Astaroth Banking Trojan Uses GitHub to Evade Takedowns

Astaroth Banking Trojan Exploits GitHub for Malware Configurations, Targeting Latin America Through Phishing Campaigns

  • The Astaroth banking trojan now hosts its malware configuration on GitHub, so it keeps operating after its command-and-control (C2) servers are taken down.
  • The malware campaign targets primarily Brazil, with activity also reported across Latin American countries.
  • Infections start with phishing emails themed as DocuSign, delivering a zipped Windows shortcut file that installs the malware.
  • Astaroth watches the active browser window for banking and cryptocurrency sites, then logs keystrokes to steal credentials, which are exfiltrated through the Ngrok reverse proxy service.
  • The trojan uses anti-analysis checks, persists through a shortcut in the Windows Startup folder, and only runs on systems whose locale is not English or U.S.

Security researchers have identified a new campaign distributing the Astaroth banking trojan, which now relies on GitHub repositories to store malware configuration data. This method allows the trojan to remain operational even if its command-and-control (C2) servers are shut down. The campaign was reported on October 13, 2025, with a focus on Brazil and other Latin American countries.


According to McAfee Labs researchers Harshil Patel and Prabudh Chakravorty, “Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations.” They explained that when authorities disable the main C2 infrastructure, Astaroth simply retrieves fresh configuration files from GitHub to continue its operations. The malware campaign is active in Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama.

The infection begins with a DocuSign-themed phishing email that lures the recipient into downloading a ZIP archive containing a Windows shortcut (.lnk) file. The shortcut launches obfuscated JavaScript that fetches further scripts and files, among them an AutoIt script; the AutoIt script loads shellcode that runs a Delphi-based DLL, and that DLL decrypts the Astaroth payload and injects it into a system process named RegSvc.exe.

Astaroth polls the active browser window every second for visits to banking and cryptocurrency websites. Once such a site is detected, it starts keylogging to capture credentials, which are exfiltrated to the attackers through the Ngrok reverse proxy service. Targeted sites include caixa.gov[.]br, itau.com[.]br, Binance[.]com, and MetaMask[.]io.
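Two of the behaviours described above leave network-level traces that a defender can hunt for: configuration retrieval from GitHub by a process that has no business talking to GitHub, and credential exfiltration through an ngrok tunnel. The following Python script is an added illustration of that hunt, not tooling from McAfee's report. The log format, the process names, the sample lines and the developer allow-list are all constructed assumptions; only the GitHub and ngrok hostname patterns are real.

```python
"""Hunt proxy-log lines for the two network behaviours described above: a
non-developer process fetching from GitHub (configuration retrieval) and egress
to an ngrok tunnel (credential exfiltration).

Added example, not McAfee's tooling. The log format, the process names and the
developer allow-list are assumptions; tune them to your own telemetry."""
import re

# Constructed sample lines in an assumed format: ts host process dst_host bytes_out
SAMPLE_LOG = """\
2025-10-13T12:00:01Z WS-0142 chrome.exe www.caixa.gov.br 812
2025-10-13T12:00:05Z WS-0142 AutoIt3.exe raw.githubusercontent.com 0
2025-10-13T12:00:06Z WS-0142 AutoIt3.exe raw.githubusercontent.com 0
2025-10-13T12:01:10Z WS-0142 RegSvc.exe 3f2a.ngrok-free.app 48213
2025-10-13T12:01:15Z DEV-0007 git.exe github.com 1204
2025-10-13T12:02:00Z WS-0142 chrome.exe www.binance.com 903
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Hostnames ngrok hands out for tunnels (suffix match; extend if your tenant uses custom domains)
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev")
# Processes for which GitHub traffic is expected (assumed allow-list)
DEV_PROCESSES = {"git.exe", "gh.exe", "code.exe", "devenv.exe"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dst, out = m.groups()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dst": dst.lower(), "bytes_out": int(out)}

def is_github(dst):
    return dst in GITHUB_HOSTS or dst.endswith(".githubusercontent.com")

def is_ngrok(dst):
    return any(dst.endswith(suffix) for suffix in NGROK_SUFFIXES)

def hunt(log_text):
    """Apply both rules; return de-duplicated (rule, host, process, destination) tuples."""
    seen, findings = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hits = []
        if is_github(ev["dst"]) and ev["proc"] not in DEV_PROCESSES:
            hits.append("github_fetch_by_non_dev_process")
        if is_ngrok(ev["dst"]):
            hits.append("ngrok_tunnel_egress")
        for rule in hits:
            key = (rule, ev["host"], ev["proc"], ev["dst"])
            if key not in seen:
                seen.add(key)
                findings.append(key)
    return findings

if __name__ == "__main__":
    for rule, host, proc, dst in hunt(SAMPLE_LOG):
        print(f"{rule:36} {host} {proc} -> {dst}")
```

Neither destination is malicious in itself, which is the whole point of the technique: blocking GitHub or ngrok outright is rarely acceptable, so the signal has to come from which process is talking to them. The GitHub rule therefore keys on the originating process rather than the host, and the ngrok rule should be paired with a review of whether anyone in the estate legitimately runs tunnels.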

The trojan terminates if it detects a virtual machine, a debugger, or analysis tools such as IDA Pro and Wireshark. It persists by placing a shortcut file in the Windows Startup folder so that it runs again after a reboot, and before proceeding it checks that the system locale is not English or U.S., which keeps infections within the targeted region.
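Both the zipped phishing attachment and the persistence mechanism above come down to a Windows shortcut whose real target is a script host rather than the document or application it pretends to be. The Python script below, added here as an illustration and not taken from McAfee's report, parses the shell-link format far enough to read the target, working directory and arguments, and flags shortcuts that hand execution to a script host. The two sample shortcuts are constructed in the script itself (including the placeholder argument string), and the script-host list and argument heuristics are assumptions to be tuned.

```python
"""Parse Windows shell-link (.lnk) files and flag ones that hand execution to a
script host: a triage step for the zipped phishing shortcut and for the shortcut
Astaroth drops in the Startup folder, both described above.

Added example, not McAfee's tooling. The two sample shortcuts are constructed
here, and the script-host list and argument heuristics are assumptions."""
import os
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                                   # HeaderSize = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order MS-SHLLINK serialises them
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon")]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_ARG_TOKENS = ("javascript:", "http://", "https://", "fromcharcode", "-enc")

def parse_lnk(data):
    """Return the StringData fields of a shell link; skips the IDList and LinkInfo blocks."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                       # u16 size, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields

def build_lnk(**fields):
    """Constructed minimal shortcut (header + Unicode StringData + TerminalBlock) for testing."""
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    return header + body + b"\x00\x00\x00\x00"

def triage_lnk(data):
    """Heuristic verdict: script-host target, URL/script tokens, or oversized arguments."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = f.get("arguments", "")
    reasons = []
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is script host {target}")
    if any(tok in args.lower() for tok in SUSPICIOUS_ARG_TOKENS):
        reasons.append("arguments carry URL or script tokens")
    if len(args) > 200:
        reasons.append(f"arguments unusually long ({len(args)} chars)")
    return {"fields": f, "suspicious": bool(reasons), "reasons": reasons}

def scan_startup_folder(path):
    """Triage every .lnk in a Startup folder; returns {filename: verdict}."""
    results = {}
    for name in os.listdir(path):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(path, name), "rb") as fh:
                results[name] = triage_lnk(fh.read())
    return results

# Constructed: a shortcut posing as a document that actually launches a script host
PHISHING_LNK = build_lnk(name="DocuSign_Contract.pdf",
                         relative_path="..\\..\\..\\Windows\\System32\\wscript.exe",
                         arguments='//E:JScript //B "%TEMP%\\stage1.js"')   # placeholder args
# Constructed: an ordinary application shortcut
BENIGN_LNK = build_lnk(relative_path="..\\Program Files\\7-Zip\\7zFM.exe",
                       working_dir="C:\\Program Files\\7-Zip")

if __name__ == "__main__":
    for label, blob in (("phishing", PHISHING_LNK), ("benign", BENIGN_LNK)):
        v = triage_lnk(blob)
        print(label, "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

The parser deliberately stops at the StringData section; it does not walk the IDList or the ExtraData blocks, so a real shortcut whose target lives only in the IDList will come back with no relative path and should be treated as "unparsed" rather than "clean". Run it in a sandbox over attachments that unpack to a .lnk, and over each user's Startup folder on the affected hosts, to catch both ends of the chain described above.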


McAfee noted that the configuration hosted on GitHub is concealed with steganography: the data is embedded inside image files, so the repository contents look innocuous. The company worked with Microsoft, which owns GitHub, to remove the repositories and temporarily disrupt the malware's infrastructure. The campaign shows how a legitimate platform can be abused to make malware infrastructure more resilient to takedowns.

For further reading, see the full McAfee Labs report.
