Banking Trojan Stays Active After Takedowns

Astaroth Trojan Uses GitHub to Evade Disruption

Cybersecurity researchers have discovered a new campaign delivering the Astaroth banking trojan, which remains operational even after infrastructure takedowns. The malware uses GitHub as a backup control channel to keep running when its main servers are blocked. Therefore, removing its infrastructure does not immediately stop the infection chain.

How the Campaign Starts

The attack begins with a phishing email that imitates a legitimate DocuSign message. The email includes a link to a zipped Windows shortcut (.lnk) file. When victims open the file, hidden JavaScript runs silently in the background. This script then downloads more malicious code from remote servers to continue the infection.
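The zipped shortcut described above is a good place for a mail gateway or sandbox to intervene. The following Python script is an added example, not code from the original article or from the researchers it cites; it builds a constructed sample archive in memory and then applies three defender-side checks to every archive member: a `.lnk` extension (including a double extension such as `.pdf.lnk`), the fixed ShellLinkHeader magic (header size 0x4C and the shell-link CLSID), and the presence of a script host or script extension inside the shortcut's UTF-16LE strings. File names, the command line, and the archive contents are all invented for the demonstration.

```python
import io
import struct
import zipfile

# Real ShellLinkHeader constants: HeaderSize is always 0x4C and the LinkCLSID is fixed.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Script hosts and script extensions that a document-like shortcut has no reason to reference.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".bat", ".cmd")
# Markers that Windows stores these strings as UTF-16LE inside a shortcut.


def build_sample_lnk(command: str) -> bytes:
    """Constructed .lnk-like blob: a valid header (magic + zero padding) followed by a UTF-16LE command.
    This is a stand-in for testing the scanner, not a real shortcut file."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + command.encode("utf-16-le")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with the ShellLinkHeader magic, regardless of file name."""
    return (
        len(data) >= LNK_HEADER_SIZE
        and data[:4] == struct.pack("<I", LNK_HEADER_SIZE)
        and data[4:20] == LNK_CLSID
    )


def suspicious_strings(data: bytes) -> list[str]:
    """Return every script host / script extension found in ASCII or UTF-16LE form."""
    lowered_ascii = data.lower()
    lowered_utf16 = data.decode("utf-16-le", errors="ignore").lower()
    hits = []
    for token in SCRIPT_HOSTS + SCRIPT_EXTS:
        if token.encode() in lowered_ascii or token in lowered_utf16:
            hits.append(token)
    return hits


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Inspect each member of a zip attachment and report why it looks like a shortcut lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk-extension")
                # "Agreement.pdf.lnk" has three dot-separated parts: a double extension.
                if len(lower.rsplit("/", 1)[-1].split(".")) > 2:
                    reasons.append("double-extension")
            data = zf.read(info)
            if is_lnk(data):  # catches renamed shortcuts too
                reasons.append("lnk-magic")
                hits = suspicious_strings(data)
                if hits:
                    reasons.append("script-host:" + ",".join(hits))
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: one shortcut that points at a script host plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "DocuSign_Agreement.pdf.lnk",
            build_sample_lnk("C:\\Windows\\System32\\wscript.exe //e:jscript C:\\Users\\Public\\update.js"),
        )
        zf.writestr("readme.txt", "Please review the attached agreement.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The magic check matters more than the extension check: a gateway that only looks at file names misses a shortcut that has been renamed, while the header bytes cannot be changed without breaking the shortcut. In production the same findings would feed a quarantine decision rather than a print statement.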

Inside the Attack Chain

The JavaScript loads an AutoIt script, which executes shellcode that decrypts a Delphi-based DLL. This DLL injects the Astaroth malware into a Windows process to hide its presence. As a result, the trojan embeds itself in the system and avoids easy detection. However, every step of this chain depends on users opening the initial phishing file.

What the Trojan Steals

Astaroth targets banking and cryptocurrency users. It checks the active browser window every second to detect visits to financial websites. When it detects one, it records keystrokes to steal login credentials and transaction data. The stolen data is then sent to the attackers through a reverse proxy connection. Therefore, even encrypted traffic may not prevent exfiltration.

GitHub as a Survival Tool

Instead of relying only on command-and-control servers, the trojan retrieves new configurations from GitHub repositories. Researchers found it hides settings inside image files using steganography. When one server is taken down, Astaroth simply pulls a new configuration from GitHub and continues running. This approach makes the malware highly resilient against takedowns.

Regional Focus and Behavior

The campaign mainly targets Brazil and several Latin American countries. However, the infection files are geo-fenced, so they stop executing if the system locale is English or U.S.-based. Moreover, the malware checks for analysis tools such as debuggers and network monitors. Therefore, it avoids running in virtual environments or research labs.

Ongoing Response

Researchers collaborated with the hosting provider to remove the malicious repositories. Yet, the operation was only temporarily neutralized. Because attackers can quickly create new repositories, the campaign may reappear with minimal effort. Consequently, experts urge organizations to strengthen internal defenses rather than relying solely on takedowns.

How to Prevent Similar Attacks

Organizations should implement advanced email filtering and employee phishing training. In addition, they must enforce strict attachment policies and system patching. Continuous endpoint monitoring and real-time behavioral analysis can detect abnormal scripts early. Security assessments, app hardening, and managed detection services also help block malware that abuses legitimate platforms like GitHub.
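The "continuous endpoint monitoring" recommended here, applied to the script-host-to-AutoIt chain described under "Inside the Attack Chain", can be expressed as a small rule over process-creation telemetry. The following Python is an added example and not code from the article or from any vendor it mentions; it parses constructed Sysmon-style process-creation records (invented sample lines with `ProcessGuid`, `ParentProcessGuid`, `Image` and `CommandLine` fields), rebuilds each process's ancestry, and alerts when an AutoIt interpreter is launched by a script host or runs from a user-writable directory. The process names, GUIDs and paths are all made up for the demonstration; a legitimately installed AutoIt run from `Program Files` is included to show the rule does not fire on it.

```python
import json

# Constructed Sysmon-style process-creation events (Event ID 1 fields), one JSON object
# per line. These are invented sample records, not telemetry from the campaign.
SAMPLE_LOG = r"""
{"ProcessGuid": "G1", "ParentProcessGuid": "", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessGuid": "G2", "ParentProcessGuid": "G1", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //e:jscript C:\\Users\\alice\\AppData\\Local\\Temp\\DocuSign_Agreement.js"}
{"ProcessGuid": "G3", "ParentProcessGuid": "G2", "Image": "C:\\Users\\Public\\Libraries\\AutoIt3.exe", "CommandLine": "AutoIt3.exe C:\\Users\\Public\\Libraries\\update.a3x"}
{"ProcessGuid": "G4", "ParentProcessGuid": "G1", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe"}
{"ProcessGuid": "G5", "ParentProcessGuid": "G1", "Image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "CommandLine": "AutoIt3.exe C:\\Scripts\\inventory.au3"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
AUTOIT_NAMES = {"autoit3.exe", "autoit3_x64.exe"}
# Directories any user can write to; a legitimate AutoIt install lives under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_events(text: str) -> list[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(event: dict, by_guid: dict, max_depth: int = 8) -> list[str]:
    """Process names from the oldest known ancestor down to this event (depth-limited)."""
    chain = []
    cur = event
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["Image"]))
        cur = by_guid.get(cur.get("ParentProcessGuid", ""))
    return list(reversed(chain))


def detect_autoit_chain(events: list[dict]) -> list[dict]:
    """Alert on AutoIt interpreters spawned by a script host or running from a user-writable path."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["Image"]) not in AUTOIT_NAMES:
            continue
        reasons = []
        parent = by_guid.get(e.get("ParentProcessGuid", ""))
        if parent is not None and basename(parent["Image"]) in SCRIPT_HOSTS:
            reasons.append("spawned-by-script-host")
        location = (e["Image"] + " " + e.get("CommandLine", "")).lower()
        if any(marker in location for marker in USER_WRITABLE):
            reasons.append("user-writable-path")
        if reasons:
            alerts.append({
                "guid": e["ProcessGuid"],
                "chain": " > ".join(ancestry(e, by_guid)),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_autoit_chain(parse_events(SAMPLE_LOG)):
        print(alert["guid"], alert["chain"], ", ".join(alert["reasons"]))
```

Reporting the full ancestry (`explorer.exe > wscript.exe > autoit3.exe`) rather than only the parent gives an analyst the whole lure-to-loader path in one line, and the user-writable-path check catches the same loader even if the attacker changes which script host launches it.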
