Astaroth Banking Trojan

Cybersecurity researchers have identified a fresh campaign delivering the Astaroth banking trojan that deliberately uses legitimate services as a fallback to survive takedowns. Rather than relying solely on traditional Command-and-Control (C2) servers that defenders can locate and disrupt, the operators are hosting malware configuration data on GitHub and embedding it in images via steganography — allowing the malware to recover and continue operating even after infrastructure is seized or disabled.

How GitHub And Steganography Become A Backup C2

The attackers place configuration blobs inside images on public GitHub repositories. When the Trojan can't reach its primary C2 servers, it pulls updated configuration data from those image files — effectively turning a well-known code-hosting platform into a resilient backup delivery channel. Because the data is hidden inside images, it blends into normal traffic and repositories and makes detection and takedown more complicated. Security teams worked with the Microsoft-owned platform to remove the offending repos, which temporarily disrupted the campaign, but the design shows clear intent to resist future takedowns.
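The mechanics of a steganographic fallback are easier to see in code than in prose. The block below is an added illustration, not Astaroth's encoder or the researchers' tooling: the page only says that configuration data is hidden inside images on GitHub, so the 1-bit-per-byte LSB scheme, the `CFG1` marker, the length prefix, the sample config and the synthetic "image" bytes are all assumptions. It shows the two halves a defender cares about: how a config blob survives inside pixel data, and the primary-C2-first, image-second lookup order that makes a takedown of the C2 servers alone insufficient.

```python
"""Config blob hidden in image pixel bytes, with primary-C2-first fallback.

Added illustration, not Astaroth's own encoder: the page says only that the
configuration is steganographically embedded in images hosted on GitHub.  The
1-bit-per-byte LSB scheme, the CFG1 marker, the length prefix, the sample
config and the synthetic "image" below are all assumptions."""
import random
import struct

MAGIC = b"CFG1"  # assumed marker so the extractor can tell a carrier from a clean image


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Store MAGIC + 4-byte little-endian length + payload in the LSB of each pixel byte (MSB first)."""
    blob = MAGIC + struct.pack("<I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("carrier image too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(blob):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _lsb_bytes(pixels: bytes, nbytes: int, offset: int = 0) -> bytes:
    """Reassemble nbytes of hidden data starting at hidden-byte offset."""
    out = bytearray()
    for i in range(nbytes):
        val = 0
        for bit in range(8):
            val = (val << 1) | (pixels[(offset + i) * 8 + bit] & 1)
        out.append(val)
    return bytes(out)


def extract(pixels: bytes):
    """Return the hidden payload, or None when the image carries no valid blob."""
    if len(pixels) < 64 or _lsb_bytes(pixels, 4) != MAGIC:
        return None
    (length,) = struct.unpack("<I", _lsb_bytes(pixels, 4, offset=4))
    if (8 + length) * 8 > len(pixels):
        return None  # length field claims more data than the carrier holds
    return _lsb_bytes(pixels, length, offset=8)


def load_config(primary_c2, fetch, carriers):
    """Try every primary C2 first; only if all fail, decode config out of the carrier images.

    fetch(host) stands in for the real C2 request and returns bytes or None.
    carriers maps an image name to its raw pixel bytes (as pulled from the repo)."""
    for host in primary_c2:
        cfg = fetch(host)
        if cfg is not None:
            return ("c2", host, cfg)
    for name, pixels in carriers.items():
        cfg = extract(pixels)
        if cfg is not None:
            return ("image", name, cfg)
    return None


# Constructed sample data (no real image, no real C2 addresses).
SAMPLE_CONFIG = b'{"c2":["203.0.113.10:443","203.0.113.11:443"],"poll":60}'
CLEAN_IMAGE = random.Random(1).randbytes(4096)
CARRIER = embed(CLEAN_IMAGE, SAMPLE_CONFIG)

if __name__ == "__main__":
    print("clean image decodes to:", extract(CLEAN_IMAGE))
    print("carrier decodes to:", extract(CARRIER))
    print("all C2 down ->", load_config(["c2-a.invalid", "c2-b.invalid"], lambda h: None, {"logo.png": CARRIER}))
```

Two practical points follow from this. First, the carrier and the clean image differ only in the lowest bit of each byte, so file size, dimensions and a visual check all look normal; hunting has to rely on who fetches the image and from where, not on the image itself. Second, the real sample's encoding is not documented on this page, so do not build a detection around the `CFG1` marker used here; it exists only so the example can distinguish a carrier from a clean file.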

Geographic Focus And Prior Activity

The current campaign is concentrated primarily in Brazil, although Astaroth historically targets a broad set of Latin American countries, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. This is consistent with earlier Astaroth activity: researchers flagged related clusters (tracked as PINEAPPLE and Water Makara) in July and October 2024 that used phishing lures to distribute the same family of malware.

The Infection Chain

The attack typically begins with a DocuSign-themed phishing message containing a link. That link delivers a ZIP that contains a Windows shortcut (.lnk). Opening the LNK launches an obfuscated JavaScript stub that fetches additional JavaScript from externally hosted servers. The fetched JavaScript in turn downloads multiple files from one of several hard-coded servers. Among those files is an AutoIt script executed by the JavaScript payload; the AutoIt script loads and runs shellcode, which then loads a Delphi-based DLL. That DLL decrypts the Astaroth payload and injects it into a newly created RegSvc.exe process — completing the deployment.
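The chain above is unusually visible in process-creation telemetry because each stage spawns the next. The block below is an added example of how a detection engineer might encode it, not the researchers' own logic. The page does not name the host that runs the JavaScript stub, so `wscript.exe`/`cscript.exe` is assumed; the AutoIt interpreter name, every path, PID and command line in the sample events are constructed. It generalises slightly beyond the single chain the page describes by checking ancestry rather than the immediate parent, so an extra intermediate process (a `cmd.exe` between stages, for instance) does not break the match.

```python
"""Flag the Astaroth-style delivery chain in process-creation telemetry.

Added example, not the researchers' detection logic.  The page describes the
chain LNK -> JavaScript stub -> AutoIt script -> shellcode -> Delphi DLL ->
injection into a new RegSvc.exe.  Which host runs the JavaScript (assumed
here: wscript.exe/cscript.exe), the AutoIt binary name, every path, PID and
command line below are constructed for illustration."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_HINT = re.compile(r"autoit|\.a3x\b|\.au3\b", re.I)  # interpreter name or script extension
USER_DIR = re.compile(r"\\users\\", re.I)
SCRIPT_EXT = re.compile(r"\.js\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Walk the parent chain, nearest first, stopping on unknown or cyclic pids."""
    chain, seen = [], set()
    pid = by_pid[pid]["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (pid, rule) tuples for every event that matches a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        chain = ancestors(by_pid, e["pid"])
        chain_names = {basename(a["image"]) for a in chain}
        # Stage 1: a script host running a .js out of a user-writable path (what the LNK kicks off).
        if name in SCRIPT_HOSTS and SCRIPT_EXT.search(e["cmd"]) and USER_DIR.search(e["cmd"]):
            alerts.append((e["pid"], "script_host_running_js_from_user_dir"))
        # Stage 2: AutoIt interpreter or .a3x/.au3 script started underneath that script host.
        if (AUTOIT_HINT.search(e["cmd"]) or AUTOIT_HINT.search(name)) and chain_names & SCRIPT_HOSTS:
            alerts.append((e["pid"], "autoit_under_script_host"))
        # Stage 3: RegSvc.exe whose ancestry contains the script host or the AutoIt stage.
        if name == "regsvc.exe" and (chain_names & SCRIPT_HOSTS or any(AUTOIT_HINT.search(a["cmd"]) for a in chain)):
            alerts.append((e["pid"], "regsvc_spawned_by_script_chain"))
    return alerts


# Constructed Sysmon-style process-creation records (pid, parent pid, image, command line).
EVENTS = [
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1100, "ppid": 4, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //E:jscript "C:\Users\ana\AppData\Local\Temp\stub.js"'},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Users\Public\Libraries\AutoIt3.exe",
     "cmd": r'AutoIt3.exe "C:\Users\Public\Libraries\loader.a3x"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Users\Public\Libraries\RegSvc.exe", "cmd": "RegSvc.exe"},
    {"pid": 2000, "ppid": 4, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://www.caixa.gov.br/"},
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Stage 2 keys on both the interpreter name and the `.a3x`/`.au3` script extension because a renamed AutoIt binary is cheap for the operator; the script path in the command line is harder to hide. Stage 3 is the highest-confidence signal, since a freshly started `RegSvc.exe` with a scripting host anywhere in its ancestry has no legitimate explanation.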

What Astaroth Does On Infected Hosts

Astaroth is implemented in Delphi and is designed to monitor users' web activity, focusing on visits to banking and cryptocurrency-related websites. It checks the active browser window every second; when it detects a targeted banking or crypto site, it hooks keyboard events to capture keystrokes and harvest credentials. The trojan transmits stolen data back to the attackers through an Ngrok reverse-proxy tunnel, so the exfiltration traffic goes to an Ngrok-hosted endpoint rather than directly to attacker infrastructure, hiding the operators' real server behind a legitimate tunnelling service.
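Both egress paths the page describes, exfiltration over an Ngrok tunnel and configuration pulled from image files on GitHub, leave a footprint in proxy logs. The block below is an added hunting example, not the researchers' tooling: the log format, process names, user names, hosts and byte counts are constructed, and the Ngrok suffix list is a starting point to be reconciled with your own allow and deny lists. It covers the GitHub-fetch pattern from the steganography discussion above as well as the Ngrok pattern here.

```python
"""Hunt proxy logs for the two egress patterns the page describes: exfiltration
through an Ngrok tunnel and configuration fetched from images on GitHub.

Added example; the log format, process names and every host and byte count
below are constructed.  The Ngrok suffix list covers the tunnel domains in
common use and should be extended to match your own allow/deny lists."""
import re

NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev", ".ngrok-free.dev")
GITHUB_CONTENT_HOSTS = {"raw.githubusercontent.com", "objects.githubusercontent.com", "github.com"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """key=value tokens, quoted values unquoted (assumed proxy log format)."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def classify(rec: dict):
    """Name the rule a record matches, or None."""
    host = rec.get("host", "").lower()
    proc = rec.get("proc", "").lower()
    path = rec.get("path", "").lower()
    if host.endswith(NGROK_SUFFIXES):
        return "ngrok_tunnel_egress"
    if host in GITHUB_CONTENT_HOSTS and path.endswith(IMAGE_EXT) and proc not in BROWSERS:
        return "github_image_fetch_by_non_browser"
    return None


def hunt(lines) -> list:
    """Return (timestamp, src, proc, host, rule) for every matching line."""
    hits = []
    for line in lines:
        rec = parse(line)
        rule = classify(rec)
        if rule:
            hits.append((rec["ts"], rec["src"], rec["proc"], rec["host"], rule))
    return hits


# Constructed proxy log lines (not real telemetry).
LOG = [
    "ts=2025-10-14T13:02:11Z src=10.0.0.21 proc=chrome.exe host=raw.githubusercontent.com path=/org/repo/main/logo.png bytes=40211",
    "ts=2025-10-14T13:02:45Z src=10.0.0.21 proc=AutoIt3.exe host=raw.githubusercontent.com path=/acct/repo/main/img/banner.png bytes=39877",
    "ts=2025-10-14T13:03:10Z src=10.0.0.21 proc=RegSvc.exe host=1f2e3d4c.ngrok-free.app path=/ bytes=5120",
    "ts=2025-10-14T13:04:00Z src=10.0.0.22 proc=msedge.exe host=www.itau.com.br path=/ bytes=88012",
]

if __name__ == "__main__":
    for hit in hunt(LOG):
        print(*hit)
```

The GitHub rule deliberately keys on "any non-browser process" rather than on `AutoIt3.exe`, because the interpreter can be renamed; a browser fetching an image from a public repository is routine, an unsigned binary in a user-writable directory doing so is not. Ngrok hits need triage rather than automatic blocking, since developers use the service legitimately, but a tunnel contacted by a process named `RegSvc.exe` on a workstation deserves an immediate look.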

Examples Of Observed Targets

The researchers listed a set of banking and crypto-related sites observed being monitored by the malware:

  • caixa.gov.br
  • safra.com.br
  • itau.com.br
  • bancooriginal.com.br
  • santandernet.com.br
  • btgpactual.com
  • etherscan.io
  • binance.com
  • bitcointrade.com.br
  • metamask.io
  • foxbit.com.br
  • localbitcoins.com

Anti-analysis Capabilities

Astaroth includes numerous anti-analysis techniques. It probes the environment for virtualization, emulation, debugging and common analysis tools (examples include QEMU Guest Agent, HookExplorer, IDA Pro, Immunity Debugger, PE Tools, WinDbg, Wireshark and similar tools) and will terminate itself if such tools are detected. These checks make dynamic analysis and sandboxing more difficult for defenders.

Persistence, Geofencing, And Locale Checks

To maintain persistence, the campaign drops a shortcut into the Windows Startup folder that invokes the AutoIt script on reboot, ensuring the malware relaunches automatically. The infection chain also includes geofencing: the initial URL fetched by the LNK is targeted by region, and the malware verifies the system locale and refuses to run on machines set to the English (United States) locale. These checks narrow the victim profile to the intended region and keep the payload from detonating on analysts' machines outside it.
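The Startup-folder shortcut is the simplest artefact of this chain to check for. The block below is an added example of that check, not the researchers' tooling: the two Startup paths and the marker strings are assumptions, and the shortcut inspection is a byte-level heuristic (the `.lnk` format stores its target path and arguments as ASCII and/or UTF-16LE) rather than a full shortcut parser.

```python
"""Check the Windows Startup folders for shortcuts that hand control to AutoIt.

Added example of the persistence check, not the researchers' tooling.  The page
says the campaign drops a shortcut into the Startup folder that invokes the
AutoIt script on reboot; the marker strings and the two Startup paths below are
assumptions, and the shortcut inspection is a byte-level heuristic rather than
a full .lnk parse."""
import os
from pathlib import Path

STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
]
MARKERS = [b"autoit", b".a3x", b".au3"]  # interpreter name and AutoIt script extensions


def shortcut_references_autoit(data: bytes) -> bool:
    """Heuristic: a .lnk stores its target path and arguments as ASCII and/or UTF-16LE,
    so look for each marker in both encodings, case-insensitively."""
    low = data.lower()  # lowercases ASCII letters only; the NUL bytes of UTF-16LE are untouched
    for m in MARKERS:
        if m in low or m.decode().encode("utf-16-le") in low:
            return True
    return False


def scan_startup(dirs=STARTUP_DIRS) -> list:
    """Return paths of Startup-folder shortcuts whose bytes reference AutoIt."""
    hits = []
    for d in dirs:
        folder = Path(d)
        if not folder.is_dir():
            continue
        for lnk in folder.glob("*.lnk"):
            if shortcut_references_autoit(lnk.read_bytes()):
                hits.append(str(lnk))
    return hits


if __name__ == "__main__":
    for path in scan_startup():
        print("suspicious startup shortcut:", path)
```

Two caveats when running this for real: a shortcut whose target is stored only as an 8.3 short name (`AUTOIT~1.EXE`) will slip past the `autoit` marker, so a full parse of the link target ID list, or resolving the shortcut through the Windows Script Host `WScript.Shell` COM object, is more reliable; and a renamed interpreter leaves only the `.a3x`/`.au3` argument as evidence, which is why the script extensions are in the marker list at all.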

Operational Impact

By abusing GitHub to host stealthy configuration updates, the operators created a lightweight, hard-to-takedown backup channel for Astaroth. Removing the malicious repositories, which the researchers coordinated with the Microsoft-owned platform, disrupted the campaign only temporarily, because nothing stops the operators from publishing fresh carrier images under new accounts. The use of legitimate services for fallback demonstrates the need for defenders to monitor abuse of cloud and code-hosting platforms as part of C2 hunting.

Summary

This campaign highlights two trends defenders must consider: (1) threat actors increasingly use respected third-party platforms as resilient infrastructure and (2) modern malware blends multiple scripting and compiled components (JavaScript → AutoIt → shellcode → Delphi DLL) to complicate analysis and persistence removal. The combination of GitHub-based configuration fallback, targeted geofencing, strong anti-analysis checks, and browser activity monitoring makes Astaroth a particularly resilient and privacy-invasive banking trojan. Vigilance against phishing lures, alerting on non-browser processes that fetch image files from GitHub or contact Ngrok tunnels, and endpoint detection keyed to the script-host → AutoIt → RegSvc.exe process chain are the practical levers for detecting and disrupting infections.