Aurora surfaced on tracking infrastructure on June 16, 2026, and has claimed all 19 of its recorded victims within a single 30-day window, indicating a fast-tempo initial campaign rather than a slow-burn operation. Claimed targets skew toward manufacturing, with German firms representing the single largest national slice of the victim list; recent claims include an Austrian aerospace composites manufacturer, a Dutch civil engineering firm, and a Peruvian fuel and retail conglomerate, suggesting broad opportunistic targeting rather than a tightly defined vertical. The underlying malware is described as a Go-based multipurpose tool that has circulated since mid-2022 across multiple criminal teams, also sold separately as an infostealer and botnet on underground forums, meaning the ransomware deployment component may share infrastructure with credential-harvesting operations. Aurora's Go-based lineage is consistent with techniques such as disabling or bypassing host-based security controls before encryption and leveraging cross-platform compilation to target both Windows and Linux endpoints without significant code modification. All victim claims should be treated as unverified assertions by the group itself.