EXECUTIVE SUMMARY:
A new campaign of the Astaroth banking trojan has been observed leveraging public infrastructure to improve its resilience. Rather than solely relying on traditional command-and-control (C2) servers, the attackers are abusing GitHub to host and distribute configuration files. This enables Astaroth to adapt and persist in compromised environments even when its primary backend infrastructure is disrupted.
The infection begins with a phishing message delivering a ZIP archive containing a Windows shortcut. When the victim opens that shortcut, an obfuscated JavaScript command is executed through mshta.exe, which in turn downloads additional malicious components. These include an AutoIt-based loader, an encrypted payload, and a configuration file. The loader initializes shellcode with multiple entry points, resolves necessary APIs dynamically, and injects a DLL into a spawned system process. The final payload monitors active browser windows, hooks keyboard input to capture credentials when banking or crypto sites are in focus, and exfiltrates data via a custom binary protocol to command servers. Crucially, when the primary command-and-control infrastructure is unreachable, the malware updates its configuration by fetching seemingly innocuous image files from publicly hosted repositories. It hides real configuration data via steganography in those images, often hosted on GitHub, enabling it to resume operation. Persistence is achieved by placing a startup shortcut that triggers the malicious loader on reboot. Indicators such as file hashes, URL paths, and repository names have been catalogued for detection and response efforts.
This campaign demonstrates how attackers are evolving their infrastructure strategies, leveraging mainstream code-hosting platforms such as GitHub to bypass traditional defenses and takedown efforts. Organizations and individuals must adopt layered defense measures: avoid opening suspicious attachments and links, enforce two-factor authentication, maintain up-to-date endpoint protection, and monitor for anomalous network or file-system activity. Because Astaroth blends in with legitimate services and uses fallback infrastructure, a defense-in-depth posture is essential to detect and disrupt it.
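As an added illustration of the monitoring the summary calls for (this is not code from the report or from any vendor tooling), the Python script below applies three detection heuristics derived from the chain described above to a handful of constructed Sysmon-like events: mshta.exe launched with an inline script URI, a shortcut dropped into a user's Startup folder, and a non-browser process fetching an image file from GitHub. The event schema, the process and file names, the browser allowlist and the repository paths are all assumptions; the GitHub paths are placeholders, not the campaign's indicators.

```python
"""Detection heuristics for the infection chain summarised above.

Added example; the event layout is a simplified, hypothetical Sysmon-like
schema, not the report's telemetry. The sample events below are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional

# Code-hosting domains the report describes as abused for fallback configuration.
CODE_HOSTING_HOSTS = {"github.com", "raw.githubusercontent.com"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
# Processes expected to pull images from GitHub in normal use (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
STARTUP_FOLDER_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_PROTOCOL_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    tactic: str    # tactic name as used in the threat profile table
    detail: str


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def rule_mshta_inline_script(ev: dict) -> Optional[Alert]:
    """Execution stage: mshta.exe started with an inline javascript:/vbscript:
    URI, the way the shortcut in the phishing ZIP launches the obfuscated command."""
    if ev["type"] != "process" or basename(ev["image"]) != "mshta.exe":
        return None
    if not SCRIPT_PROTOCOL_RE.search(ev.get("cmdline", "")):
        return None
    return Alert("mshta_inline_script", "Execution",
                 f"parent={basename(ev['parent'])} cmdline={ev['cmdline'][:60]}")


def rule_startup_shortcut(ev: dict) -> Optional[Alert]:
    """Persistence (T1547.001): a .lnk written into a user's Startup folder."""
    if ev["type"] != "file":
        return None
    path = ev["path"]
    if STARTUP_FOLDER_RE.search(path) and path.lower().endswith(".lnk"):
        return Alert("startup_shortcut", "Persistence",
                     f"{basename(ev['image'])} wrote {path}")
    return None


def rule_image_fetch_from_code_hosting(ev: dict) -> Optional[Alert]:
    """C2 fallback (T1102.003): a non-browser process fetching an image file
    from a code-hosting site, the channel carrying the steganographic config."""
    if ev["type"] != "network" or ev["host"].lower() not in CODE_HOSTING_HOSTS:
        return None
    if basename(ev["image"]) in BROWSER_IMAGES:
        return None
    if PurePosixPath(ev["url_path"]).suffix.lower() not in IMAGE_EXTENSIONS:
        return None
    return Alert("image_fetch_from_code_hosting", "Command and Control",
                 f"{basename(ev['image'])} -> https://{ev['host']}{ev['url_path']}")


RULES = (rule_mshta_inline_script, rule_startup_shortcut, rule_image_fetch_from_code_hosting)


def detect(events: list) -> list:
    """Run every rule over every event; returns alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: three suspicious events interleaved with benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe "javascript:var s=unescape(\'%76%61%72\');eval(s)"'},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "file", "image": r"C:\Users\Public\Pictures\helper.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Desktop\report.lnk"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "raw.githubusercontent.com", "url_path": "/placeholder-org/placeholder-repo/main/logo.png"},
    {"type": "network", "image": r"C:\Users\Public\Pictures\helper.exe",
     "host": "raw.githubusercontent.com", "url_path": "/placeholder-user/placeholder-repo/main/wallpaper.png"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.tactic}] {a.rule}: {a.detail}")
```

Run on the constructed events, the script raises exactly three alerts (one per rule) and ignores the benign notepad launch, the Desktop shortcut and the browser's own GitHub fetch. The third rule is deliberately narrow: it keys on the combination of a code-hosting host, an image extension and a non-browser requester, which is the pattern the summary describes, so tune the allowlist to the software actually present in your environment before deploying it.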
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
Initial Access | T1566.002 | Phishing | Spearphishing Link |
Execution | T1059.010 | Command and Scripting Interpreter | AutoHotKey & AutoIT |
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
Defense Evasion | T1497.001 | Virtualization / Sandbox Evasion | System Checks |
Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
Command and Control | T1102.003 | Web Service | One-Way Communication |
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
Objective | Behavior ID | Behavior |
Anti-Behavioral Analysis | B0001 | Debugger Detection |
Anti-Static Analysis | B0032 | Executable Code Obfuscation |
Collection | E1056 | Input Capture |
Command and Control | B0030 | C2 Communication |
Defense Evasion | F0001 | Software Packing |
Execution | B0011 | Remote Commands |
Exfiltration | E1020 | Automated Exfiltration |
Lateral Movement | E1105 | Ingress Tool Transfer |
Persistence | F0012 | Registry Run Keys / Startup Folder |
Privilege Escalation | E1055 | Process Injection |
REFERENCES:
The following reports contain further technical details: