Auraboros C2: A Previously Undocumented Brazilian RAT Framework With Zero Authentication, Live Audio Streaming, and a Cookie Impersonation Engine
No login. No token. No API key. The entire C2 dashboard, victim list, keylogger feed, and browser credential dump are served over HTTP to anyone who asks.
@Fact_Finder03 tagged us and several other researchers on a live C2 panel at 174.138.43[.]25:5000. @4_n_0_n_1_3_3_7 noted port 9000 was also open. We investigated.
What we found is Auraboros C2 — a previously undocumented command-and-control framework with zero authentication on its management panel. The entire dashboard, victim list, and command API are served over HTTP with no login required. We downloaded the full 84KB JavaScript source, connected to the Socket.io real-time transport, and enumerated the complete command vocabulary: screenshot, webcam, live audio streaming, keylogger, browser credential theft, file browser, Wi-Fi password extraction, ARP/port scanning, reverse SOCKS5 proxy, cookie impersonation, and OTA agent updates.
The panel is Brazilian. The UI is in Portuguese. The copyright reads "© 2026 Auraboros Advanced Defense Systems." One beacon is registered — a Lenovo laptop in Goiania, Brazil, running a process called DiskIntegrityScanner.exe, last seen five days ago. It appears to be the operator's own test machine.
Table of Contents
- The Panel: No Login Required
- The Victim
- The Command Set: Full Operational Capability
- The API Surface
- Real-Time C2 via Socket.io
- Cookie Impersonation Engine
- Infrastructure
- The Implant: DLL Sideloading + Self-Destruct
- OPSEC Failures
- Fingerprinting the Developer
- What This Report Adds
- IOC Table
- MITRE ATT&CK Mapping
- Detection Signatures
- Recommendations
The Panel
Port 5000 serves a 134KB HTML page — a single-page application built with Bootstrap 5.3, Socket.io, and JetBrains Mono. The title is "Painel C2 - Dashboard." There is no authentication. No login form. No token requirement. The Express.js backend serves the panel with Access-Control-Allow-Origin: * — CORS wide open.
| Attribute | Value |
|---|---|
| URL | http://174.138.43[.]25:5000/ |
| Framework | Express.js + Socket.io |
| Frontend | Bootstrap 5.3, JetBrains Mono font |
| Size | 133,975 bytes |
| Last Modified | 2026-04-15 15:45:00 UTC |
| Authentication | None |
| CORS | Access-Control-Allow-Origin: * |
| Language | Brazilian Portuguese (lang="pt-BR") |
The design is polished — dark theme with crimson red accents, glassmorphism cards with backdrop blur, animated scrollbars, responsive mobile layout with dropdown menus. The developer spent time on aesthetics. They did not spend time on security.
The panel header displays "Auraboros C2 Station" with a custom logo. The footer reads "© 2026 Auraboros Advanced Defense Systems." The branding is consistent and deliberate — this is not a fork of an existing framework with the name swapped. The CSS, JavaScript, and UI architecture are custom-built.
The Victim
The /api/beacons endpoint returns a JSON array of all registered beacons. At the time of our investigation, one beacon was registered:
{
"id": "DESKTOP-FVPFLD2",
"user": "LabCasa",
"is_admin": 0,
"pid": 14496,
"process_name": "DiskIntegrityScanner.exe",
"external_ip": "2804:3d90:ffc9:c970:c4e3:31c1:b958:d480",
"location": "Goiânia, BR",
"time": "2026-04-15 12:11:23",
"processor_info": "12th Gen Intel(R) Core(TM) i5-1235U",
"memory_info": "24300mb - Disponivel: 11644mb",
"disk_info": "464gb - Disponivel: 21gb",
"motherboard_info": "LENOVO - LNVNB161216",
"wifi_passwords": null,
"last_seen": "2026-04-15 19:04:06",
"socks_enabled": 0,
"seconds_ago": 434031,
"socks_active": false
}
| Field | Value | Assessment |
|---|---|---|
| Hostname | DESKTOP-FVPFLD2 | Default Windows hostname |
| Username | LabCasa | Portuguese for "HomeLab" |
| Process | DiskIntegrityScanner.exe | Masquerading as system utility |
| Location | Goiania, Brazil | Brazilian IPv6 (2804:3d90::/32 — Claro/NET) |
| Hardware | Lenovo LNVNB161216, i5-1235U, 24GB RAM | Consumer laptop |
| First Seen | 2026-04-15 12:11:23 | |
| Last Seen | 2026-04-15 19:04:06 | Offline for 5 days |
| Admin | No | Non-elevated process |
This is almost certainly the developer's own test machine. The username "LabCasa" (home lab), the default Windows hostname, and the Goiania location all point to a developer testing their creation on a personal laptop. The beacon has been offline for five days — the developer may have stopped testing or moved to a different implant build.
The beacon process DiskIntegrityScanner.exe is the implant binary masquerading as a disk utility. The data model includes hardware fingerprinting (CPU, RAM, disk, motherboard), geolocation, admin privilege status, and SOCKS proxy state.
The Command Set
The 84KB inline JavaScript reveals the complete command vocabulary. Every command is sent via POST /api/command with a JSON body: { target_id: "<beacon_id>", command: "<cmd>" }.
Surveillance
| Command | Function | Description |
|---|---|---|
| screenshot | quickCommand | Capture victim's screen |
| webcam_snap | quickCommand | Take photo via webcam |
| audio_start | quickCommand | Start live audio streaming via Socket.io |
| audio_stop | quickCommand | Stop audio stream |
| get_clipboard | quickCommand | Steal clipboard contents |
| Keylogger | openKeyloggerModal | Live keylogger with 3-second polling via /api/keylog/{id} |
The audio streaming feature is particularly notable. It uses Socket.io events (audio_chunk_{targetId}) to stream raw audio data from the victim's microphone in real time. The panel renders a live audio visualizer using Canvas when streaming is active.
Data Theft
| Command | Function | Description |
|---|---|---|
| Browser extraction | openBrowserModal | Steal passwords, cookies, history from Chrome/Brave |
| forceBrowserExtraction | Per-target | Force immediate browser data pull |
| forceBrowserExtractionGlobal | Global | Extract from ALL beacons at once |
| get_wifi | quickCommand | Extract saved Wi-Fi passwords |
| Cookie impersonation | impersonateDomain | Session hijacking via stolen cookies |
Browser data extraction supports per-browser filtering (Chrome vs Brave) and includes polling for results. The forceBrowserExtractionGlobal function triggers extraction across every connected beacon simultaneously.
Remote Access
| Command | Function | Description |
|---|---|---|
| File browser | openFileBrowser | Browse victim filesystem (starts at C:\) |
| downloadFile | File browser | Download files from victim |
| handleFileUpload | File browser | Upload files to victim |
| deleteFile | File browser | Delete files on victim |
| Custom commands | openCommandModal | Execute arbitrary shell commands |
| Process browser | get_processes | List running processes |
| Process kill | kill {pid} | Kill process by PID |
Network Operations
| Command | Function | Description |
|---|---|---|
| SOCKS5 proxy | startSocks | Start reverse SOCKS5 on port 1080 |
| socks_stop | quickCommand | Stop SOCKS proxy |
| ARP discovery | get_arp | Discover hosts on victim's local network |
| Port scan | sendPortScan | Scan ports on discovered hosts |
| Batch scan | startBatchScan | Sequential port scan across multiple IPs |
| Network info | ipconfig | Get victim's network configuration |
The SOCKS5 proxy enables the operator to route traffic through the victim's machine — useful for lateral movement or for browsing the internet from the victim's IP. Port 1080 on the C2 server is confirmed open by nmap.
Maintenance
| Command | Function | Description |
|---|---|---|
| whoami | quickCommand | Get victim user context |
| OTA update | triggerUpdateAgent | Push new implant binary to beacon |
| exit | quickCommand | Terminate beacon process |
The OTA update feature allows the operator to upload a new implant binary through the panel. The file is base64-encoded and sent as a self_update command via XHR. This means the operator can update their malware on victim machines without reinfection.
The API
Six API endpoints are confirmed from the JavaScript source:
| Endpoint | Method | Auth | Purpose |
|---|---|---|---|
| /api/beacons | GET | None | List all beacons with full metadata |
| /api/command | POST | None | Send command to beacon |
| /api/results/{id} | GET | None | Retrieve command output |
| /api/logs/{id} | GET | None | Retrieve event logs |
| /api/keylog/{id} | GET | None | Retrieve live keylogger data |
| /api/browser-data/{id} | GET | None | Retrieve stolen browser credentials |
Every endpoint is unauthenticated. There are no tokens, no sessions, no API keys. Anyone who can reach port 5000 can list victims, send commands, read keylogger output, and download stolen browser credentials.
Real-Time C2 via Socket.io
The panel uses Socket.io for real-time communication. We confirmed the transport is active:
GET /socket.io/?EIO=4&transport=polling → 200 OK
Response: {"sid":"EUIFtOwwiUywLhLcAAAA","upgrades":["websocket"],
"pingInterval":25000,"pingTimeout":20000,"maxPayload":1000000}
The server assigned us session ID EUIFtOwwiUywLhLcAAAA and offered a WebSocket upgrade. Socket.io events include:
- command_result — real-time command output pushed to all connected clients
- audio_chunk_{targetId} — live audio stream data from victim microphones
This means any connected client receives all command results for all beacons in real time. There is no session isolation.
Cookie Impersonation Engine
The JavaScript contains a section headed AURABOROS C2 - OPERAÇÃO DE PERSONIFICAÇÃO MULTI-COOKIE (Multi-Cookie Impersonation Operation). This feature allows the operator to:
- Extract browser cookies from a victim via the browser data API
- Copy domain-specific cookies as JSON (copyDomainCookiesJSON)
- Generate an impersonation script (generateImpersonateScript)
- Route traffic through the victim's SOCKS5 proxy for IP-matched session hijacking
The impersonation requires the SOCKS proxy to be active — the panel warns "⚠️ AÇÃO BLOQUEADA! O túnel SOCKS5 desta máquina está DESATIVADO" (Action blocked! The SOCKS5 tunnel on this machine is disabled) if the operator tries to impersonate without it.
This is a complete session hijacking toolkit: steal the cookies, clone the session, route through the victim's IP so the target website sees the same source IP as the legitimate session.
Infrastructure
| Attribute | Value |
|---|---|
| IP | 174.138.43[.]25 |
| Hosting | DigitalOcean, LLC (AS14061) |
| CIDR | 174.138.0.0/17 |
| Country | US |
| OS | Ubuntu (OpenSSH 9.6p1) |
Open Ports
| Port | Service | Purpose |
|---|---|---|
| 22 | SSH (OpenSSH 9.6p1) | Admin access |
| 1080 | SOCKS5 | Reverse proxy through victims |
| 5000 | Express.js | C2 panel (unauthenticated) |
| 9000 | Unknown | Listener/stager (empty reply on HTTP) |
Port 9000 accepts TCP connections but returns empty replies to HTTP requests. This is likely the beacon callback port — where DiskIntegrityScanner.exe phones home. The server only responds to properly formatted check-in requests from the implant.
The Implant: DLL Sideloading + Self-Destruct
The event logs from /api/logs/DESKTOP-FVPFLD2 reveal critical details about the implant architecture that the panel source alone doesn't expose.
DLL-Based Implant
The logs show repeated DLL_PROCESS_ATTACH entries — the Windows callback fired when a DLL is loaded into a process:
[2026-04-15 14:17:49] DLL_PROCESS_ATTACH
[2026-04-15 14:17:59] Starting CollectData
[2026-04-15 14:17:59] Computer Name: DESKTOP-FVPFLD2
[2026-04-15 14:17:59] User Name: LabCasa
[2026-04-15 14:18:00] Executando como USUARIO COMUM
[2026-04-15 14:18:00] Finished CollectData
The implant is not a standalone executable. DiskIntegrityScanner.exe is likely a clean, signed binary used as a DLL sideloading host — it loads the malicious DLL, which runs CollectData on attach to fingerprint the machine (hostname, username, privilege level) and register with the C2. This is a well-known defense evasion technique: the process list shows a legitimate-looking executable, while the malicious code runs inside a sideloaded DLL.
The agent ran as USUARIO COMUM (standard user) — it did not have admin privileges. Multiple DLL_PROCESS_ATTACH entries across the afternoon suggest the developer was restarting and recompiling the implant during testing.
DPAPI Browser Credential Theft
The Brave browser extraction logs show the stealer's credential theft methodology:
[2026-04-15 12:45:36] Extracao Brave iniciada...
[2026-04-15 12:45:36] Caminho Brave resolvido: C:\Users\LabCasa\AppData\Local\BraveSoftware\Brave-Browser\User Data
[2026-04-15 12:45:38] MK encodada encontrada. Dec via DPAPI...
[2026-04-15 12:45:38] MK recuperada para Brave!
[2026-04-15 12:45:38] Perfis encontrados: 1
[2026-04-15 12:45:38] Analisando perfil: Default
[2026-04-15 12:45:38] Login Data copiado com sucesso.
[2026-04-15 12:45:38] Senhas encontradas: 0
[2026-04-15 12:45:38] Aviso: Banco de Cookies nao encontrado para Default
The flow: resolve browser profile path → find the encrypted master key → decrypt it via Windows DPAPI (CryptUnprotectData) → copy the Login Data SQLite database → query for saved passwords. The test machine had zero saved passwords and no cookies database, confirming this was a clean lab environment.
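The two log excerpts above (the DLL_PROCESS_ATTACH cycles and the Brave extraction run) share one "[timestamp] message" format. As an added example, not part of the report, the Python below groups such a log into one run per DLL_PROCESS_ATTACH and records, per run, the host, user, privilege string, CollectData duration and whether the DPAPI master key decrypt and password query succeeded; the sample log is constructed from the quoted lines plus a second attach cycle.

```python
"""Group an Auraboros-style agent log into runs, one per DLL_PROCESS_ATTACH.
Added example, not the report's code. SAMPLE_LOG is constructed from the
lines the report quotes, plus a second attach cycle to show the grouping."""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*)$")
SAMPLE_LOG = """\
[2026-04-15 12:11:10] DLL_PROCESS_ATTACH
[2026-04-15 12:11:20] Starting CollectData
[2026-04-15 12:11:20] Computer Name: DESKTOP-FVPFLD2
[2026-04-15 12:11:20] User Name: LabCasa
[2026-04-15 12:11:21] Executando como USUARIO COMUM
[2026-04-15 12:11:21] Finished CollectData
[2026-04-15 12:45:36] Extracao Brave iniciada...
[2026-04-15 12:45:38] MK encodada encontrada. Dec via DPAPI...
[2026-04-15 12:45:38] MK recuperada para Brave!
[2026-04-15 12:45:38] Senhas encontradas: 0
[2026-04-15 12:45:38] Aviso: Banco de Cookies nao encontrado para Default
[2026-04-15 14:17:49] DLL_PROCESS_ATTACH
[2026-04-15 14:17:59] Starting CollectData
[2026-04-15 14:18:00] Executando como USUARIO COMUM
[2026-04-15 14:18:00] Finished CollectData
"""

@dataclass
class Run:
    attached: datetime                      # timestamp of the DLL_PROCESS_ATTACH
    host: str = ""
    user: str = ""
    privilege: str = ""                     # text after "Executando como"
    collect_seconds: "float | None" = None  # CollectData start -> finish
    master_key_recovered: bool = False      # "MK recuperada": DPAPI decrypt worked
    passwords_found: "int | None" = None    # "Senhas encontradas: N"

def parse(log_text):
    runs, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if msg == "DLL_PROCESS_ATTACH":       # a fresh load of the sideloaded DLL
            runs.append(Run(attached=ts))
            start = None
            continue
        if not runs:                          # ignore events before the first attach
            continue
        run = runs[-1]
        if msg == "Starting CollectData":
            start = ts
        elif msg == "Finished CollectData" and start is not None:
            run.collect_seconds = (ts - start).total_seconds()
        elif msg.startswith("Computer Name: "):
            run.host = msg.split(": ", 1)[1]
        elif msg.startswith("User Name: "):
            run.user = msg.split(": ", 1)[1]
        elif msg.startswith("Executando como "):
            run.privilege = msg[len("Executando como "):]
        elif msg.startswith("MK recuperada"):
            run.master_key_recovered = True
        elif msg.startswith("Senhas encontradas: "):
            run.passwords_found = int(msg.split(": ", 1)[1])
    return runs

def summarise(runs):
    return {
        "attach_cycles": len(runs),
        "ran_elevated": any(r.privilege and r.privilege != "USUARIO COMUM" for r in runs),
        "master_key_recovered": any(r.master_key_recovered for r in runs),
        "passwords_found": sum(r.passwords_found or 0 for r in runs),
    }
```

Feeding the real /api/logs output through parse() gives the restart count the report derives by hand (five attach cycles) and shows at a glance whether any run reached the saved-password stage.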
Self-Destruct
The command results include self-destruct confirmations:
{
"command": "steal_brave",
"output": "[+] Comando de autodestruicao processado. O agente enviara esta confirmacao e evaporara em seguida."
}
Translation: "Self-destruct command processed. The agent will send this confirmation and evaporate afterwards."
The self-destruct was triggered during testing — the developer sent multiple steal_brave commands, some of which apparently triggered the destruct mechanism (possibly a crash-triggered wipe or a test of the exit-and-clean routine). The word "evaporar" (evaporate) suggests the implant deletes itself from disk after confirmation.
Full Command History (25 commands)
The /api/results/ endpoint returned 25 executed commands — all from the developer's test session on April 15:
| Time | Command | Result |
|---|---|---|
| 12:11 | screenshot | Screen captured |
| 12:12 | webcam_snap | Webcam captured via Media Foundation |
| 12:12 | ls C:\ | Directory listing completed |
| 12:45 | screenshot | Screen captured |
| 12:45 | webcam_snap | Webcam captured |
| 12:45-17:01 | steal_brave x18 | Repeated Brave extraction tests |
| Final | exit | Beacon terminated |
The developer spent the entire afternoon on April 15 testing the Brave browser extraction, restarting the agent repeatedly (5 DLL_PROCESS_ATTACH cycles), and fixing issues. The sheer repetition of steal_brave — 18 times in one session — suggests they were debugging the DPAPI decryption or profile enumeration logic.
OPSEC Failures
This C2 exposes its operator through a cascade of security mistakes:
1. Zero Authentication (Critical)
The entire panel — dashboard, beacon list, command API, keylogger feed, browser credential dump — is served over HTTP with no login, no token, no API key. The Express.js server doesn't even have middleware for authentication. Any scanner hitting port 5000 gets the full panel.
2. CORS Wide Open
Access-Control-Allow-Origin: *
Any website in any browser can make API calls to this C2. An attacker could build a webpage that silently queries /api/beacons and exfiltrates the victim list.
3. Test Machine Exposes Developer
The single registered beacon is the developer's own machine:
| Artifact | Value | What It Reveals |
|---|---|---|
| Username | LabCasa | Portuguese speaker, home lab setup |
| Location | Goiania, BR | Developer's physical city |
| IPv6 | 2804:3d90:ffc9:c970:c4e3:31c1:b958:d480 | Claro/NET Brazil, specific /64 prefix |
| Hardware | Lenovo LNVNB161216, i5-1235U | Specific laptop model identifiable |
| Hostname | DESKTOP-FVPFLD2 | Default Windows install (not reimaged) |
The IPv6 address narrows to a specific Claro/NET subscriber in the Goiania metropolitan area. The Lenovo model number (LNVNB161216) corresponds to a specific IdeaPad or ThinkBook SKU. Combined with the Goiania location, this significantly narrows the pool of possible developers.
4. Command History Persists
Every command ever executed is permanently accessible via /api/results/{id}. The developer's entire testing session — screenshots, webcam captures, browser extractions — is recorded and exposed. If real victims were enrolled, their stolen data would be equally accessible.
5. Socket.io Accepts All Connections
The Socket.io transport assigns session IDs to any connecting client and broadcasts all command_result events to every connected session. There is no session isolation. A researcher connected to the Socket.io transport would receive real-time results from commands executed against active victims.
6. Victim Data Includes Full Hardware Fingerprint
The beacon registration includes CPU model, total and available RAM, disk size, and motherboard manufacturer/model. This level of fingerprinting is unusual for a C2 — most collect OS version and hostname. The detailed hardware data serves no operational purpose but creates a detailed forensic record that could identify victims.
7. No TLS
Port 5000 serves plain HTTP. All command traffic, victim data, stolen credentials, keylogger output, and browser data transits the network in cleartext. Anyone on the path between the operator and the server can intercept everything.
Fingerprinting the Developer
From the exposed infrastructure and test data, we can construct a profile:
| Category | Finding |
|---|---|
| Language | Brazilian Portuguese (UI, logs, variable names all PT-BR) |
| City | Goiania, Goias, Brazil |
| ISP | Claro/NET (IPv6 prefix 2804:3d90:ffc9:c970::/64) |
| Hardware | Lenovo LNVNB161216, 12th Gen Intel i5-1235U, 24GB RAM, 464GB disk |
| Browser | Brave (primary — targeted for extraction testing) |
| OS | Windows (default hostname not changed) |
| Skill level | Intermediate — strong frontend (polished UI, Socket.io real-time), competent backend (Express.js API, DPAPI decryption), weak security (no auth, no TLS) |
| Development pattern | Active April 15, 2026 (full afternoon test session), panel last modified same day |
| Branding | "Auraboros Advanced Defense Systems" — aspires to professional/military positioning |
| C2 hosting | DigitalOcean (standard VPS, not bulletproof — suggests early stage) |
| Agent architecture | DLL sideloading into DiskIntegrityScanner.exe, DPAPI for browser creds, self-destruct capability |
The developer is technically capable but operationally immature. The implant features — DLL sideloading, DPAPI decryption, self-destruct, Media Foundation webcam capture, live audio streaming — require real Windows internals knowledge. The panel features — Socket.io real-time, cookie impersonation with SOCKS chaining, OTA updates — show architectural thinking.
But the complete absence of authentication, the exposed test machine, the persistent command history, and the use of standard DigitalOcean hosting (not bulletproof) all suggest someone who hasn't yet operated this tool against real targets. The single test beacon confirms this: Auraboros appears to be in active development, not active deployment.
That may change. The feature set is deployment-ready. The only thing missing is basic operational security — and that can be added in an afternoon.
What This Report Adds
- Auraboros C2 is previously undocumented. No public threat intelligence, security research, or vendor advisory references this framework by name. This is the first public analysis.
- The complete source is captured. The 84KB inline JavaScript contains every API call, every command, every UI element. The full command vocabulary — from screenshot to live audio streaming to cookie impersonation — is documented from source code, not behavioral analysis.
- Unauthenticated victim data is exposed. The /api/beacons endpoint returns full victim metadata including hardware specs, geolocation, and process information with zero authentication.
- The Socket.io transport is active and accepting connections. We received a valid session ID without any credentials.
- The cookie impersonation engine demonstrates a sophisticated session hijacking workflow that chains browser data theft, SOCKS proxying, and automated script generation.
Credit to @Fact_Finder03 for the initial tip and @4_n_0_n_1_3_3_7 for flagging port 9000.
IOC Table
Network
| Type | Indicator | Context |
|---|---|---|
| IPv4 | 174.138.43[.]25 | Auraboros C2 server |
| Port | :5000 | C2 panel (Express.js, unauthenticated) |
| Port | :9000 | Beacon listener/stager |
| Port | :1080 | Reverse SOCKS5 proxy |
| ASN | AS14061 (DigitalOcean) | Hosting |
Host Indicators
| Type | Value |
|---|---|
| Process | DiskIntegrityScanner.exe |
| Beacon ID format | Windows hostname (e.g., DESKTOP-FVPFLD2) |
| C2 callback | 174.138.43[.]25:9000 (assessed) |
Panel Artifacts
| Artifact | Value |
|---|---|
| Page title | Painel C2 - Dashboard |
| Branding | Auraboros C2 Station |
| Copyright | © 2026 Auraboros Advanced Defense Systems |
| Logo | logo-semfundo.png |
| Socket.io path | /socket.io/?EIO=4&transport=polling |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Command and Control | Application Layer Protocol: Web | T1071.001 | Express.js + Socket.io C2 |
| Command and Control | Proxy: SOCKS | T1090.001 | Reverse SOCKS5 on port 1080 |
| Collection | Screen Capture | T1113 | screenshot command |
| Collection | Video Capture | T1125 | webcam_snap command |
| Collection | Audio Capture | T1123 | audio_start live streaming |
| Collection | Clipboard Data | T1115 | get_clipboard command |
| Collection | Input Capture: Keylogging | T1056.001 | Live keylogger with 3s polling |
| Credential Access | Credentials from Password Stores: Web Browsers | T1555.003 | Chrome/Brave extraction |
| Credential Access | Steal Web Session Cookie | T1539 | Cookie impersonation engine |
| Credential Access | OS Credential Dumping | T1003 | Wi-Fi password extraction |
| Discovery | Network Service Discovery | T1046 | ARP scan + port scan |
| Discovery | Process Discovery | T1057 | get_processes |
| Discovery | System Information Discovery | T1082 | CPU, RAM, disk, motherboard fingerprint |
| Lateral Movement | Proxy: SOCKS | T1090.001 | Pivot through victim network |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | All data via HTTP API |
| Defense Evasion | Masquerading | T1036.005 | DiskIntegrityScanner.exe |
| Persistence | Software Update | T1195 | OTA agent self-update |
Detection Signatures
Network
# Auraboros C2 panel (branding string in the HTTP response body, so the rule
# must face to_client and the sticky buffer must precede the content match)
alert http $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"GHOST - Auraboros C2 Panel Access"; flow:to_client,established; http.response_body; content:"Auraboros C2 Station"; sid:2026042020; rev:1;)
# Auraboros beacon callback
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"GHOST - Possible Auraboros Beacon Callback"; flow:to_server,established; sid:2026042021; rev:1;)
# Auraboros SOCKS proxy
alert tcp $HOME_NET any -> $EXTERNAL_NET 1080 (msg:"GHOST - Possible Auraboros SOCKS Proxy"; flow:to_server,established; sid:2026042022; rev:1;)
Host
# Implant masquerading
DiskIntegrityScanner.exe (not a legitimate Windows binary)
# Socket.io C2 polling pattern
GET /socket.io/?EIO=4&transport=polling (to non-standard port)
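The host and network indicators above, as an added Python hunt over constructed log lines (example code, not the report's own tooling). The proxy, firewall and process-creation log formats are hypothetical; only the indicators come from the report.

```python
"""Hunt for the Auraboros indicators in constructed proxy, firewall and endpoint logs.
Added example, not the report's code. The three log formats are hypothetical;
the indicators (C2 address, ports 5000/9000/1080, implant name, Socket.io
polling to a non-standard port) are the ones the report lists."""
import re
from urllib.parse import parse_qs, urlsplit

C2_IP = "174.138.43.25"  # defanged as 174.138.43[.]25 in the report
C2_PORTS = {5000: "C2 panel", 9000: "beacon listener", 1080: "SOCKS5"}
WEB_PORTS = {80, 443, 8080, 8443}  # ports where a Socket.io handshake is expected
IMPLANT = "diskintegrityscanner.exe"

# Constructed sample lines, one hypothetical format per source:
#   proxy:    <ts> <src_ip> <method> <url> <status>
#   firewall: <ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>
#   endpoint: <ts> <host> PROCESS_CREATE <image> pid=<pid>
SAMPLE_LOGS = """\
2026-04-20T10:01:02Z 10.0.0.12 GET http://198.51.100.7:5000/socket.io/?EIO=4&transport=polling 200
2026-04-20T10:01:03Z 10.0.0.12 GET https://chat.example.net/socket.io/?EIO=4&transport=polling 200
2026-04-20T10:02:10Z 10.0.0.12:51234 -> 174.138.43.25:9000 tcp
2026-04-20T10:02:11Z 10.0.0.12:51235 -> 174.138.43.25:1080 tcp
2026-04-20T10:02:12Z 10.0.0.13:51236 -> 203.0.113.9:443 tcp
2026-04-20T10:03:00Z WS-0042 PROCESS_CREATE C:\\Users\\alice\\AppData\\Local\\Temp\\DiskIntegrityScanner.exe pid=14496
2026-04-20T10:03:01Z WS-0042 PROCESS_CREATE C:\\Windows\\System32\\svchost.exe pid=912
"""
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
PROC_RE = re.compile(r"^(\S+) (\S+) PROCESS_CREATE (.+) pid=(\d+)$")

def check_proxy(m):
    """Socket.io polling handshake (EIO=4&transport=polling) to a non-web port."""
    _ts, src, _method, url, _status = m.groups()
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    polling = parse_qs(u.query).get("transport") == ["polling"]
    if u.path.startswith("/socket.io/") and polling and port not in WEB_PORTS:
        return f"{src}: Socket.io polling to non-standard port {port} on {u.hostname}"
    return None

def check_firewall(m):
    """Any connection to the C2 address, or to the beacon/SOCKS ports elsewhere."""
    _ts, src, _sport, dst, dport, _proto = m.groups()
    dport = int(dport)
    if dst == C2_IP:
        return f"{src} -> {dst}:{dport}: Auraboros C2 ({C2_PORTS.get(dport, 'unlisted port')})"
    if dport in (9000, 1080):
        return f"{src} -> {dst}:{dport}: beacon/SOCKS port, check destination ASN"
    return None

def check_process(m):
    """Implant image name, wherever it runs from (case-insensitive)."""
    _ts, host, image, pid = m.groups()
    if image.rsplit("\\", 1)[-1].lower() == IMPLANT:
        return f"{host}: {image} started (pid {pid}); not a legitimate Windows binary"
    return None

def hunt(log_text):
    """Return one finding per matching line, in input order."""
    findings = []
    for line in log_text.splitlines():
        for regex, check in ((PROXY_RE, check_proxy), (FW_RE, check_firewall), (PROC_RE, check_process)):
            m = regex.match(line)
            if not m:
                continue
            hit = check(m)
            if hit:
                findings.append(hit)
            break
    return findings
```

The second proxy line (Socket.io on 443) and the 203.0.113.9:443 connection are the negative cases: ordinary Socket.io chat traffic and ordinary HTTPS produce no finding.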
YARA
rule Auraboros_C2_Panel {
    meta:
        description = "Auraboros C2 panel HTML"
        author = "Breakglass Intelligence"
        date = "2026-04-20"
    strings:
        $brand1 = "Auraboros C2 Station" ascii
        $brand2 = "Auraboros Advanced Defense Systems" ascii
        $api1 = "/api/beacons" ascii
        $api2 = "/api/command" ascii
        $api3 = "/api/keylog/" ascii
        $api4 = "/api/browser-data/" ascii
        $cmd1 = "DiskIntegrityScanner" ascii
        $cmd2 = "quickCommand" ascii
    condition:
        any of ($brand*) or (2 of ($api*)) or ($cmd1 and $cmd2)
}
Recommendations
| Action | Priority |
|---|---|
| Block 174.138.43[.]25 at perimeter | Immediate |
| Hunt for DiskIntegrityScanner.exe on endpoints | Immediate |
| Monitor for connections to port 9000 on DigitalOcean IPs | High |
| Monitor for reverse SOCKS5 on port 1080 | High |
| Report to DigitalOcean abuse (abuse@digitalocean.com) | High |
| Hunt for Socket.io polling to non-standard ports | Medium |
Investigation by Breakglass Intelligence. Credit to @Fact_Finder03 for the initial tip and @4_n_0_n_1_3_3_7 for flagging port 9000.