Astaroth banking trojan GitHub-backed credential theft activity
Malware Activity
Summary
The Astaroth banking trojan is using GitHub repositories to pull fresh configurations after takedowns, extending credential-theft operations against banking and cryptocurrency users on Windows. The malware is delivered through DocuSign-themed phishing emails that drop a zipped .lnk file and launch a multi-stage loader chain. It injects into RegSvc.exe, monitors visits to financial websites, and captures keystrokes to steal credentials. The activity is concentrated in Brazil and broader Latin America; the GitHub-backed fallback makes the operation resilient and harder to disrupt.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
Storm-2561 SEO-poisoning VPN credential-theft campaign
Campaign
First: 13.03.2026 15:38
Last: 13.03.2026 15:38
Sources 1
About this happening:
The **Storm-2561** group is running a **credential-theft campaign** that uses **SEO poisoning** and fake **VPN clients** to steal **VPN credentials** from people searching for ent...
Timeline
13.10.2025 09:52 2 articles · 7mo ago
Astaroth campaign uses GitHub-backed fallback infrastructure
Initial Disclosure: McAfee Labs describes a new Astaroth banking trojan campaign that uses GitHub repositories to host malware configurations and stay operational when C2 servers are taken down. The delivery chain begins with DocuSign-themed phishing emails that drop a zipped Windows shortcut (.lnk) file, then uses obfuscated JavaScript, an AutoIt script, shellcode, and a Delphi-based DLL to inject Astaroth into a newly created RegSvc.exe process. The malware monitors banking and cryptocurrency websites, hooks keyboard events to record keystrokes, transmits captured information through Ngrok, and focuses primarily on Brazil while also affecting targets across Latin America.
Sources
- Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns — thehackernews.com — 13.10.2025 09:52