NEWS The Three Main Enemies of Your Savings: Why the Internet Has Only Become More Dangerous After the Lumma Stealer Was Taken Down

pinkman

Previous data protection advice has proven useless against this new wave of predators.
Following the takedown of the Lumma Stealer infrastructure in 2025, the data-stealing malware market began to rapidly change. The vacated space was filled by new and established tools, and the battle for control over the distribution of infostealers intensified among malware authors. Amid these changes, experts turned their attention to a relatively new project called AuraStealer, which has already been involved in several attacks.

AuraStealer first appeared on hacker forums in July 2025. The malware quickly began spreading in the underground community and is trying to establish itself as a widely used data-stealing tool. AuraStealer competes with families such as Rhadamanthys and Vidar, which have gained ground on the shadow market since Lumma was shut down.

A report by Intrinsec describes the malware's architecture and command-and-control infrastructure. The team identified 48 command-and-control domain names through which operators receive stolen information and manage infected systems. Analysis of the network infrastructure revealed a marked shift in the top-level domains used. Initial campaigns used domains ending in .shop, but operators later began actively registering addresses under .cfd. The migration helps conceal the infrastructure and makes blocking harder: blocklists and detection rules keyed to the old domains or the old TLD miss the new ones until they are rediscovered.

The study's authors also described a method for tracking control servers using online search engines. This approach allows for the discovery of new infrastructure domains, even when operators regularly change addresses.

The technical analysis covered the control panel and the main malicious module. The program code shows operating logic typical of infostealers: the malware collects data from browsers, extracts saved accounts, harvests information from cryptocurrency wallets, and transmits the collected data to the operators' servers. The report lists over 340 indicators of compromise that allow AuraStealer activity to be detected on corporate networks.
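The two findings above that matter most to a defender are the TLD migration (.shop to .cfd) and the published indicator list. The following is an added example, not code from the Intrinsec report or from the forum post, showing how a practitioner would turn those into detection logic over DNS query logs: exact and subdomain matches against an indicator list, plus a looser heuristic that flags any query to the TLDs the operators are known to move between. All domains, IP addresses and log lines below are constructed placeholders; none of the report's actual 48 C2 domains or 340 indicators are reproduced here.

```python
"""Match DNS query logs against an infostealer C2 indicator list.

Added example. The indicator domains, log lines and addresses are all
constructed for illustration and do not come from the Intrinsec report.
"""
import re
from collections import Counter

# Constructed stand-in for a report's C2 domain list (hypothetical names).
IOC_DOMAINS = {
    "panel-example-a.shop",
    "panel-example-b.cfd",
    "gate-example-c.cfd",
}

# The TLDs the text says the operators migrated between.
WATCHED_TLDS = ("shop", "cfd")

# Constructed log lines in a simplified BIND-style query-log format.
SAMPLE_LOG = """\
04-Mar-2026 10:01:02.001 client 10.0.0.15#51234: query: panel-example-a.shop IN A
04-Mar-2026 10:01:05.120 client 10.0.0.15#51240: query: update.example.com IN A
04-Mar-2026 10:02:11.300 client 10.0.0.22#49152: query: gate-example-c.cfd IN A
04-Mar-2026 10:02:15.404 client 10.0.0.22#49153: query: sub.gate-example-c.cfd IN A
04-Mar-2026 10:03:00.000 client 10.0.0.31#50000: query: unlisted-host.cfd IN A
04-Mar-2026 10:03:01.000 client 10.0.0.31#50001: query: www.shopify.com IN A
"""

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(qname):
    """Lower-case and strip a trailing dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """Return the matching indicator if qname is an IOC domain or a subdomain of one.

    Suffix matching is anchored on a dot so that 'notpanel-example-a.shop'
    does not match 'panel-example-a.shop'.
    """
    q = normalize(qname)
    for domain in iocs:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def registrable_tld(qname):
    """Last label of the name; good enough for the .shop/.cfd heuristic."""
    return normalize(qname).rsplit(".", 1)[-1]


def classify(qname, iocs=IOC_DOMAINS):
    """('ioc', domain), ('watched_tld', tld) or ('clean', None)."""
    hit = matches_ioc(qname, iocs)
    if hit:
        return ("ioc", hit)
    tld = registrable_tld(qname)
    if tld in WATCHED_TLDS:
        # Lower confidence: the TLD alone is not proof of compromise, but the
        # report shows operators rotating new domains into it.
        return ("watched_tld", tld)
    return ("clean", None)


def scan_log(text, iocs=IOC_DOMAINS):
    """Parse query-log lines and return every non-clean query as a dict."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, detail = classify(m["qname"], iocs)
        if kind != "clean":
            hits.append({
                "src": m["src"],
                "qname": normalize(m["qname"]),
                "kind": kind,
                "detail": detail,
            })
    return hits


def sources_by_confidence(hits):
    """Count hits per source host, keyed by match kind, for triage."""
    return Counter((h["src"], h["kind"]) for h in hits)


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
    print(sources_by_confidence(scan_log(SAMPLE_LOG)))
```

The distinction between the two match kinds is the point: an exact or subdomain indicator hit is high confidence and can feed a block rule, while a bare .cfd or .shop query is only a hunting lead, to be checked against domain age and the search-engine tracking approach the report describes before it is blocked. Note that the heuristic is deliberately not a substring check, so a query for www.shopify.com is left alone.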

To prepare the report, Intrinsec's analysts combined security monitoring data, incident investigations, and proprietary analysis methods, including honeypots, reverse engineering, and analysis of the attackers' network infrastructure.

The authors believe that the emergence of new infostealers after Lumma's closure demonstrates the rapid adaptation of the underground market. New projects are attempting to fill the vacated positions, while malware operators are actively modernizing their infrastructure to maintain resilience to blocking and investigation.