Skip to main content

YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader.


Aurora Stealer Malware

Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware.

"The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec said in a report shared with The Hacker News.

Aurora is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through YouTube videos and SEO-poised fake cracked software download websites.

Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility.


The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card installed on a system, and compared it against a set of allowlisted vendor IDs (AMD, Intel, or NVIDIA). If the value doesn't match, the loader terminates itself.

The loader ultimately decrypts the final payload and injects it into a legitimate process called "sihost.exe" using a technique called process hollowing. Alternatively, some loader samples also allocate memory to write the decrypted payload and invoke it from there.

"During the injection process, all loader samples resolve the necessary Win APIs dynamically and decrypt these names using a XOR key: 'in2al5d p3in4er,'" security researchers Arnold Osipov and Michael Dereviashkin said.


Another crucial aspect of the loader is its use of Embarcadero RAD Studio to generate executables for multiple platforms, thereby enabling it to evade detection.

"Those with the lowest detection rate on VirusTotal are compiled using 'BCC64.exe,' a new Clang based C++ compiler from Embarcadero," the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.

"This compiler uses a different code base such as 'Standard Library' (Dinkumware) and 'Runtime Library' (compiler-rt) and generates optimized code which changes the entry point and execution flow. This breaks security vendors' indicators, such as signatures composed from 'malicious/suspicious code block.'"

UPCOMING WEBINAR
Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

In a nutshell, the findings show that the threat actors behind in2al5d p3in4er are leveraging social engineering methods for a high-impact campaign that employs YouTube as a malware distribution channel and directs viewers to convincing-looking fake websites to distribute the stealer malware.

The development comes as Intel 471 unearthed another malware loader AresLoader that's marketed for $300/month as a service for criminal actors to push information stealers disguised as popular software using a binder tool. The loader is suspected to be developed by a group with ties to Russian hacktivism.

Some of the prominent malware families spread using AresLoader since January 2023 include Aurora Stealer, Laplas ClipperLumma StealerStealc, and SystemBC.

Source: THN 

Comments

Post a Comment

Popular posts from this blog

Ambassador Angualia Richard Perished in a Fatal Accident.

Story by Osuta Yusuf. Arua City. 29-7-2025. 📸: Portrait of Ambassador Angualia Richard. Courtesy Photo. Former Uganda's Ambassador to Egypt, Ambassador Angualia Louis Richard has been reported dead this evening 5pm 28-7-2025 after he was involved in a head-on collision accident with another motorcycle rider near Abi Farm, Ayivu East Constituency in Arua City. 📸: Photos from the scene of the Accident. Courtesy Photos. He met his death this evening while riding on a Bajaj Motorcycle. Amb. Angualia, who contested in 2011 for Maracha County but lost to Hon Alex Onzima Adrooa. In 2016 when two Constituencies were created in Maracha District, carving Maracha Constituency and Maracha East constituency, Ambassador Angualia contested for Maracha Constituency MP position in 2016 but lost to Hon Oguzu Lee Denis. Ambassador Angualia later shifted to contest in Maracha East Constituency but again lost to Hon Ruth Lematia Molly Ondoru during the 4-September-2020...
1 comment
Read more

Lab Student Drowned, Body Missing in Rokoze Lake in Nyadri Sub-county, Maracha District.

Maracha District.  5-December-2025. 📸: Residents gathered around the lake as they searched the missing body of the student. Photo by #Information_is_Power's news reporter.  This afternoon Friday 5-December-2025, a student from St Joseph Laboratory Training School in Maracha hospital, a one  Araku Denis drowned in Rokoze water body in Nyadri Sub-county and the  body has not been retrieved upto this night as the police and residents searched for it and in vain but they are expected to resume retrieving it tomorrow Saturday 6-December-2025. 📸: Photo of the deceased which we captured on his phone screen this night. Araku and his fellow students had  reportedly gone to pass time at water point after completing exams papers of today. Him and callagues got attracted to swimming at water body where he perished.  By press time, efforts to retrieve his body proved futile as the body remains invisible on water surface.  Rokoze water body...
Post a Comment
Read more

Surgeons fined $60,000 and banned permanently from profession after billionaire died during penis enlargement surgery.

Surgeons have been banned from practicing plastic surgery after a billionaire patient died during a penis enlargement procedure. Belgian-Israeli diamond dealer Ehud Arye Laniado, 65, died of a heart attack during the procedure to enlarge his penis at the Saint-Honore-Ponthieu aesthetic clinic in Paris. His star surgeon, known as Guy H, was known for operating on wealthy clients and he treated Ehud two to four times a year in procedures costing tens of thousands of euros. Wealthy Omega Diamonds owner Ehud would be operated on out of office hours. He had been having injections into his penis to make it appear larger. An investigation was swiftly opened into potential manslaughter chargers following his death, though it soon shifted to charges of failing to assist a person in danger, drug offences and practicing medicine without a licence. A Paris court on Wednesday suspended Guy H's licence and sentenced him to 15 months behind bars. His surgeon, who had been...
Post a Comment
Read more