Astaroth Banking Trojan Campaign Leverages GitHub for Resilience
Summary
A new campaign distributing the Astaroth banking trojan uses GitHub to host malware configurations, allowing it to remain operational even after traditional command-and-control (C2) servers are taken down. The malware primarily targets users in Brazil and other Latin American countries. The infection chain starts with a phishing email containing a malicious Windows shortcut (.lnk) file, which downloads and executes the trojan. Astaroth monitors banking and cryptocurrency websites, steals credentials via keylogging, and uses steganography to hide configuration data within GitHub-hosted images. The malware also includes anti-analysis features to evade detection and persistence mechanisms to ensure it runs on reboot. The campaign has been active since at least July 2024, with previous attacks also targeting Brazil.
Timeline
- 13.10.2025 09:52 (1 article)
Astaroth Banking Trojan Campaign Leverages GitHub for Resilience
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
Information Snippets
All snippets below were first reported 13.10.2025 09:52 (1 source, 1 article).
- Astaroth uses GitHub repositories to host malware configurations, ensuring resilience against C2 server takedowns.
- The campaign primarily targets users in Brazil and other Latin American countries.
- The infection begins with a DocuSign-themed phishing email containing a malicious Windows shortcut (.lnk) file.
- The malware uses obfuscated JavaScript to fetch additional payloads and execute an AutoIt script.
- Astaroth monitors visits to banking and cryptocurrency websites, stealing credentials via keylogging.
- The malware includes anti-analysis features to evade detection and persistence mechanisms to run on reboot.
- Astaroth uses steganography to hide configuration data within GitHub-hosted images.
- Previous Astaroth campaigns targeting Brazil were reported in July and October 2024.
Source:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
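A defensive check prompted by the steganography snippet above, added here as an example and not code from the article or from the campaign itself: it walks a PNG's chunk list and reports any bytes appended after the IEND chunk, one place a downloaded image can carry hidden configuration. The page does not say which steganographic method Astaroth uses; appended trailing data is assumed here as one common carrier, and both the sample image and the config blob are constructed.

```python
"""Flag PNG images that carry extra bytes after the IEND chunk (constructed
defensive check; assumes hidden config is appended, not hidden in pixels)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_payload_end(data: bytes) -> int:
    """Walk the chunk list; return the offset just past IEND or raise ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # length + type + data + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")

def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows IEND; a clean image yields b''."""
    return data[png_payload_end(data):]

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_minimal_png() -> bytes:
    """1x1 8-bit grayscale PNG, used only as constructed sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))

CLEAN_PNG = build_minimal_png()
# Constructed sample: a placeholder config blob appended to the clean image.
SUSPICIOUS_PNG = CLEAN_PNG + b"CFG|placeholder-config|"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        extra = trailing_bytes(blob)
        print(f"{name}: {len(extra)} trailing bytes {extra!r}")
```

Trailing bytes alone are not proof of malice (some tools append metadata), so treat a hit as a triage signal for images fetched from repositories by unexpected processes rather than a verdict.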