Astaroth: A banking Trojan that uses GitHub to avoid elimination

13.10.2025 2 minutes Author: Newsman

Cybersecurity researchers from McAfee have identified a new Astaroth banking trojan campaign that abuses GitHub infrastructure to manage malicious payloads, allowing the malware to remain active even after the command-and-control (C2) servers are blocked. Unlike classic trojans, Astaroth does not rely on its own C2 server. Once the operators lose access to their infrastructure, the trojan simply downloads new configurations from GitHub, ensuring the continuity of attacks.

The latest wave of infections was recorded in Brazil, but the activity has already spread across Latin American countries — Mexico, Argentina, Peru, and Colombia. The infection begins with a phishing email disguised as a DocuSign message, containing an archive with a Windows shortcut (LNK) file that launches malicious JavaScript, AutoIt, and Delphi components.

Astaroth activates when it detects browser activity, especially during logins to banking or cryptocurrency sites, records keystrokes, and transmits the data through an Ngrok tunnel.

  1. Targets domains like *caixa.gov.br, itau.com.br, santander.com.br, binance.com, metamask.io, localbitcoins.com*, and others.

  2. Skips execution when Wireshark, IDA Pro, or debugger tools are detected, and stores stolen data in Windows autoload memory.

  3. Uses GitHub not for code storage, but as a hosting and staging environment for encrypted configurations, which makes detection more difficult.

  4. Astaroth is a well-known banking trojan written in Delphi, active since 2018. Its operators have repeatedly demonstrated adaptability, and the latest version shows a shift to cloud and public infrastructure.


In 2024, Google and Trend Micro warned about similar groups like PINEAPPLE and Water Makara, which experimented with cloud-based malware delivery. Now, McAfee Labs confirms that GitHub has effectively become a “reserve network” for Astaroth’s configuration data. Despite periodic repository takedowns, attackers can quickly recreate them. Using GitHub as a control channel for malware represents a new level of evolution in banking trojans — it lets threat actors blend in with legitimate domains and minimize detection risks. The Astaroth case demonstrates how even trusted developer platforms can be turned into cyberattack tools when proper content-control mechanisms are absent.
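The infection chain described above (LNK-launched script host, configuration fetched from GitHub by a non-developer process, exfiltration over an Ngrok tunnel) can be correlated on the endpoint side. The following is an added defender-side example, not code from McAfee's report or this article; the log format, hostnames, and process names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article). Each line is
# "host|process|event|detail": "proc" events carry the child command line,
# "net" events carry the destination hostname.
SAMPLE_LOG = """\
WS-01|explorer.exe|proc|wscript.exe C:\\Users\\ana\\Downloads\\Documento.lnk
WS-01|autoit3.exe|net|raw.githubusercontent.com
WS-01|svchost.exe|net|update.microsoft.com
WS-01|autoit3.exe|net|a1b2.ngrok.io
WS-02|chrome.exe|net|github.com
WS-02|code.exe|net|raw.githubusercontent.com
"""

# Stages drawn from the chain the article describes. The specific
# hostname patterns and process names are assumptions, not article IoCs.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "autoit3.exe"}
DEV_PROCESSES = {"code.exe", "git.exe", "chrome.exe", "firefox.exe"}
GITHUB_RE = re.compile(r"(^|\.)(raw\.githubusercontent\.com|github\.com)$")
NGROK_RE = re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$")


def score_hosts(log_text):
    """Return {host: [reasons]} for hosts showing at least two chain stages.

    Requiring two stages keeps a lone developer fetch from GitHub, or a
    single browser visit, from raising an alert on its own.
    """
    stages = defaultdict(dict)
    for line in log_text.splitlines():
        host, proc, event, detail = line.split("|", 3)
        proc, d = proc.lower(), detail.lower()
        child = d.split()[0]
        if event == "proc" and child in SCRIPT_HOSTS and ".lnk" in d:
            stages[host]["lnk_script"] = f"{proc} launched {child} on a .lnk"
        elif event == "net" and GITHUB_RE.search(d) and proc not in DEV_PROCESSES:
            stages[host]["github_config"] = f"{proc} fetched from {d}"
        elif event == "net" and NGROK_RE.search(d):
            stages[host]["ngrok_tunnel"] = f"{proc} connected to {d}"
    return {h: list(s.values()) for h, s in stages.items() if len(s) >= 2}


if __name__ == "__main__":
    for host, reasons in score_hosts(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Only WS-01 is reported, because WS-02's GitHub traffic comes from a browser and an editor, which the allow-list treats as expected developer activity.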
