New Auraboros RAT Exposes Live Audio Streaming, Keylogging, and Cookie Hijacking in Open C2 Panel

A previously undocumented remote access trojan (RAT) framework called Auraboros C2 has surfaced, exposing an alarming level of open access to victim data, live surveillance capabilities, and browser credential theft.

The entire command-and-control (C2) dashboard operates over plain HTTP with no login, no token, and no authentication of any kind, making victim data accessible to anyone who can reach the server’s port.

The malware’s C2 panel, hosted on a DigitalOcean server at IP address 174.138.43[.]25, runs on port 5000 using an Express.js and Socket.io backend.

The panel was built with Brazilian Portuguese as its language, carrying branding that reads “Auraboros Advanced Defense Systems,” and shows a polished dark-themed interface with custom CSS and JavaScript.

Despite the professional appearance of the dashboard, no security controls were applied to restrict access to its management functions or victim data.

The full 84KB JavaScript source was freely downloadable by any visitor, revealing the complete architecture of the framework.

Breakglass Intelligence analysts and researchers identified the Auraboros C2 after being tipped off by security researchers @Fact_Finder03 and @4_n_0_n_1_3_3_7, who flagged the live panel on social media.

Investigators downloaded the panel source, connected to its real-time Socket.io transport, and enumerated its full command set without any credentials.

Their analysis confirmed that the framework is custom-built and had not appeared in any prior threat intelligence report, vendor advisory, or public research.

The framework carries an extensive set of capabilities targeting Windows systems.

It supports screenshot capture, webcam snapshots, clipboard theft, live keylogging with three-second polling intervals, Wi-Fi password extraction, file browsing, arbitrary shell command execution, process enumeration, ARP scanning, port scanning, reverse SOCKS5 proxying on port 1080, OTA agent updates, and a dedicated cookie impersonation engine.

Six unauthenticated API endpoints expose beacon lists, command results, event logs, live keylogger feeds, and stolen browser credentials to anyone on the network.

The Socket.io transport also broadcasts all real-time command results to every connected client, with no session isolation in place.

The single registered beacon found during the investigation appears to be the developer’s own test machine.

The beacon, identified by the hostname DESKTOP-FVPFLD2 and the username “LabCasa” (Portuguese for “home lab”), was running a process called DiskIntegrityScanner.exe on a Lenovo laptop located in Goiania, Brazil.

The beacon had been offline for five days at the time of discovery, and the test machine showed no saved passwords, confirming it was a clean lab setup used during development.

DLL Sideloading and Browser Credential Theft

One of the most technically significant aspects of Auraboros is how it delivers and hides the implant on a target machine. Rather than deploying a standalone malicious binary, the framework uses DLL sideloading.

A clean, seemingly legitimate executable called DiskIntegrityScanner.exe acts as the host process. When this file runs, it loads a malicious DLL that immediately executes a “CollectData” routine, harvesting the machine’s hostname, username, and privilege level before registering with the C2 server.

This technique allows the implant to hide behind a legitimate-looking process in the Windows task list, making it harder to detect during routine monitoring.

The credential theft mechanism targets Brave and Chrome browsers using Windows DPAPI (Data Protection API).

The implant resolves the browser’s AppData profile path, locates the encrypted master key, decrypts it using the Windows CryptUnprotectData function, and then copies the Login Data SQLite database to query for stored passwords and session cookies.

During testing, the developer ran the Brave extraction command 18 times in a single afternoon session, suggesting active debugging of the DPAPI decryption logic.

The cookie impersonation engine then takes the stolen cookies, generates a session cloning script, and routes traffic through the reverse SOCKS5 tunnel on the victim machine, so the attacker’s browser appears to originate from the victim’s IP address during account takeover attempts.

Organizations and security teams should take the following immediate actions based on the findings. Block the IP address 174.138.43[.]25 at the network perimeter right away. Hunt for the presence of DiskIntegrityScanner.exe on all endpoints, as it is not a legitimate Windows binary.

Monitor outbound connections to port 9000 on DigitalOcean-hosted IPs, which is assessed as the beacon callback port. Set up alerts for reverse SOCKS5 activity on port 1080.

Report the infrastructure to DigitalOcean’s abuse team at abuse@digitalocean.com. Additionally, hunt for Socket.io polling requests directed to non-standard ports, which may indicate active C2 beaconing behavior.
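The hunting actions above (known C2 address, port 9000 callbacks to hosting-provider ranges, port 1080 SOCKS5 traffic, Socket.io polling to non-standard ports, and the DiskIntegrityScanner.exe host binary) can be expressed as a small detection pass over connection logs and an endpoint process inventory. The script below is an added example and is not code from the article or from Breakglass Intelligence. The log line layout, the process inventory tuples and the sample records are constructed for the example, and HOSTING_PREFIXES is a placeholder standing in for DigitalOcean's real address ranges, which a production hunt would load from the provider's published prefixes rather than hard-code.

```python
"""Hunt for the Auraboros indicators named in the article across sample telemetry.

Added example, not code from the article or from Breakglass Intelligence.
Assumptions: the connection-log layout and process-inventory tuples are
constructed here, and HOSTING_PREFIXES is a placeholder for the provider's
published address ranges.
"""
import ipaddress
import re
from dataclasses import dataclass


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 174.138.43[.]25 back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang("174.138.43[.]25")      # panel address from the article
BEACON_PORT = 9000                     # assessed beacon callback port
SOCKS_PORT = 1080                      # reverse SOCKS5 proxy port
SUSPECT_PROCESS = "diskintegrityscanner.exe"
STANDARD_WEB_PORTS = {80, 443}

# Placeholder (constructed) hosting-provider range; load real prefixes in production.
HOSTING_PREFIXES = [ipaddress.ip_network("174.138.43.0/24")]

# Socket.io long-polling transport shows up in the URL query string.
SOCKETIO_POLLING = re.compile(r"/socket\.io/\?[^ ]*transport=polling", re.I)
# Constructed log layout: "<timestamp> <src_ip> <dst_ip> <dst_port> <url-or-dash>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str   # internal host or IP the alert concerns
    detail: str


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def in_hosting_ranges(ip: str, prefixes) -> bool:
    """True when ip falls inside any of the supplied provider prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in prefixes)


def hunt_connections(lines, prefixes=HOSTING_PREFIXES):
    """Apply the four network-side rules from the article to each log line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, url = rec["src"], rec["dst"], rec["port"], rec["url"]
        if dst == C2_IP:
            findings.append(Finding("known-c2-ip", src, f"connection to {dst}:{port}"))
        if port == BEACON_PORT and in_hosting_ranges(dst, prefixes):
            findings.append(Finding("beacon-callback-port", src, f"{dst}:{port} in hosting range"))
        if port == SOCKS_PORT:
            findings.append(Finding("socks5-port", src, f"{dst}:{port}"))
        if port not in STANDARD_WEB_PORTS and SOCKETIO_POLLING.search(url):
            findings.append(Finding("socketio-polling-nonstandard-port", src, url))
    return findings


def hunt_processes(inventory):
    """Return hosts running the sideloading host binary, matched case-insensitively."""
    return sorted({host for host, name, _path in inventory if name.lower() == SUSPECT_PROCESS})


# Constructed sample telemetry (documentation IP ranges used for non-C2 peers).
SAMPLE_CONNECTION_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 174.138.43.25 5000 http://174.138.43.25:5000/socket.io/?EIO=4&transport=polling",
    "2024-01-01T10:00:05Z 10.0.0.5 174.138.43.25 9000 -",
    "2024-01-01T10:01:00Z 10.0.0.7 203.0.113.9 1080 -",
    "2024-01-01T10:02:00Z 10.0.0.8 198.51.100.20 443 https://example.com/",
    "2024-01-01T10:03:00Z 10.0.0.9 198.51.100.40 8080 http://198.51.100.40:8080/socket.io/?EIO=3&transport=polling&t=abc",
    "2024-01-01T10:04:00Z 10.0.0.9 192.0.2.77 9000 -",   # port 9000 but not a hosting range: no alert
]
SAMPLE_PROCESS_INVENTORY = [
    ("WS-01", "DiskIntegrityScanner.exe", r"C:\Users\u\AppData\Local\Temp\DiskIntegrityScanner.exe"),
    ("WS-02", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("WS-03", "diskintegrityscanner.EXE", r"D:\tools\diskintegrityscanner.EXE"),
]

if __name__ == "__main__":
    for f in hunt_connections(SAMPLE_CONNECTION_LOG):
        print(f"[{f.rule}] {f.source}: {f.detail}")
    print("hosts running suspect binary:", hunt_processes(SAMPLE_PROCESS_INVENTORY))
```

The port 9000 rule is deliberately qualified by the hosting-range check, as the article does, so that ordinary internal services on that port do not page the on-call analyst; the Socket.io rule is qualified by port so that legitimate web applications on 80 and 443 are ignored.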

The post New Auraboros RAT Exposes Live Audio Streaming, Keylogging, and Cookie Hijacking in Open C2 Panel appeared first on Cyber Security News.

Source: cybersecuritynews.com
