{
  "family": "azorult",
  "sample_count": 1513,
  "category": "infostealer",
  "description": "AZORult is a commodity information-stealer first observed in 2016 that harvests browser credentials, cookies, autofill data, cryptocurrency wallets, FTP credentials, and Skype/Telegram chat logs. It is frequently distributed alongside ransomware as a one-two punch where AZORult exfiltrates valuable data before the ransomware encrypts the system. AZORult is sold on underground forums and is commonly delivered through phishing and exploit kits.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "puff"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Azorult?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "AZORult is a commodity information-stealer first observed in 2016 that harvests browser credentials, cookies, autofill data, cryptocurrency wallets, FTP credentials, and Skype/Telegram chat logs. It is frequently distributed alongside ransomware as a one-two punch where AZORult exfiltrates valuable data before the ransomware encrypts the system. AZORult is sold on underground forums and is commonly delivered through phishing and exploit kits."
      }
    },
    {
      "@type": "Question",
      "name": "How does Azorult spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "AZORult spreads through phishing emails, exploit kits such as Fallout and RIG, and as a secondary payload dropped by loaders like Emotet and SmokeLoader."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of an Azorult infection?",
      "acceptedAnswer": {
        "@type": "Answer",
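        "text": "Signs include browser credential prompts, cryptocurrency wallet file access alerts, unexpected outbound HTTP POSTs to command-and-control servers, and antivirus detections that name AZORult or Puff. Information stealers usually run without visible symptoms, so the absence of these signs does not rule out an infection."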
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Azorult on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
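        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance. Because AZORult harvests saved credentials and cookies, treat passwords and active sessions stored on the affected system as compromised: disconnect the system from the network, then change those passwords and sign out of active sessions from a separate, known-clean device."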
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1555.003",
    "T1071.001",
    "T1083"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}