Dark Web Informer - Cyber Threat Intelligence
IOC

IOC Alert: AuraStealer C2 Domain Identified

📖 Overview
A domain-based indicator tied to command-and-control infrastructure for AuraStealer has been identified. The domain poses a high-confidence threat and disguises itself with a generic login page to support malicious C2 operations.


📌 Key Details

Type: Domain
Indicator: softytoys[.]shop
Threat Type: Botnet C2
Malware: unknown_stealer (AuraStealer)
Confidence: 100%
Date: 30 Aug 2025 – 14:44:14 UTC
Tags: AuraStealer
Reporter: abuse_ch

🔎 URLScan Result
Page Title: Sign in
Screenshot: https://urlscan.io/screenshots/0198cb96-bce3-73ee-a9b3-8400d5a011dd.png
Result: https://urlscan.io/result/0198cb96-bce3-73ee-a9b3-8400d5a011dd/


📡 Related Intelligence
WHOIS Record: https://who.is/whois/softytoys.shop
VirusTotal Report: https://www.virustotal.com/gui/domain/softytoys.shop
Reference: https://foresiet.com/blog/aura-stealer-malware-analysis/


🛡️ Defensive Guidance

  • Block softytoys[.]shop at DNS, proxy, and endpoint layers.
  • Monitor for C2 callbacks and credential theft tied to AuraStealer.
  • Hunt for persistence artifacts and stealer-related payloads on endpoints.
  • Review DNS, proxy, and firewall logs for traffic to the domain.
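Added example, not part of the original alert: a small Python helper that refangs the published indicator and checks DNS and proxy log lines for the domain and its subdomains, while rejecting look-alike names that a plain substring search would flag. The log lines, client IPs and timestamps below are constructed.

```python
import re

# Indicator exactly as the alert publishes it (defanged); refanged only in memory.
INDICATOR_DEFANGED = "softytoys[.]shop"

# Constructed sample lines (not real logs): DNS query log entries, one proxy access
# line, and three benign look-alikes that a naive substring match would get wrong.
SAMPLE_LOGS = [
    "2025-08-30 14:44:20 client 10.0.0.5 query A softytoys.shop",
    "2025-08-30 14:45:01 client 10.0.0.7 query A cdn.softytoys.shop",
    "1756565120.123 200 10.0.0.9 TCP_MISS/200 512 GET https://SOFTYTOYS.SHOP/login - HIER_DIRECT/203.0.113.10 text/html",
    "2025-08-30 14:46:00 client 10.0.0.8 query A notsoftytoys.shop",
    "2025-08-30 14:46:30 client 10.0.0.8 query A softytoys.shop.example.com",
    "2025-08-30 14:47:00 client 10.0.0.2 query A www.example.org",
]

# Hostname-like tokens: labels separated by dots, ending in an alphabetic TLD
# (so bare IPv4 addresses and timestamps are not picked up).
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def domain_matches(host: str, indicator: str) -> bool:
    """True for the indicator itself or any subdomain of it.
    Rejects 'notsoftytoys.shop' and 'softytoys.shop.example.com'."""
    h = host.lower().rstrip(".")
    return h == indicator or h.endswith("." + indicator)


def find_hits(lines, indicator_defanged=INDICATOR_DEFANGED):
    """Return (line_number, matched_host) for every log line that touches the C2 domain."""
    indicator = refang(indicator_defanged)
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            if domain_matches(host, indicator):
                hits.append((n, host.lower()))
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for n, host in find_hits(SAMPLE_LOGS):
        print(f"line {n}: {host}")
```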
