Azorult is a highly prevalent, commercially successful Information Stealer (InfoStealer) and downloader Trojan. Sold on Russian-speaking cybercriminal forums since roughly 2016, it is designed to rapidly harvest sensitive data from infected systems, including saved passwords, cryptocurrency wallets, and browsing history. Furthermore, Azorult is frequently utilized as an Initial Access Broker (IAB) tool; after stealing all available credentials, it acts as a downloader to silently deploy secondary, high-impact payloads, notably ransomware like Hermes or GandCrab.
Infection Vector and Technical Capabilities
Azorult is typically distributed via massive, automated spam campaigns (malspam) containing malicious attachments (Office documents with macros or archive files). It is also frequently dropped as a secondary payload by exploit kits (e.g., Fallout Exploit Kit) or other prominent loaders like SmokeLoader.
Its technical operation is focused on rapid, comprehensive data theft:
Extensive Credential Harvesting: Azorult is highly efficient. It targets a vast array of applications, extracting saved passwords and cookies from over 30 different web browsers. It also explicitly targets FTP clients (FileZilla), email clients (Outlook), messaging apps (Skype, Telegram), and numerous desktop cryptocurrency wallets (Bitcoin, Monero).
System Profiling and Exfiltration: Before exfiltration, it compiles a detailed system profile (OS version, IP address, installed software). The stolen data is compressed, encrypted, and rapidly transmitted to a Command and Control (C2) server via HTTP POST requests.
Downloader Capabilities: In many campaigns, after the "smash and grab" data theft is complete, the C2 server instructs Azorult to download and execute a secondary payload. This means an Azorult infection is often the immediate precursor to a catastrophic ransomware deployment.
Threat Assessment
An Azorult detection is a "Code Red" enterprise crisis. The immediate threat is a massive data breach involving the loss of all credentials saved on the machine (leading to Business Email Compromise or VPN access). The secondary, imminent threat is the deployment of enterprise-wide ransomware.
Incident Response and Remediation
Immediate Network Isolation: The endpoint must be severed from the network instantly. This stops the active exfiltration of stolen data and, critically, prevents Azorult from downloading its secondary ransomware payload.
Mandatory Global Credential Reset: Every single password, VPN token, and web session cookie associated with the compromised user must be invalidated and reset immediately. Assume total credential compromise.
Hunt for Secondary Payloads: Incident responders must utilize EDR telemetry to verify whether Azorult successfully executed a secondary payload before it was isolated. The machine must be completely wiped and re-imaged from a known-good baseline.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1555T1059T1105T1005
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.