Auraboros RAT Exposes Open Spyware Control Panel

Most malware tries to stay hidden.

Auraboros does something far more dangerous—it exposes itself.

A newly discovered remote access trojan (RAT) framework, Auraboros C2, was found operating with:

  • No authentication
  • No login controls
  • No access restrictions

This means anyone who finds its server can directly view live victim data, surveillance feeds, and stolen credentials.

This isn’t just a malware sample.

It’s an open surveillance dashboard running in production.


What Is Auraboros RAT?

Auraboros is a custom-built remote access trojan framework that provides attackers with full control over compromised Windows systems.

But unlike typical RATs, its command-and-control (C2) panel is:

  • Publicly accessible
  • An unprotected HTTP endpoint
  • Built on Express.js and Socket.io
  • Hosted on a cloud VPS

Key Infrastructure Details:

  • IP: 174.138.43[.]25
  • Port: 5000
  • No authentication layer
  • Full source exposed (84KB JavaScript leak)

Why This Discovery Is Unusual

Most C2 infrastructure is:

  • Hidden behind encryption
  • Protected with credentials
  • Designed to avoid detection

Auraboros is the opposite.

It openly exposes:

  • Victim lists
  • Keylogs in real time
  • Browser credentials
  • Command execution logs
  • Live system telemetry

Core Capabilities of Auraboros RAT

Once deployed, Auraboros enables full system surveillance:

🔴 Active Monitoring Features

  • Live keylogging (3-second intervals)
  • Screenshot capture
  • Webcam snapshots
  • Clipboard theft
  • File system browsing

🔴 System Control Features

  • Remote shell execution
  • Process enumeration
  • Port scanning
  • ARP scanning
  • OTA agent updates

🔴 Network Exploitation Features

  • Reverse SOCKS5 proxy (port 1080)
  • Traffic tunneling
  • Session hijacking

The Most Dangerous Component: Cookie Hijacking Engine

Auraboros doesn’t just steal passwords.

It steals active sessions.


How it works:

  1. Extracts browser data (Chrome & Brave)
  2. Uses Windows DPAPI to decrypt credentials
  3. Copies the “Login Data” SQLite database
  4. Extracts cookies and session tokens

Then it escalates:

  • Builds session cloning scripts
  • Routes traffic through SOCKS5 proxy
  • Impersonates victim’s IP address

Result: Full account takeover without login credentials.


Live Audio Streaming & Surveillance Risk

One of the most alarming features observed:

👉 Real-time audio streaming capability

Combined with:

  • Webcam access
  • Keylogging
  • Screen capture

Auraboros effectively becomes a multi-sensor surveillance platform.


Open C2 Panel: A Critical Security Failure

Researchers found:

  • No login screen
  • No token validation
  • No session isolation

Even worse:

Every connected client could see all victim activity in real time.


Exposed endpoints included:

  • Beacon lists
  • Keylogger feeds
  • Command results
  • Credential dumps

Development Clues & Attribution Signals

The only known beacon belonged to:

  • A test machine labeled “LabCasa”
  • Located in Brazil
  • Running a Windows debug setup

Key insight:

This suggests Auraboros may still be:

  • In active development
  • Or used in controlled testing environments

Delivery Mechanism: DLL Sideloading

Auraboros uses a stealthy infection method:

Execution flow:

Legitimate EXE → Loads malicious DLL → Executes CollectData routine → Registers with C2

Why this matters:

  • Hides inside trusted process names
  • Bypasses basic endpoint detection
  • Blends into normal system activity
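The sideloading pattern above (a trusted EXE pulling a malicious DLL from its own directory) leaves a recognisable trace in image-load telemetry. The script below is an added example written for this article, not code from the original post or from Auraboros itself. It assumes Sysmon-style image-load records (Event ID 7 carries Image, ImageLoaded and Signed) already parsed into dicts; the sample events are constructed, and every path and file name in them is hypothetical except DiskIntegrityScanner.exe, which the article lists as a hunt indicator.

```python
"""Flag candidate DLL sideloading in image-load telemetry.

Added example for this article, not code from the original post or from
Auraboros. Assumes Sysmon-style Event ID 7 records already parsed into
dicts with Image, ImageLoaded and Signed fields. Sample events below are
constructed; paths and file names are hypothetical except the hunt name.
"""
import ntpath

# DLL loads from the Windows directory are the normal case and are ignored.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\")

# DLL names that normally resolve from System32. A same-named file sitting
# next to a legitimate EXE is the classic sideloading pattern: the EXE
# searches its own directory first and loads the planted copy.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll",
                    "wtsapi32.dll", "dbghelp.dll", "profapi.dll"}

# Directories an ordinary user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Process names the article lists as hunt artefacts.
HUNT_NAMES = {"diskintegrityscanner.exe"}


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify_load(event):
    """Return the reasons this image-load event looks like sideloading.

    An empty list means the load is unremarkable under these heuristics.
    """
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    signed = str(event.get("Signed", "false")).lower() == "true"
    exe_dir = ntpath.dirname(image) + "\\"
    dll_dir = ntpath.dirname(loaded) + "\\"
    dll_name = ntpath.basename(loaded)

    if dll_dir.startswith(WINDOWS_DIRS):
        return []

    reasons = []
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append("system DLL name loaded from outside the Windows directory")
    if dll_dir == exe_dir and not signed:
        reasons.append("unsigned DLL loaded from the host executable's directory")
    if not signed and any(h in dll_dir for h in USER_WRITABLE_HINTS):
        reasons.append("unsigned DLL loaded from a user-writable path")
    if ntpath.basename(image) in HUNT_NAMES:
        reasons.append("host process matches a published hunt indicator")
    return reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every flagged event."""
    hits = []
    for ev in events:
        reasons = classify_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (hypothetical paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Example\App.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\Tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
    {"Image": r"C:\Users\lab\AppData\Local\Temp\Updater.exe",
     "ImageLoaded": r"C:\Users\lab\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\lab\Downloads\DiskIntegrityScanner.exe",
     "ImageLoaded": r"C:\Users\lab\Downloads\dwmapi.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for reason in reasons:
            print(f"    {reason}")
```

The first two sample events (a system DLL loaded from System32, a signed vendor DLL loaded beside its own EXE) produce no reasons, which is the point of the early return and the signature check: the heuristic keys on a System32 name or an unsigned file appearing in a user-writable directory next to its host, not on DLL loads in general. Expand SYSTEM_DLL_NAMES from the export tables of the EXEs you actually allow to run.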

Credential Theft via Windows DPAPI

Auraboros specifically targets:

  • Chrome browser
  • Brave browser

Attack steps:

  • Locates encrypted browser keys
  • Uses Windows CryptUnprotectData
  • Decrypts stored credentials
  • Extracts session cookies

Why This RAT Is High Risk

Auraboros combines multiple threat categories:

  • Surveillance malware
  • Credential stealer
  • Remote access tool
  • Session hijacker

Impact potential:

  • Full system compromise
  • Corporate account takeover
  • Cloud session hijacking
  • Persistent surveillance

Detection & Mitigation Guidance

🚨 Immediate actions:

  • Block IP: 174.138.43[.]25
  • Monitor traffic to ports 5000 and 9000
  • Hunt for DiskIntegrityScanner.exe

🧠 Behavioral monitoring:

  • Unexpected Socket.io connections
  • Reverse SOCKS5 tunnels (port 1080)
  • Unusual browser DPAPI access

🛡️ Endpoint defenses:

  • Application control policies
  • DLL sideloading detection
  • Credential access monitoring
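The network side of the guidance above (the C2 address, ports 5000 and 9000, reverse SOCKS5 on 1080, and unexpected Socket.io connections) can be turned into one hunt over firewall or proxy exports. The script below is an added example for this article, not code from the original post or from Auraboros. The address and ports are the article's indicators; the Socket.io handshake path is the library's default endpoint. The CSV log lines are constructed, the internal hosts in them are hypothetical, and the external addresses other than the indicator are documentation ranges.

```python
"""Match connection records against the article's Auraboros indicators.

Added example for this article, not code from the original post or from
Auraboros. Indicator IP and ports are from the article; the Socket.io path
is the library's default handshake endpoint. The CSV sample is constructed.
"""
import csv
import io
import ipaddress

# Indicators as published (defanged). refang() restores the dotted form so
# the comparison works on live telemetry while reports keep the safe form.
C2_HOSTS_DEFANGED = ["174.138.43[.]25"]
C2_PORTS = {5000, 9000}
REVERSE_PROXY_PORT = 1080
# Every Socket.io client opens with an HTTP GET to this path.
SOCKETIO_PATH = "/socket.io/"

# What counts as "internal" is a site decision; RFC 1918 is the baseline.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


C2_HOSTS = {ipaddress.ip_address(refang(h)) for h in C2_HOSTS_DEFANGED}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(row):
    """Return the reasons a single connection record is suspicious."""
    reasons = []
    dst = ipaddress.ip_address(row["dst_ip"])
    dport = int(row["dst_port"])
    uri = row.get("uri") or ""

    if dst in C2_HOSTS:
        reasons.append("destination is a published Auraboros C2 address")
        if dport in C2_PORTS:
            reasons.append(f"port {dport} matches the published C2 port")
    # A reverse SOCKS5 tunnel shows up as an outbound session to 1080 on a
    # host outside the estate; internal 1080 traffic is ignored here.
    if dport == REVERSE_PROXY_PORT and not is_internal(dst):
        reasons.append("outbound connection to 1080, possible reverse SOCKS5 tunnel")
    if uri.startswith(SOCKETIO_PATH) and not is_internal(dst):
        reasons.append("Socket.io handshake to an external host")
    return reasons


def hunt(log_text):
    """Parse a CSV export and return (ts, src, dst, dport, reasons) hits."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        if reasons:
            hits.append((row["ts"], row["src_ip"], row["dst_ip"],
                         int(row["dst_port"]), reasons))
    return hits


# Constructed sample export (firewall/proxy feed). External addresses other
# than the indicator are documentation ranges.
SAMPLE_LOG = """ts,src_ip,dst_ip,dst_port,uri
2024-01-01T10:00:00Z,10.0.0.5,198.51.100.1,443,/
2024-01-01T10:00:05Z,10.0.0.5,174.138.43.25,5000,/socket.io/?EIO=4&transport=polling
2024-01-01T10:00:09Z,10.0.0.7,10.0.0.9,1080,
2024-01-01T10:01:00Z,10.0.0.7,203.0.113.8,1080,
2024-01-01T10:02:00Z,10.0.0.5,198.51.100.20,443,/socket.io/?EIO=4&transport=websocket
"""

if __name__ == "__main__":
    for ts, src, dst, dport, reasons in hunt(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}")
        for reason in reasons:
            print(f"    {reason}")
```

The Socket.io rule is the noisy one: plenty of legitimate SaaS dashboards use the same library, so in practice it feeds an allowlist of known external Socket.io services rather than an alert on its own. The address match and the external 1080 session are the high-confidence signals.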

Common Security Mistake Exposed

Auraboros highlights a recurring issue:

Assuming cloud-hosted malware infrastructure will be secured

In reality:

  • Many attacker panels are poorly configured
  • Authentication is often missing
  • Debug builds are accidentally exposed

FAQs

What is Auraboros RAT?

A remote access trojan framework with an exposed, unauthenticated control panel.


What makes it dangerous?

It allows anyone to access live victim data without authentication.


What systems does it target?

Primarily Windows environments.


Can it steal passwords?

Yes, including browser-stored credentials and session cookies.


Does it include live surveillance?

Yes, including keylogging, webcam, and audio monitoring.


How is it delivered?

Through DLL sideloading using legitimate executables.


Conclusion: A Malware Panel With No Doors

Auraboros is not just another RAT.

It represents a dangerous trend where:

attackers accidentally (or carelessly) expose their entire infrastructure online.


Key takeaways:

  • Fully exposed C2 panel with no authentication
  • Advanced credential and session theft
  • Live surveillance capabilities
  • DLL sideloading-based persistence

Final thought:

If malware infrastructure is this exposed…

the real question is how many others are hiding in plain sight.
