The notorious Azorult malware has resurfaced on the dark web again, demonstrating a renewed and sophisticated approach. First identified in 2016, Azorult operates as a powerful information-stealing threat, specializing in the extraction of sensitive data such as browsing history, login credentials, and cryptocurrency details.
Cyble Research & Intelligence Labs (CRIL) recently found several PDF files leading to a final payload for Azorult. This is a trimmed-down version of the report shedding light on the Azorult campaign, including the techniques, features, infection chain, and evasive techniques employed by information stealers.
Azorult, a malware variant originating from Russian underground forums, functions both as an information stealer and a downloader for additional threats. Its primary objective is to clandestinely harvest a diverse range of sensitive information from compromised systems, making it a persistent and formidable adversary.
According to CRIL, the discovery of multiple link samples distributing Azorult has unveiled an ongoing campaign with a focus on compromising unsuspecting users. In the latest iteration of the Azorult campaign, the initial attack vector involves a zip file containing a malicious shortcut file masquerading as a PDF document.
This deceptive shortcut file, laced with an obfuscated PowerShell script, triggers a chain of events leading to the deployment of the Azorult payload.
The Azorult campaign follows a meticulous multistage infection chain, orchestrated with precision to avoid detection. The malicious shortcut file, upon execution, drops and executes a batch file through the task scheduler.
Subsequent stages include downloading an additional loader from a remote server, injecting shellcode into memory, and ultimately executing the Azorult malware. Notably, all stages occur within the system’s memory, leaving no traces on the disk and effectively evading detection.
The intricacy of the campaign becomes apparent as we analyze the PowerShell scripts involved. The malicious scripts download auxiliary loaders, dynamically identify specific fields within assemblies, and execute a loader responsible for fetching configuration data from a command-and-control server. The campaign’s complexity lies in its ability to adapt dynamically, making analysis and detection challenging.
The loader executable, known as “helper.exe,” undergoes several checks to ensure it operates in a legitimate environment. Language code checks and virtual environment verifications contribute to the loader’s evasion capabilities.
The loader extracts a unique machine identifier, communicates with C&C servers, and proceeds with malicious activities based on the received configuration.
The ultimate payload, a 32-bit Azorult .Net executable, exhibits a range of malicious activities. These include generating cryptographic keys, performing system checks, and targeting crypto wallets, browsers, and various applications.
Azorult goes beyond data theft by capturing screenshots of the system, creating a comprehensive profile of the compromised system.
The resurgence of the Azorult malware in this complex campaign highlights the ongoing threat it poses to cybersecurity. With its ability to adapt, employ obfuscation techniques, and execute entirely within the system’s memory, Azorult remains a formidable adversary.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
TCE weekly roundup covers cybersecurity threats, AI misuse, supply chain attacks, and global incidents shaping today’s evolving cyber risk landscape.
The pitch for "Active Listening," an AI-powered advertising service that listened to consumers' real-world conversations through their smartphones and smart…
The report stressed that organizations need clearer governance policies around AI usage as adoption continues accelerating across workplaces.
Microsoft confirms active exploitation of CVE-2026-41091 and CVE-2026-45498 in Defender, raising CVSS-based risks and urgent KEV listing concerns.
The French and Dutch law enforcement seized a large-scale virtual private network (VPN) service catering to cybercriminals, offering services to…
Cisco addressed CVE-2026-20223, a CVSS 10.0 Secure Workload REST API vulnerability linked to CWE-306 authentication failures.
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More