Azorult

Category: infostealer · Aliases: InfoStealer.Azorult, Trojan.Azorult, Win32/Azorult · Sample count (EMBER 2018): 1,513 · Enrichment: curated_sourced · Updated: 2026-07-02T09:01:15Z

Overview

Executive Summary

Azorult is a highly prevalent, commercially successful Information Stealer (InfoStealer) and downloader Trojan. Sold on Russian-speaking cybercriminal forums since roughly 2016, it is designed to rapidly harvest sensitive data from infected systems, including saved passwords, cryptocurrency wallets, and browsing history. Furthermore, Azorult is frequently utilized as an Initial Access Broker (IAB) tool; after stealing all available credentials, it acts as a downloader to silently deploy secondary, high-impact payloads, notably ransomware like Hermes or GandCrab.

Infection Vector and Technical Capabilities

Azorult is typically distributed via massive, automated spam campaigns (malspam) containing malicious attachments (Office documents with macros or archive files). It is also frequently dropped as a secondary payload by exploit kits (e.g., Fallout Exploit Kit) or other prominent loaders like SmokeLoader. Its technical operation is focused on rapid, comprehensive data theft:

Threat Assessment

An Azorult detection is a "Code Red" enterprise crisis. The immediate threat is a massive data breach involving the loss of all credentials saved on the machine (leading to Business Email Compromise or VPN access). The secondary, imminent threat is the deployment of enterprise-wide ransomware.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1555 T1059 T1105 T1005

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_AZORULT {
    meta:
        description = "Detects Azorult (infostealer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "azorult" ascii wide nocase
        $s2 = "infostealer.azorult" ascii wide nocase
        $s3 = "trojan.azorult" ascii wide nocase
        $s4 = "win32/azorult" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Azorult Activity
id: 9929832b2a33519a7b9c83834e038eab
status: experimental
description: Detects generic indicators of the azorult malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*azorult*"
            - "*infostealer.azorult*"
            - "*trojan.azorult*"
            - "*win32/azorult*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Azorult?

A commercial information-stealing trojan, observed since at least 2016, that also functions as a downloader.

What does Azorult collect?

Browser-stored credentials and cookies, cryptocurrency wallet data, and system information; it can also download further malware.

Has Azorult been used in targeted attacks?

Yes; MITRE notes a July 2018 spearphishing campaign against North American targets.

Is Azorult linked to cryptocurrency theft?

Yes; it has been used to steal cryptocurrency.

How was Azorult distributed?

Through phishing, exploit kits, and bundling with other malware loaders.

Where is the authoritative reference?

MITRE ATT&CK's Azorult entry (S0344), linked on this page.

Related Families (Category: infostealer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/azorult.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.