GOLD ATMOSPHERE
Objectives
Tools
SUMMARY
GOLD ATMOSPHERE was a financially motivated cybercriminal threat group that developed and marketed the Aurora Stealer malware. Aurora first emerged in April 2022 and was marketed on underground forums and Telegram channels by multiple personas for prices ranging from 125 to 300 USD per month. Aurora consisted of an administrative panel, distributed to GOLD ATMOSPHERE's customers, that allowed them to generate unique builds of the malware for distribution. The panel also implemented Aurora's command and control (C2) functionality, allowing it to receive stolen data from infected hosts. Threat actors could configure the panel to notify them by Telegram when high-value data, such as cryptocurrency wallets, was received. Aurora steadily gained popularity from late 2022 to mid-2023 but maintained only a small presence on credential marketplaces. CTU researchers observed a sudden drop in the volume of new Aurora samples in late April 2023. In early May 2023, GOLD ATMOSPHERE deleted the Telegram channels used to provide sales and support for Aurora and is reported to have abandoned existing customers. The future of this malware's operation remains unclear.