Who, what & why

Who is behind AZORult Tracker?

AZORult Tracker is maintained by:

This project was created during our last year of engineering school at ENSIBS Cyberdéfense in Vannes (France). We decided to work on AZORult Tracker because we all enjoy threat intelligence and wanted to contribute to its community.

What is AZORult and AZORult Tracker?

  • AZORult is one of the most used stealer malware families in 2019. Like most malware, AZORult needs a web panel called a "Command & Control" (also called C&C, C2, or panel) to operate.
  • AZORult Tracker is a C&C Tracker which focuses on this malware panel (versions 3.2 and 3.3.1, which are the most common). The main purpose of the Tracker is to reference AZORult C&C panels and to track them through time. These data can be useful for threat hunting, threat intelligence, threat streams... To display these results, AZORult Tracker offers both a website and an API for more specific searches.
  • The AZORult panel exposes a publicly accessible page that displays many statistics about the victims: number of stolen passwords, infected countries, and a lot more. These data are also tracked through time by AZORult Tracker to give a detailed evolution of each panel.
  • AZORult Tracker also recovers the configuration of the panels, including the file grabber and loaders (second stage).

If you want to know more about AZORult, you can check out its Malpedia page. Here are two articles that cover the C&C panel more specifically:

Why did we make AZORult Tracker?

  • AZORult is one of the most used botnets and it has no dedicated tracker.
  • Contribute to the security of users (by providing IOCs).
  • Contribute to the Cyber Threat Intelligence community.

FAQs

My server is in the database, how can I remove it?

If your server is in the database, it's probably because it has been compromised to host an AZORult panel. First of all, make sure there are no more malware panels on your websites. Then contact us at azorult-tracker[at]protonmail[.]com with the subject "[Opt-out] your_server_here". Note: you'll have to prove that you are the owner of the server to have it removed from the database.

How does AZORult Tracker get new panels?

To get new panels to track, AZORult Tracker uses feeders, including:

Thanks to them for their awesome work!

We also share the panels we discover during our personal investigations.

Are the database and website free to use?

There is no restriction on the website and the API. However, the provided data are under the CC0 license.

How can I contribute to AZORult Tracker?

Although the database is open, we do not provide the website/API source code. However, if you find new panels not referenced by AZORult Tracker, you can submit them on CyberCrime Tracker or directly on Twitter with the hashtag #AZORult. Our feeders will take care of retrieving them.

Why do some panels have the "hacked" label?

Some versions of the AZORult panel have vulnerabilities. Once exploited, the panel may have inconsistent data.

Why are some panel statistics inconsistent?

In some cases, erroneous data may be injected into the statistics page of a C&C. Such data are not taken into account, but this can still lead to some inconsistencies. It's also likely that seemingly legitimate data are injected into the statistics, inflating, for example, the number of victims on a panel.

Why aren't there infection statistics for all panels?

The page containing the infection statistics is in the C&C "backend". To access it, you need to know its path; without the path, the statistics can't be retrieved. However, we still get the malware's settings, file grabber and loaders.

Why are the panel statistics out of date?

Online C&Cs are scanned every 12 hours, so it's possible that changes have taken place since the last scan.

Why is the panel indicated as offline when it's accessible?

Some panels may not have the right status (offline instead of online). This may be due to the use of technology such as Cloudflare. This is also why some panels listed on the feeders are not present on AZORult Tracker.

Contact

You want to collaborate with AZORult Tracker? You've got an amazing idea? You have a huge list of C&C not referenced? You spotted a bug? Feel free to contact us at the following email: azorult-tracker[at]protonmail[.]com or directly on Twitter.

Disclaimer

  • AZORult Tracker and its founders do not take any responsibility and are not liable for any damage caused through use of products or services through this website, be it indirect, special, incidental or consequential damages.
  • Any data offered by AZORult Tracker is provided as is, on a best-effort basis.
  • AZORult Tracker cannot be held liable for any false positive.
  • AZORult logo is property of © Can Stock Photo Inc. / Alexius.