Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns

The Hacker News by The Hacker News
October 13, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Oct 13, 2025Ravie LakshmananMalware / Financial Security

Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns.

“Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations,” McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report.

“When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running.”

The activity, per the cybersecurity company, is primarily focused on Brazil, although the banking malware is known to target various countries in Latin America, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama.

DFIR Retainer Services

This is not the first time Astaroth campaigns have trained their sights on Brazil. In July and October 2024, both Google and Trend Micro warned of threat clusters dubbed PINEAPPLE and Water Makara that used phishing emails to distribute the malware.

The latest attack chain is no different in that it also begins with a DocuSign-themed phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file, which, when opened, installs Astaroth on the compromised host.

The LNK file incorporates obfuscated JavaScript that’s responsible for fetching additional JavaScript from an external server. The newly fetched JavaScript code, for its part, downloads a number of files from one of the randomly selected hard-coded servers.

This includes an AutoIt script that’s executed by the JavaScript payload, following which it loads and runs shellcode, which, in turn, loads a Delphi-based DLL to decrypt and inject the Astaroth malware into a newly created RegSvc.exe process.

Astaroth is a Delphi malware designed to monitor victims’ visits to banking or cryptocurrency websites and steal their credentials using keylogging. The captured information is transmitted to the attackers using the Ngrok reverse proxy.

It accomplishes this by checking the active browser program window every second and whether it has a banking-related site opened. If these conditions are met, the malware hooks keyboard events to record keystrokes. Some of the targeted websites are listed below –

  • caixa.gov[.]br
  • safra.com[.]br
  • itau.com[.]br
  • bancooriginal.com[.]br
  • santandernet.com[.]br
  • btgpactual[.]com
  • etherscan[.]io
  • binance[.]com
  • bitcointrade.com[.]br
  • metamask[.]io
  • foxbit.com[.]br
  • localbitcoins[.]com
CIS Build Kits

Astaroth also comes fitted with capabilities to resist analysis and shuts down automatically if it detects emulator, debugger, and analysis tools like QEMU Guest Agent, HookExplorer, IDA Pro, ImmunityDebugger, PE Tools, WinDbg, and Wireshark, among others.

Persistence on the host is set up by dropping an LNK file in the Windows Startup folder that runs the AutoIT script to launch the malware automatically upon a system reboot. What’s more, not only is the initial URL accessed by the JavaScript within the LNK file geofenced, the malware also makes sure that the machine’s system locale is not set to English or the U.S.

“Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub, which uses steganography to hide this information in plain sight,” McAfee said.

In doing so, the malware leverages a legitimate platform to host configuration files and turn it into a resilient backup infrastructure when primary C2 servers become inaccessible. The company noted that it worked with the Microsoft-owned subsidiary to remove the GitHub repositories, temporarily neutralizing the operations.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
MediaTek and Airoha Unveil World’s First AI-Powered Fiber Gateway Platform

MediaTek and Airoha Unveil World's First AI-Powered Fiber Gateway Platform

Recommended.

2025 Next-Gen Solution Provider Leaders

2025 Next-Gen Solution Provider Leaders

October 27, 2025
The Fed meets with uncertainty permeating the air. Here’s what to expect

The Fed meets with uncertainty permeating the air. Here’s what to expect

May 6, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio