Since September 2022, Aurora malware has been advertised as an infostealer, and several traffer teams have announced that they added it to their malware toolset. Furthermore, SEKOIA.IO observed an increase in the number of Aurora samples distributed in the wild, as well as in the number of C2 servers.
First advertised on Russian-speaking underground forums in April 2022, Aurora is a multi-purpose botnet with stealing, downloading and remote access capabilities. The botnet was sold as a Malware-as-a-Service (MaaS) by a threat actor going by the handle Cheshire.
In July 2022, Sekoia identified around 50 samples, the majority of which belonged to the “Cheshire” and “Zelizzard” botnets, and fewer than a dozen C2 servers associated with Aurora botnets. In late July, the Aurora servers were no longer active, and no more recent Aurora samples were submitted to an online public repository. At the time, SEKOIA.IO assessed that the activity of Aurora botnets was at a near standstill.
Additionally, the presumed developer stopped publishing about the Aurora botnet on Dark Web forums and on its Telegram channel at the beginning of June 2022. Another publication on the BHF forum in late July 2022 suggested that the Cheshire developers had shifted to developing malware on demand. Based on these observations, Sekoia assesses it is possible that the Aurora Botnet MaaS development is now abandoned.
In late August 2022, Aurora was advertised as a stealer instead of a botnet on Telegram and underground forums.