S0344: Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [1][2]
Analyst context for executives and security teams
Azorult matters because ATT&CK describes it as a Windows commercial Trojan focused on stealing information from compromised hosts, with historical reporting since 2016 and observations involving spearphishing and cryptocurrency theft. For leaders, the practical issue is not just malware removal: this behavior points to credential exposure, browser-stored secret theft, host reconnaissance, and possible follow-on tool transfer that can affect account security and incident scope.
Executive priority
Treat Azorult-aligned activity as an identity and incident-scoping priority. Ask whether the organization can prove collection of endpoint, credential-access, and network evidence on Windows systems; whether browser-stored credentials and insecure credential files are governed; and whether incident response playbooks include rapid password/session review when information-stealing malware is suspected. The TA505 relationship in ATT&CK adds threat-intelligence relevance, but it should not be used as automatic attribution without local evidence.
Technical view
SOC and IR teams should validate Windows telemetry against the ATT&CK relationships for Azorult: registry queries, system/network/user/process/file/time discovery, process hollowing, token-based process creation, file deletion, deobfuscation, screen capture, credential access from files and web browsers, ingress tool transfer, and encrypted command-and-control using symmetric cryptography. Because MITRE provides no dedicated detection text for this software object, coverage should be tested through the related techniques rather than a single malware signature.
Likely telemetry
- Windows endpoint process creation, parent-child process relationships, command-line arguments, and process injection indicators
- Windows Registry access/query telemetry
- File system enumeration, credential-store access, file creation, file deletion, and suspicious access to browser profile data
- User, host, process, network configuration, and system time discovery events
- Network connection metadata, DNS/proxy/firewall logs, and encrypted outbound session characteristics
Detection direction
- Map detections to the related ATT&CK techniques rather than relying only on the Azorult name or hash-based indicators.
- Correlate discovery bursts with credential-store access, browser data access, file deletion, and outbound network activity to reduce single-event false positives.
- Tune for administrative-tool overlap: registry queries, process discovery, and file enumeration can be benign, so prioritize unusual parent processes, user context, timing, destination patterns, and sequence of behaviors.
- Validate blind spots around browser credential stores, endpoint file access visibility, process injection telemetry, and encrypted outbound traffic where payload inspection is unavailable.
- Use the TA505 relationship as enrichment for threat intelligence and hunting context, not as standalone attribution.
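As an added worked example of the correlation and tuning points above (not ATT&CK content and not a rule from Glexia or any vendor), the script below scores per-process event sequences drawn from constructed Sysmon-style records. The event type names, the path markers for browser, Telegram, Steam and Skype stores, the suspicious parent-process list, the ten-minute window, the indicator weights and the alert threshold are all assumptions to be replaced with local telemetry and baselines.

```python
"""Correlate discovery, credential-store access, file deletion and outbound
activity per process, in the spirit of the detection points above.

Added illustration; not MITRE ATT&CK content and not any vendor's rule. The
events, thresholds, path markers and parent-process list are constructed
assumptions to be replaced with local telemetry and baselines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed tuning sets; adjust to the environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # own store reads expected
CREDENTIAL_PATH_MARKERS = ("\\login data", "\\cookies", "\\tdata\\",
                           "\\steam\\config\\", "\\skype\\")
DISCOVERY_EVENTS = {"registry_query", "process_enum", "sysinfo", "user_enum", "netcfg"}
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WINDOW = timedelta(minutes=10)  # indicators must cluster inside one window per process
ALERT_THRESHOLD = 4


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_credential_store(path):
    lowered = path.lower()
    return any(marker in lowered for marker in CREDENTIAL_PATH_MARKERS)


def is_external(endpoint):
    """endpoint is 'ip:port'; only RFC 1918 and loopback count as internal here."""
    addr = ip_address(endpoint.rsplit(":", 1)[0])
    return not any(addr in net for net in INTERNAL_NETS)


def score_process(events):
    """Weighted indicators for one process; returns (score, indicator names)."""
    events = sorted(events, key=lambda e: e["ts"])
    start = events[0]["ts"]
    inside = [e for e in events if e["ts"] - start <= WINDOW]
    image = basename(events[0]["image"])
    indicators = []
    discovery = {e["event"] for e in inside if e["event"] in DISCOVERY_EVENTS}
    if len(discovery) >= 3:  # burst of distinct discovery types
        indicators.append(("discovery_burst", 1))
    if image not in BROWSER_IMAGES and any(
            e["event"] == "file_read" and is_credential_store(e["target"]) for e in inside):
        indicators.append(("credential_store_access", 2))
    if any(e["event"] == "file_delete" for e in inside):
        indicators.append(("file_deletion", 1))
    if any(e["event"] == "net_connect" and is_external(e["target"]) for e in inside):
        indicators.append(("external_connection", 1))
    if basename(events[0]["parent"]) in SUSPICIOUS_PARENTS:
        indicators.append(("suspicious_parent", 1))
    return sum(w for _, w in indicators), [name for name, _ in indicators]


def correlate(events):
    """Group by pid; alert only when the score crosses the threshold AND a
    credential store was touched, so discovery-only admin tooling stays quiet."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        score, names = score_process(evs)
        if score >= ALERT_THRESHOLD and "credential_store_access" in names:
            alerts[pid] = {"image": evs[0]["image"], "score": score, "indicators": names}
    return alerts


def ev(ts, pid, image, parent, event, target=""):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "image": image,
            "parent": parent, "event": event, "target": target}


# Constructed sample telemetry (not real logs).
STEALER = "C:\\Users\\alice\\AppData\\Local\\Temp\\inv_0502.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
AGENT = "C:\\Program Files\\Inventory\\agent.exe"
SVCS = "C:\\Windows\\System32\\services.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
LOGIN_DATA = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
SAMPLE_EVENTS = [
    # Infostealer-like chain: Office child enumerates the host, reads browser
    # and Telegram stores, beacons to an external address, deletes itself.
    ev("2024-05-02T09:14:03", 4120, STEALER, WORD, "process_create"),
    ev("2024-05-02T09:14:04", 4120, STEALER, WORD, "registry_query",
       "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ev("2024-05-02T09:14:04", 4120, STEALER, WORD, "process_enum"),
    ev("2024-05-02T09:14:05", 4120, STEALER, WORD, "sysinfo"),
    ev("2024-05-02T09:14:06", 4120, STEALER, WORD, "file_read", LOGIN_DATA),
    ev("2024-05-02T09:14:06", 4120, STEALER, WORD, "file_read",
       "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"),
    ev("2024-05-02T09:14:09", 4120, STEALER, WORD, "net_connect", "203.0.113.10:80"),
    ev("2024-05-02T09:14:12", 4120, STEALER, WORD, "file_delete", STEALER),
    # Benign inventory agent: discovery only, internal destination.
    ev("2024-05-02T09:20:00", 2200, AGENT, SVCS, "registry_query",
       "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"),
    ev("2024-05-02T09:20:00", 2200, AGENT, SVCS, "process_enum"),
    ev("2024-05-02T09:20:01", 2200, AGENT, SVCS, "sysinfo"),
    ev("2024-05-02T09:20:02", 2200, AGENT, SVCS, "net_connect", "10.0.0.5:443"),
    # Browser reading its own store: expected, must not count as theft.
    ev("2024-05-02T09:21:00", 3100, CHROME, "C:\\Windows\\explorer.exe", "file_read", LOGIN_DATA),
    ev("2024-05-02T09:21:01", 3100, CHROME, "C:\\Windows\\explorer.exe", "net_connect", "198.51.100.7:443"),
]

if __name__ == "__main__":
    for pid, alert in correlate(SAMPLE_EVENTS).items():
        print(pid, alert["image"], alert["score"], alert["indicators"])
```

Run as-is it reports only the Office-spawned process. The inventory agent (discovery burst, internal destination, no credential-store read) and the browser reading its own Login Data file each score 1 and stay silent, which is the administrative-overlap tuning point in the list above; a real deployment would swap the constructed event types for Sysmon or EDR event IDs and baseline the parent list per environment.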
Mitigation priorities
- Prioritize reducing credential exposure: discourage or control browser-stored passwords and locate insecure credentials in local files or shares.
- Harden Windows endpoints with controls that restrict suspicious process injection, token abuse, unauthorized tool transfer, and execution from user-writable locations where feasible.
- Ensure endpoint detection, proxy/DNS logging, and incident response evidence retention are sufficient to reconstruct discovery, credential access, and outbound communication.
- Prepare IR actions for suspected infostealer activity, including affected-account review, credential reset decisions, and validation of any additional tools transferred to the host.
- Use security awareness and email controls as relevant to the officially reported spearphishing observation, while avoiding assumptions that every Azorult case begins that way.
Analyst notes and limits
This take is based on ATT&CK S0344 Azorult, its official description, cited Proofpoint and Unit42 references, and supplied relationships. The most decision-useful relationships are credential access from files and browsers, Windows discovery behaviors, stealth/evasion behaviors, ingress tool transfer, and encrypted command-and-control. Local telemetry is required to determine whether any observed event is Azorult, another infostealer, or legitimate administration.
MITRE does not provide a specific detection section, aliases, labels, or malware-level tactics for this object. The object platform is Windows, while several related techniques are broader across operating systems; defensive validation here should therefore focus on Windows unless local evidence supports broader scope. No claim of current active exploitation, customer exposure, or confirmed attribution is made.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1134.002 | Create Process with Token | Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges. [1] |
| Enterprise | T1070.004 | File Deletion | Azorult can delete files from victim machines. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | Azorult can encrypt C2 traffic using XOR. [1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Azorult can collect the username from the victim's machine. [1] |
| Enterprise | T1055.012 | Process Hollowing | Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject the decrypted payload into the new process and resume its execution. [1] |
| Enterprise | T1012 | Query Registry | Azorult can check for installed software on the system under the Registry key |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address. [1][2] |
| Enterprise | T1552.001 | Credentials In Files | Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | Azorult can steal credentials from the victim's browser. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1124 | System Time Discovery | Azorult can collect the time zone information from the system. [1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Azorult can collect host IP information from the victim's machine. [1] |
| Enterprise | T1083 | File and Directory Discovery | Azorult can recursively search for files in folders and collect files from the desktop with certain extensions. [1] |
| Enterprise | T1082 | System Information Discovery | Azorult can collect machine information: system architecture, OS version, computer name, Windows product name, number of CPU cores, video card information, and system language. [1][2] |
| Enterprise | T1113 | Screen Capture | Azorult can capture screenshots of the victim's machines. [1] |
| Enterprise | T1057 | Process Discovery | Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot. [1][2] |
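The T1140 and T1573.001 rows describe an XOR key applied to content and Base64 around the C2 address. The following is an added analyst-side example, not Azorult's actual encoding layout, key or C2, and not code from MITRE or the cited vendors: it assumes a Base64 string masked with a repeating XOR key, shows the decode once the key is known, and recovers an unknown single-byte key by brute force using two constraints a practitioner can lean on, that the unmasked bytes must form strict Base64 and that the decoded bytes must be printable ASCII. The sample key and address are constructed.

```python
"""Peel an XOR-over-Base64 layering of the kind the T1140 / T1573.001 rows
describe. Added illustration only: the layout, the key 0x5A and the C2
string are constructed and are not Azorult's real format or infrastructure.
"""
import base64
import binascii
import string

B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mask_c2(c2: str, key: bytes) -> bytes:
    """Forward direction, used only to build the constructed sample blob."""
    return xor_bytes(base64.b64encode(c2.encode()), key)


def unmask_c2(blob: bytes, key: bytes) -> str:
    """Analyst direction once the key is known: XOR first, then Base64-decode."""
    return base64.b64decode(xor_bytes(blob, key), validate=True).decode()


def recover_single_byte_key(blob: bytes):
    """Try every byte value; keep keys whose output is strict Base64 and
    decodes to printable ASCII. Returns a list of (key, plaintext)."""
    hits = []
    for k in range(256):
        unmasked = xor_bytes(blob, bytes([k]))
        if any(b not in B64_ALPHABET for b in unmasked):
            continue  # a wrong key almost always leaves the alphabet somewhere
        try:
            plain = base64.b64decode(unmasked, validate=True)
        except (binascii.Error, ValueError):
            continue  # alphabet-only but padding/length invalid
        if plain and all(0x20 <= b < 0x7F for b in plain):
            hits.append((k, plain.decode("ascii")))
    return hits


def likely_c2(blob: bytes):
    """Narrow survivors to URL-shaped strings; returns a list of (key, url)."""
    return [(k, p) for k, p in recover_single_byte_key(blob) if "://" in p]


# Constructed sample: documentation-range address, arbitrary key 0x5A.
SAMPLE_KEY = bytes([0x5A])
SAMPLE_C2 = "http://203.0.113.10/gate.php"
SAMPLE_BLOB = mask_c2(SAMPLE_C2, SAMPLE_KEY)

if __name__ == "__main__":
    print("masked blob:", SAMPLE_BLOB.hex())
    print("known-key decode:", unmask_c2(SAMPLE_BLOB, SAMPLE_KEY))
    print("brute-forced:", likely_c2(SAMPLE_BLOB))
```

The same two constraints carry over to longer repeating keys by solving each key byte position independently against the Base64 alphabet; for a real sample the blob would be carved from the unpacked binary or memory, and the decoded address should be treated as an indicator to validate, not as attribution.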
Groups, software, and campaigns
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 9eff79d33449… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 Azorult Nov 2018: Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
- [2] Proofpoint Azorult July 2018: Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
- [3] MITRE ATT&CK. S0344 Azorult (mirrored source object). https://attack.mitre.org/software/S0344
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.