📖 Overview
A domain-based indicator has been identified hosting a fraudulent “WhatsApp AI” investment platform associated with AuraStealer operations. The site uses promises of high financial returns as a lure while serving as part of botnet C2 and credential-harvesting infrastructure. Confidence is assessed at 50%.
📌 Key Details
| Field | Information |
|---|---|
| Type | Domain |
| Indicator | balancedassetline[.]xyz |
| Threat Type | Botnet C2 |
| Malware | unknown_stealer (AuraStealer) |
| Confidence | 50% |
| Date | 11 Sep 2025 – 12:25:59 UTC |
| Tags | AuraStealer |
| Reporter | meowmeow |
🔎 URLScan Result
Page Title: WhatsApp-AI
Screenshot: https://urlscan.io/screenshots/01980aa9-0905-753c-892d-47b5798ba6c8.png
Result: https://urlscan.io/result/01980aa9-0905-753c-892d-47b5798ba6c8/

📡 Related Intelligence
WHOIS Record: https://who.is/whois/balancedassetline.xyz
VirusTotal Report: https://www.virustotal.com/gui/domain/balancedassetline.xyz
🛡️ Defensive Guidance
- Block balancedassetline[.]xyz at DNS, proxy, and endpoint layers.
- Monitor for connections to cryptocurrency scam or fake AI investment sites.
- Hunt for AuraStealer indicators of compromise across endpoints.
- Review DNS and proxy logs for abnormal traffic linked to investment fraud domains.
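The following script is an added example and not part of the original report. It shows one way to act on the guidance above: refang the published indicator, generate DNS RPZ block entries for the domain and its subdomains, and sweep resolver and proxy logs for queries or requests that hit it. The log formats (a BIND-style query log and a Squid-style access log) and every log line are constructed for illustration; adapt the two regular expressions to your own log schema.

```python
"""Block-list generation and log sweep for the balancedassetline[.]xyz IOC.

Added example, not code from the original report. The log lines below are
constructed samples, not captured traffic.
"""
import re
from urllib.parse import urlsplit

# The indicator exactly as published in the report, in defanged form.
IOC_DEFANGED = "balancedassetline[.]xyz"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


IOC = refang(IOC_DEFANGED)


def matches_ioc(hostname: str, ioc: str = IOC) -> bool:
    """True if hostname is the IOC domain or any subdomain of it.

    A plain substring test would also flag look-alikes such as
    'notbalancedassetline.xyz'; the suffix check below avoids that.
    """
    host = hostname.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def rpz_block_entries(ioc: str = IOC) -> list:
    """DNS RPZ records that return NXDOMAIN for the domain and its subdomains."""
    return [f"{ioc} CNAME .", f"*.{ioc} CNAME ."]


# Constructed sample log lines (two shapes: BIND query log, Squid access log).
SAMPLE_LOGS = [
    "11-Sep-2025 12:26:01.123 client 10.0.0.15#51234: query: balancedassetline.xyz IN A + (10.0.0.2)",
    "11-Sep-2025 12:26:02.456 client 10.0.0.15#51235: query: www.balancedassetline.xyz IN A + (10.0.0.2)",
    "11-Sep-2025 12:26:03.789 client 10.0.0.22#51236: query: example.com IN A + (10.0.0.2)",
    "1757593570.001    120 10.0.0.15 TCP_MISS/200 4321 GET https://balancedassetline.xyz/login - HIER_DIRECT/203.0.113.10 text/html",
    "1757593571.002     80 10.0.0.31 TCP_MISS/200 1234 GET https://notbalancedassetline.xyz/ - HIER_DIRECT/203.0.113.11 text/html",
]

# Assumed formats: adjust these patterns to the resolver/proxy you actually run.
DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<host>\S+) IN")
PROXY_URL_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>[\d.]+)\s+\S+\s+\d+\s+\w+\s+(?P<url>\S+)"
)


def scan_logs(lines) -> list:
    """Return one dict per log line that resolves or requests the IOC domain."""
    hits = []
    for line in lines:
        dns = DNS_QUERY_RE.search(line)
        proxy = PROXY_URL_RE.match(line)
        if dns:
            client, host, kind = dns["client"], dns["host"], "dns"
        elif proxy:
            url = proxy["url"]
            # Squid logs CONNECT targets as host:port without a scheme.
            host = urlsplit(url if "://" in url else "//" + url).hostname or ""
            client, kind = proxy["client"], "proxy"
        else:
            continue
        if matches_ioc(host):
            hits.append({"client": client, "host": host.lower().rstrip("."), "kind": kind})
    return hits


if __name__ == "__main__":
    print("\n".join(rpz_block_entries()))
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit['kind']}: {hit['client']} -> {hit['host']}")
```

The RPZ lines can be dropped into a response-policy zone on the resolver; the scan output gives the internal clients to prioritise for the AuraStealer hunt. Because confidence on this indicator is moderate, the hits are best treated as enrichment leads rather than confirmed compromises.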
⚠️ Confidence is moderate (50%), meaning this IOC should be flagged for watchlisting and enrichment until additional evidence confirms its full role in AuraStealer campaigns.