Azorult

Category: infostealer · Aliases: puff · Sample count (EMBER 2018): 1,513 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

AZORult is a commodity information-stealer first observed in 2016 that harvests browser credentials, cookies, autofill data, cryptocurrency wallets, FTP credentials, and Skype/Telegram chat logs. It is frequently distributed alongside ransomware as a one-two punch where AZORult exfiltrates valuable data before the ransomware encrypts the system. AZORult is sold on underground forums and is commonly delivered through phishing and exploit kits.

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1555.003, T1071.001, T1083

Frequently Asked Questions

How does Azorult spread?

AZORult spreads through phishing emails, exploit kits such as Fallout and RIG, and as a secondary payload dropped by loaders like Emotet and SmokeLoader.

What are the signs of an Azorult infection?

Signs include browser credential prompts, cryptocurrency wallet file access alerts, unexpected outbound HTTP POSTs to command-and-control servers, and antivirus references to AZORult or Puff.

What should I do if I think I have Azorult on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/azorult.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.