Resurgence of Azorult malware: Dark Web campaign revealed


The famous Azorult malware has resurfaced on the dark web, demonstrating a renewed and sophisticated approach. First identified in 2016, Azorult functions as a powerful information theft threat, specializing in extracting sensitive data such as browsing history, login credentials and cryptocurrency details.

Cyble Research & Intelligence Labs (CRIL) recently found several PDF files leading to a final payload for Azorult. This is a stripped down version of the report highlighting the Azorult campaign, including the techniques, characteristics, infection chain and evasion techniques used by the information thieves.

What is Azorult malware?

Azorult, a malware variant originating from Russian underground forums, works as both an information stealer and an additional threat downloader. Its primary objective is to clandestinely harvest a wide range of sensitive information from compromised systems, making it a persistent and formidable adversary.

According to CRIL, the discovery of several sample links distributing Azorult exposed an ongoing campaign aimed at compromising unsuspecting users. In the latest iteration of the Azorult campaign, the initial attack vector involves a zip file containing a malicious shortcut file masquerading as a PDF. document.

This deceptive shortcut file, coupled with an obfuscated PowerShell script, triggers a chain of events leading to the deployment of the Azorult payload.

Azorult’s infection chain

Azorult malware infection chain
Source: Cyblé

The Azorult campaign follows a meticulous, multi-step infection chain, precisely orchestrated to avoid detection. The malicious shortcut file, when executed, deletes and executes a batch file through Task Scheduler.

The following steps include downloading an additional loader from a remote server, injecting shellcode into memory and ultimately executing the Azorult malware. Notably, all steps take place in the system memory, leaving no trace on the disk and escape detection.

Analyzing PowerShell scripts

Azorult malware
Source: Cyblé

The complexity of the campaign becomes apparent as we analyze the PowerShell scripts involved. THE malicious scripts download helper loaders, dynamically identify specific fields in assemblies, and run a loader responsible for retrieving configuration data from a command and control server. The complexity of the campaign lies in its ability to dynamically adapt, making analysis and detection difficult.

Charger Features

Azorult Malware Loader Details
Source: Cyblé

The loader executable, known as “helper.exe”, goes through several checks to ensure it works in a legitimate environment. Language code checks and virtual environment checks contribute to loader evasion capabilities.

Azorult charger
Source: Cyblé

The loader extracts a unique machine ID, communicates with the C&C servers and continues malicious activities depending on the configuration received.

Azorult payload analysis

Azorult payload analysis
Source: Cyblé

The ultimate payload, a 32-bit Azorult .Net executable, exhibits a range of malicious activity. These include generation cryptographic keysperforming system checks and targeting crypto wallets, browsers, and various applications.

Azorult payload analysis
Source: Cyblé

Azorult goes beyond data theft by capturing system screenshots, creating a complete profile of the compromised system.


The resurgence of Azorult malware in this complex campaign highlights the ongoing threat it poses to cyber security. With its ability to adapt, employ obfuscation techniques, and run entirely in system memory, Azorult remains a formidable opponent.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber ​​Express assumes no responsibility for the accuracy or consequences of the use of this information.

Leave a comment