Aurora first made news headlines in December 2022 when it was used as the final payload in fake software installer campaigns [1]. It recently resurfaced, now spread via malvertisements that redirected users to a supposed Windows security update page. Users who complete the download end up with Aurora-infected computers [2].
Malwarebytes Labs identified 23 indicators of compromise (IoCs), which we subjected to an expansion analysis that found:
- Nearly 600 domains that shared the IoCs’ IP hosts, two of which turned out to be malicious
- 60 domains that contained strings also found among the IoCs
- 160+ subdomains ending in login.php, mirroring the data stealer’s control panel address, two of which turned out to be malware hosts
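The three pivots listed above (shared IP host, shared string, shared URL tail) are the core of an IoC expansion analysis. The following is an added example, not code from the report or from Malwarebytes Labs or WhoisXML API, that runs those pivots over a small constructed passive-DNS-style dataset. Every domain, IP and URL in it is a placeholder (reserved `.example` names and RFC 5737 test addresses), and the seed strings are chosen by hand; the output is a list of leads for an analyst to verify, not a verdict, which matches the report's own finding that only a handful of the expanded artifacts turned out to be malicious.

```python
"""IoC expansion pivots over constructed data (added example, not the report's code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed seed IoCs (placeholders, not from the report).
SEED_DOMAINS = ["secure-update-win.example", "aurora-cp.example"]
SEED_URLS = ["http://aurora-cp.example/panel/login.php"]
# Hand-picked distinctive strings from the seed domains.
SEED_STRINGS = ["aurora", "secure-update"]

# Constructed passive-DNS-style records: (hostname, resolved IP).
PDNS = [
    ("secure-update-win.example", "192.0.2.10"),
    ("aurora-cp.example", "192.0.2.20"),
    ("cdn-images.example", "192.0.2.10"),         # co-hosted with a seed
    ("win-secure-update.example", "192.0.2.30"),  # shares the string "secure-update"
    ("aurora-news.example", "198.51.100.5"),      # shares the string "aurora"
    ("shop.example", "203.0.113.7"),              # unrelated
]

# Constructed URL observations (e.g., from a crawler or proxy log).
URLS = [
    "http://stats.cdn-images.example/api/login.php",
    "http://docs.shop.example/help.html",
    "http://gate.win-secure-update.example/login.php",
]


def pivot_by_ip(seed_domains, pdns):
    """Domains (other than the seeds) that resolve to an IP also used by a seed."""
    ip_to_hosts = defaultdict(set)
    for host, ip in pdns:
        ip_to_hosts[ip].add(host)
    seed_ips = {ip for host, ip in pdns if host in seed_domains}
    hits = set()
    for ip in seed_ips:
        hits |= ip_to_hosts[ip]
    return sorted(hits - set(seed_domains))


def pivot_by_string(strings, seed_domains, pdns):
    """Domains (other than the seeds) whose name contains any seed string."""
    hosts = {host for host, _ in pdns} - set(seed_domains)
    return sorted(h for h in hosts if any(s in h for s in strings))


def pivot_by_path(seed_urls, urls):
    """Hosts whose observed URL path ends with the same filename as a seed C2 URL."""
    tails = {urlsplit(u).path.rsplit("/", 1)[-1] for u in seed_urls}
    tails.discard("")  # a seed URL with no filename component pivots on nothing
    hits = set()
    for u in urls:
        parts = urlsplit(u)
        if parts.path.rsplit("/", 1)[-1] in tails:
            hits.add(parts.hostname)
    return sorted(hits)


def expand(seed_domains=SEED_DOMAINS, seed_urls=SEED_URLS, strings=SEED_STRINGS,
           pdns=PDNS, urls=URLS):
    """Run all three pivots and return the leads grouped by pivot type."""
    return {
        "ip": pivot_by_ip(seed_domains, pdns),
        "string": pivot_by_string(strings, seed_domains, pdns),
        "path": pivot_by_path(seed_urls, urls),
    }


if __name__ == "__main__":
    for pivot, leads in expand().items():
        print(f"{pivot}: {leads}")
```

Each pivot deliberately excludes the seeds themselves so the output is only new leads; a real run would feed those leads into the next round (resolving the new domains, checking WHOIS and hosting history) before any blocking decision.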
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
- [1] https://main.whoisxmlapi.com/threat-reports/is-aurora-as-stealthy-as-its-operators-believe?mc=circleid
- [2] https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader