrency wallets, and two-factor authentication tokens.

The stealer emerged on Russian-language cybercrime forums in mid-2025, positioning itself as a successor to LummaC2 following last year's law enforcement actions against that operation. The "AuraCorp" team behind it offers subscriptions at Basic and Advanced tiers—a business model that's become standard in the malware-as-a-service economy.

What AuraStealer Steals

The malware casts a wide net across victim systems:

  • Browser credentials from Chrome, Firefox, Edge, and other Chromium-based browsers
  • Cryptocurrency wallet data and private keys
  • Two-factor authentication tokens and backup codes
  • Session cookies from Discord, Telegram, and Steam
  • VPN configuration files (including WireGuard and OpenVPN)
  • Password manager databases from KeePass, Bitwarden, and similar tools
  • Clipboard contents
  • Screenshots of active sessions

The cryptocurrency focus is particularly aggressive. AuraStealer can extract wallet files, seed phrases, and authentication tokens—everything needed to drain accounts before victims realize they're compromised.

Distribution Through Social Engineering

What sets AuraStealer apart is its creative distribution. Threat actors behind the malware have embraced "scam-yourself" campaigns on social media platforms, particularly TikTok.

The scheme works like this: malicious TikTok videos pose as tutorials for activating popular software—Windows, Microsoft 365, Adobe Photoshop, Spotify. The videos direct viewers to open PowerShell with administrator privileges and run a short command. That command downloads and executes the AuraStealer payload.

It's social engineering that exploits desperation. People searching for pirated software or activation bypasses are primed to follow risky instructions. The format—short video tutorials with step-by-step commands—removes friction from the infection process.

This distribution method mirrors tactics we've seen with other infostealers, including the ClickFix campaigns spreading through compromised websites.

Technical Sophistication

AuraStealer isn't just another commodity stealer. Researchers from INTRINSEC documented several advanced evasion techniques:

  • Exception-driven API hashing - Obscures Windows API calls to evade static analysis
  • Heaven's Gate technique - Transitions between 32-bit and 64-bit execution to complicate debugging
  • Anti-breakpoint checks - Detects debugger presence by monitoring return addresses
  • String encryption - Hides indicators of compromise from automated scanning

The malware targets Windows 7 through Windows 11, covering the vast majority of the Windows install base.

Infrastructure

Security researchers mapped 48 C2 domains associated with AuraStealer operations. The infrastructure favors cheap, easily abused top-level domains—primarily .shop and .cfd registrations that cost pennies and face minimal scrutiny.

Known C2 domains include:

  • auracorp[.]cfd
  • mscloud[.]cfd
  • magicupdate[.]cfd
  • gamedb[.]shop
  • browsertools[.]shop
  • clocktok[.]cfd

The distributed infrastructure makes takedowns difficult. When one domain gets blocked, operators simply rotate to another from their stable.

The Infostealer Economy

AuraStealer's emergence reflects the resilience of the infostealer ecosystem. Law enforcement has notched significant wins—Operation Endgame recently dismantled infrastructure behind Rhadamanthys, VenomRAT, and Elysium, seizing over 1,000 servers. But new offerings quickly fill gaps left by takedowns.

The malware-as-a-service model keeps the ecosystem churning. Developers build the tools, affiliates distribute them, and victims' credentials flow to markets where they're monetized. Low barriers to entry mean there's always someone ready to launch the next operation.

Defending Against Infostealers

Organizations and individuals can reduce risk from AuraStealer and similar threats:

  1. Never run commands from social media - Legitimate software doesn't require PowerShell commands from TikTok videos
  2. Use hardware security keys - Time-based OTP codes can be stolen; hardware keys can't
  3. Enable browser password protection - Chrome and other browsers offer options to require authentication before revealing saved passwords
  4. Segment cryptocurrency storage - Keep significant holdings in hardware wallets disconnected from internet-connected systems
  5. Monitor for credential exposure - Services like Have I Been Pwned can alert you when credentials appear in dumps

For enterprise security teams, endpoint detection and response (EDR) tools should flag the techniques AuraStealer employs. Network monitoring for connections to known C2 infrastructure provides another detection layer.
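As an added example of the network-monitoring layer described above (not code from the article or from INTRINSEC), the following Python checks DNS query logs against the six C2 domains the article lists. The log format and sample lines are constructed; the match is done on a label boundary so that a look-alike name such as notgamedb.shop is not flagged just because it ends with gamedb.shop.

```python
# Added example (not the article's or INTRINSEC's code): match DNS query logs
# against the AuraStealer C2 domains the article lists. Log format and sample
# lines are constructed; only the domain list comes from the article.

# Defanged indicators exactly as printed in the article.
AURASTEALER_C2_DEFANGED = [
    "auracorp[.]cfd", "mscloud[.]cfd", "magicupdate[.]cfd",
    "gamedb[.]shop", "browsertools[.]shop", "clocktok[.]cfd",
]

# Constructed sample DNS log: "<timestamp> <client_ip> <queried_name>".
SAMPLE_DNS_LOG = """\
2026-04-01T10:01:02Z 10.0.0.15 www.example.com
2026-04-01T10:01:09Z 10.0.0.15 auracorp.cfd
2026-04-01T10:01:11Z 10.0.0.22 cdn.gamedb.shop
2026-04-01T10:01:15Z 10.0.0.22 notgamedb.shop
2026-04-01T10:02:40Z 10.0.0.31 MSCLOUD.CFD.
"""

def refang(indicator: str) -> str:
    """Turn 'example[.]cfd' back into 'example.cfd' for matching."""
    return indicator.replace("[.]", ".").lower()

def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot a resolver log may include."""
    return qname.lower().rstrip(".")

def matches_c2(qname: str, c2_domains):
    """Return the C2 domain that qname equals or is a subdomain of, else None."""
    name = normalize_qname(qname)
    for c2 in c2_domains:
        # Match on a label boundary: 'notgamedb.shop' must not hit 'gamedb.shop'.
        if name == c2 or name.endswith("." + c2):
            return c2
    return None

def scan_dns_log(log_text: str, defanged_c2=AURASTEALER_C2_DEFANGED):
    """Return (timestamp, client_ip, queried_name, matched_c2) for each hit."""
    c2_domains = [refang(d) for d in defanged_c2]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines instead of crashing
            continue
        ts, client, qname = parts
        hit = matches_c2(qname, c2_domains)
        if hit:
            hits.append((ts, client, normalize_qname(qname), hit))
    return hits
```

Running scan_dns_log(SAMPLE_DNS_LOG) flags the three queries for auracorp.cfd, cdn.gamedb.shop and MSCLOUD.CFD., and leaves www.example.com and notgamedb.shop alone.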

The broader lesson: infostealers remain one of the most active threat categories. They're cheap, effective, and directly monetizable. Until that equation changes, we'll keep seeing new entrants competing for market share in the credential theft economy.
