Astaroth Banking Trojan Campaign Leverages GitHub for Resilience
Summary
A campaign distributing the Astaroth banking trojan uses GitHub to host malware configurations and WhatsApp to spread the infection. The malware primarily targets users in Brazil and other Latin American countries. The infection chain starts with a phishing email or WhatsApp message carrying a malicious file, which downloads and executes the trojan. Astaroth monitors visits to banking and cryptocurrency websites, steals credentials via keylogging, and uses steganography to hide configuration data inside GitHub-hosted images. It also includes anti-analysis features to evade detection and persistence mechanisms so that it survives reboots. Astaroth campaigns against Brazil have been reported since at least July 2024. The latest findings show that the malware now spreads via WhatsApp, using a Python-based propagation module to send malicious ZIP files to the victim's contacts.
Timeline
- 08.01.2026 19:10 (1 article)
Astaroth Banking Trojan Spreads via WhatsApp Messages
A new campaign distributing the Astaroth banking trojan uses WhatsApp as a distribution vector. The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to spread the infection further. The campaign pairs a banking module that monitors web browsing activity for banking URLs with real-time tracking of propagation metrics.
Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- 13.10.2025 09:52 (2 articles)
Astaroth Banking Trojan Campaign Leverages GitHub for Resilience
A new campaign distributing the Astaroth banking trojan uses GitHub to host malware configurations, allowing it to remain operational even after traditional command-and-control (C2) servers are taken down. The malware primarily targets users in Brazil and other Latin American countries. The infection chain starts with a phishing email containing a malicious Windows shortcut (.lnk) file, which downloads and executes the trojan. Astaroth monitors banking and cryptocurrency websites, steals credentials via keylogging, and uses steganography to hide configuration data within GitHub-hosted images. The malware also includes anti-analysis features to evade detection and persistence mechanisms to ensure it runs on reboot. The campaign has been active since at least July 2024, with previous attacks also targeting Brazil.
Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
Information Snippets
- Astaroth uses GitHub repositories to host malware configurations, ensuring resilience against C2 server takedowns.
First reported 13.10.2025 09:52 (1 source, 2 articles). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The campaign primarily targets users in Brazil and other Latin American countries.
First reported 13.10.2025 09:52 (1 source, 2 articles). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The infection begins with a DocuSign-themed phishing email containing a malicious Windows shortcut (.lnk) file.
First reported 13.10.2025 09:52 (1 source, 1 article). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- The malware uses obfuscated JavaScript to fetch additional payloads and execute an AutoIt script.
First reported 13.10.2025 09:52 (1 source, 1 article). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- Astaroth monitors visits to banking and cryptocurrency websites, stealing credentials via keylogging.
First reported 13.10.2025 09:52 (1 source, 2 articles). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The malware includes anti-analysis features to evade detection and persistence mechanisms to run on reboot.
First reported 13.10.2025 09:52 (1 source, 2 articles). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- Astaroth uses steganography to hide configuration data within GitHub-hosted images.
First reported 13.10.2025 09:52 (1 source, 2 articles). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- Previous Astaroth campaigns targeting Brazil were reported in July and October 2024.
First reported 13.10.2025 09:52 (1 source, 1 article). Sources:
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52
- Astaroth now spreads via WhatsApp by sending malicious ZIP files to contacts.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The malware uses a Python-based propagation module to automate WhatsApp message sending.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The campaign includes a banking module that monitors web browsing activity for banking URLs.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The malware tracks and reports propagation metrics in real time.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The campaign is codenamed Boto Cor-de-Rosa by the Acronis Threat Research Unit.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
- The malware uses a Visual Basic Script disguised as a benign file to initiate the infection.
First reported 08.01.2026 19:10 (1 source, 1 article). Sources:
- WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging — thehackernews.com — 08.01.2026 19:10
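The snippets above describe the delivery chain in terms of a Visual Basic Script disguised as a benign file, obfuscated JavaScript, an AutoIt script, and a Python-based WhatsApp propagation module. A detection engineer would express that as a process-ancestry rule rather than a file hash. The block below is an added example, not a rule from the reporting or from any vendor: it builds a process tree from constructed Sysmon-style process-creation events (the PIDs, usernames, file names and paths are invented) and flags a Windows script host that ran a script from a user-writable directory and has python.exe, AutoIt3.exe, powershell.exe or msiexec.exe among its descendants. The image names and directory list are assumptions to tune per environment.

```python
from collections import defaultdict
from typing import Dict, List

# Heuristics (assumed, tune per environment): the script hosts that run
# VBS/JS/HTA droppers, the tools this chain goes on to launch, and the
# directories where a chat attachment or an extracted ZIP would usually land.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"python.exe", "pythonw.exe", "autoit3.exe",
                       "powershell.exe", "pwsh.exe", "msiexec.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".lnk")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\whatsapp\\")


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, whichever separator was logged."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host_dropper(ev: dict) -> bool:
    """Script host invoked on a script file that lives in a user-writable directory."""
    if image_name(ev["image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["cmdline"].lower()
    return any(ext in cmd for ext in SCRIPT_EXTS) and any(d in cmd for d in USER_WRITABLE)


def descendants(pid: int, children: Dict[int, List[dict]]) -> List[dict]:
    """All processes below pid in the tree (depth-first, order not significant)."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        out.append(ev)
        stack.extend(children.get(ev["pid"], []))
    return out


def detect_chains(events: List[dict]) -> List[dict]:
    """One finding per script-host root whose subtree contains a suspicious child."""
    children: Dict[int, List[dict]] = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if not is_script_host_dropper(ev):
            continue
        hits = [d for d in descendants(ev["pid"], children)
                if image_name(d["image"]) in SUSPICIOUS_CHILDREN]
        if hits:
            findings.append({
                "root_pid": ev["pid"],
                "root_cmdline": ev["cmdline"],
                "chain": [image_name(h["image"]) for h in hits],
            })
    return findings


# Constructed sample events (not real telemetry): a chat-delivered VBS that
# spawns PowerShell, which launches a Python propagation script and an AutoIt
# interpreter, next to an unrelated benign browser launch.
SAMPLE_EVENTS = [
    {"pid": 4001, "ppid": 1200, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4101, "ppid": 4001, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\ana\\Downloads\\WhatsApp\\comprovante.pdf.vbs"'},
    {"pid": 4102, "ppid": 4101,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f C:\\Users\\ana\\AppData\\Local\\Temp\\s.ps1"},
    {"pid": 4103, "ppid": 4102, "image": "C:\\Users\\ana\\AppData\\Local\\Programs\\Python\\python.exe",
     "cmdline": "python.exe C:\\Users\\ana\\AppData\\Local\\Temp\\wa.py"},
    {"pid": 4104, "ppid": 4102, "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\AutoIt3.exe",
     "cmdline": "AutoIt3.exe C:\\Users\\ana\\AppData\\Local\\Temp\\x.a3x"},
    {"pid": 4201, "ppid": 4001, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe"},
]

if __name__ == "__main__":
    for finding in detect_chains(SAMPLE_EVENTS):
        print(finding)
```

The user-writable-directory condition is what keeps logon scripts and admin tooling out of the results; a script host run from a system or IT-managed path with the same children is not flagged, which is the tuning knob to revisit if your fleet legitimately runs scripts from profile directories.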
Similar Happenings
Malicious npm package 'lotusbail' steals WhatsApp credentials and messages
A malicious npm package named 'lotusbail' has been discovered, which poses as a legitimate WhatsApp Web API library. The package steals WhatsApp authentication tokens, session keys, intercepts messages, and exfiltrates contact lists and media files. It has been available for at least six months with over 56,000 downloads. The package also links the attacker's device to the victim's WhatsApp account, granting persistent access even after removal. Researchers recommend checking for rogue linked devices and monitoring runtime behavior for unexpected outbound connections. The package was uploaded by a user named 'seiren_primrose' in May 2025 and has been downloaded 711 times in the last week. It uses a malicious WebSocket wrapper to capture credentials and chats, and the stolen data is transmitted to an attacker-controlled URL in encrypted form. The package also uses a hard-coded pairing code to hijack the device linking process and enters into an infinite loop trap when debugging tools are detected.
131 Chrome Extensions Hijack WhatsApp Web for Spam Campaign
A coordinated campaign used 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users. The extensions, collectively affecting 20,905 active users, inject code into WhatsApp Web to automate bulk messaging and bypass anti-spam controls. The operation has been ongoing for at least nine months, with recent updates observed in October 2025. The extensions are marketed as CRM tools for WhatsApp, allowing users to maximize sales through the web version. The extensions are published under various names and logos, but most are linked to 'WL Extensão' and 'WLExtensao,' believed to be part of a franchise model by DBX Tecnologia. The practice violates Google's Chrome Web Store policies.
SORVEPOTEL, Maverick, and Eternidade Stealer Malware Campaigns Target Brazilian Banks via WhatsApp
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. It spreads through phishing messages containing malicious ZIP files and primarily affects Windows systems. The campaign is built for rapid propagation rather than data theft or ransomware: it exploits the trust placed in WhatsApp to spread across contacts and groups, which often leads to account bans for excessive spam. Most infections are concentrated in Brazil, across sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions.

Later findings link SORVEPOTEL to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware retrieves commands over IMAP connections to terra.com[.]br email accounts using hardcoded email credentials, and implements a remote control mechanism that lets the adversary pause, resume, and monitor the WhatsApp propagation in real time.

A newly identified banking trojan known as Eternidade Stealer has pushed Brazil's cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool. The malware combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists. The campaign distributes the trojan through a combination of social engineering and WhatsApp hijacking, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. The worm harvests the victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to every remaining contact. The MSI installer drops several payloads, including an AutoIt script that checks whether the compromised system is in Brazil by inspecting the operating system language. The script scans running processes and registry keys for installed security products, profiles the machine, and sends the details to a C2 server. It then injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and a login panel used to monitor infected hosts.

The threat actor Water Saci is using a highly layered infection chain built on HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is marked by a shift from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking an embedded link. Users who receive HTA files are tricked into executing a Visual Basic Script immediately upon opening, which runs PowerShell commands to fetch next-stage payloads from a remote server: an MSI installer for the trojan and a Python script responsible for spreading the malware via WhatsApp Web. The MSI installer delivers the banking trojan by way of an AutoIt script. That script also ensures that only one instance of the trojan runs at any given time: it checks for a marker file named "executed.dat" and, if the file does not exist, creates it and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. It then performs a further reconnaissance step, checking for installed antivirus and security software and harvesting detailed system metadata. The core functionality is to monitor open windows and compare their titles against a list of banks, payment platforms, exchanges, and cryptocurrency wallets. If any window title contains a keyword for a targeted entity, the script locates a TDA file dropped by the installer, decrypts it, and injects it into a hollowed "svchost.exe" process, after which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan performs "aggressive" anti-virtualization checks to sidestep analysis and detection, gathers host information through Windows Management Instrumentation (WMI) queries, modifies the Registry to set up persistence, and contacts a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. It forcibly terminates several browsers to make victims reopen banking sites under "attacker-controlled conditions." The second component of the campaign is a Python script, an enhanced version of its PowerShell predecessor, that delivers the malware to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence that Water Saci may have used a large language model (LLM) or a code-translation tool to port the propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.

Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC, designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack uses decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal is to capture the victim's card details and relay them to attackers, who then perform fraudulent transactions with the stolen data. The researchers' investigation also uncovered a separate phishing site ("test.ikotech[.]online") distributing an APK with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
WhatsApp Zero-Day Exploited in Targeted Attacks
A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against specific users, chained with a separate iOS flaw (CVE-2025-43300). The WhatsApp flaw allowed unauthorized users to trigger content processing from arbitrary URLs on targeted devices. WhatsApp patched the issue and notified affected users. Apple issued threat notifications to users targeted in these mercenary spyware attacks, which singled out individuals because of their status or function, such as journalists, lawyers, activists, politicians, and senior officials, and advised them to enable Lockdown Mode and seek emergency security assistance. Apple has sent such notifications multiple times a year since 2021, alerting users in over 150 countries, including a fourth campaign in France in 2025. The attacks highlight the risk of chained vulnerabilities and the need for layered defenses. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities, and the number of U.S. investors in spyware and surveillance technologies has increased significantly.