Banking Trojan Abusing GitHub for Resilience
The Astaroth banking trojan campaign uses phishing emails with zipped Windows shortcut files to infect victims. It abuses GitHub repositories to host malware configurations, enabling resilience when command and control servers are unreachable. The malware targets banking and cryptocurrency websites, stealing credentials via keylogging and exfiltrating data through Ngrok reverse proxy. Primarily focused on South American countries, especially Brazil, it employs anti-analysis techniques and updates configurations dynamically. Although no direct European targeting is reported, the abuse of GitHub and common banking targets pose risks to European organizations. Mitigation requires enhanced phishing defenses, monitoring for unusual GitHub activity, and network controls against Ngrok traffic. The threat is assessed as medium severity due to targeted credential theft, moderate ease of exploitation via phishing, and limited geographic focus.
AI Analysis
Technical Summary
The Astaroth banking trojan campaign represents a sophisticated malware operation that leverages phishing emails containing zipped Windows shortcut files to initiate infection. Upon execution, the malware installs itself on the victim's Windows system and monitors user activity, specifically detecting access to banking and cryptocurrency websites. It employs keylogging techniques to capture sensitive credentials and exfiltrates this data using Ngrok, a reverse proxy service that can bypass traditional network defenses. A notable innovation in this campaign is the abuse of GitHub repositories to host malware configuration files. This tactic enhances the malware's resilience by allowing it to update its operational parameters dynamically when its primary command and control (C2) servers are unavailable. The campaign uses multiple anti-analysis and evasion techniques, including process injection, obfuscation, and persistence mechanisms, to avoid detection and maintain long-term access. Although the primary targets are in South America, particularly Brazil, the use of globally accessible platforms like GitHub and Ngrok means the malware could potentially affect users worldwide if the infection vector spreads. The campaign's reliance on phishing emails underscores the importance of user awareness and email security controls. The GitHub repositories used for hosting malicious configurations have been reported and removed, but the threat actor may continue to find similar platforms for resilience. This campaign highlights the evolving tactics of banking trojans in leveraging legitimate cloud services to evade detection and maintain persistence.
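The delivery chain above starts with a zipped Windows shortcut file. As an added example (not code from the report or from AlienVault), the following Python script shows how a mail-gateway or sandbox pre-filter can inspect an attachment archive for shortcut payloads by content (the ShellLink header), not only by file name, and recurse into nested archives. The archive, its member names and the header-only shortcut are constructed in memory and are placeholders, not samples from the campaign.

```python
"""Inspect an e-mail attachment archive for Windows shortcut (.lnk) payloads.

Added example for the zipped-shortcut delivery described above; not code from
the original report. The archive is constructed in memory with the standard
zipfile module so the script runs offline.
"""
import io
import zipfile

# A Windows shortcut begins with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")

SUSPICIOUS_EXTENSIONS = {".lnk", ".js", ".vbs", ".hta", ".cmd", ".bat", ".ps1", ".scr"}


def scan_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return one finding per member that looks like an executable lure.

    Detection is content-based (LNK header magic) as well as name-based, so a
    shortcut renamed to invoice.pdf.lnk or to .txt is still caught; nested zip
    members are recursed into up to max_depth levels.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            # Read only a bounded prefix first; attachments can be large or zip bombs.
            with zf.open(info) as fh:
                head = fh.read(64)
            if head[:4] == b"PK\x03\x04" and depth < max_depth:
                with zf.open(info) as fh:
                    inner = fh.read(10 * 1024 * 1024)  # cap nested archive size
                for f in scan_archive(inner, depth + 1, max_depth):
                    f["member"] = f"{name}!{f['member']}"
                    findings.append(f)
                continue
            reasons = []
            if head.startswith(LNK_MAGIC):
                reasons.append("lnk-header")
            if ext in SUSPICIOUS_EXTENSIONS:
                reasons.append(f"extension:{ext}")
            if name.count(".") > 1 and ext in SUSPICIOUS_EXTENSIONS:
                reasons.append("double-extension")
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a zip holding a fake invoice shortcut, a benign text
    file and a nested zip with a second shortcut. Names are placeholders."""
    fake_lnk = LNK_MAGIC + b"\x00" * 100  # header only; no real shortcut body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fatura_2025.pdf.lnk", fake_lnk)
        zf.writestr("leia-me.txt", b"hello")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("comprovante.lnk", fake_lnk)
        zf.writestr("anexo.zip", inner.getvalue())
    return buf.getvalue()


def should_quarantine(data: bytes) -> bool:
    """Policy hook for a gateway: any finding means hold the message for review."""
    return bool(scan_archive(data))


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f["member"], ",".join(f["reasons"]))
```

The content check matters more than the extension check: the ShellLink header is what Explorer keys on, so a shortcut with a misleading name still executes as a shortcut, and a filter that only looks at extensions misses it.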
Potential Impact
For European organizations, the direct impact of this Astaroth campaign is currently limited due to its primary focus on South American targets. However, the abuse of globally accessible platforms like GitHub and Ngrok introduces a risk of collateral infection or future targeting in Europe. Credential theft from banking and cryptocurrency websites can lead to financial fraud, unauthorized transactions, and identity theft. The use of phishing as an infection vector means that any European entity with employees susceptible to phishing could be at risk. Additionally, the malware's ability to update configurations dynamically via GitHub complicates detection and remediation efforts, potentially allowing prolonged unauthorized access. The presence of anti-analysis techniques may hinder forensic investigations and delay incident response. European financial institutions and cryptocurrency-related businesses could be attractive targets if the campaign expands geographically. Furthermore, the use of legitimate services for command and control and configuration updates challenges traditional network security controls, requiring more advanced monitoring and threat hunting capabilities.
Mitigation Recommendations
1. Implement advanced email filtering and phishing detection solutions that can identify and block malicious zipped shortcut files and suspicious links.
2. Conduct regular user awareness training focused on phishing recognition and safe handling of email attachments and links.
3. Monitor network traffic for unusual connections to Ngrok domains or IP addresses, and consider blocking or restricting Ngrok traffic where not required.
4. Employ endpoint detection and response (EDR) solutions capable of detecting keylogging, process injection, and persistence behaviors associated with Astaroth.
5. Monitor GitHub and other cloud repository access logs for unusual or unauthorized activity, and establish alerting for suspicious repository changes or downloads.
6. Use application whitelisting to prevent execution of unauthorized shortcut files and scripts.
7. Maintain up-to-date threat intelligence feeds to quickly identify and respond to emerging Astaroth indicators.
8. Conduct regular security assessments and penetration testing to evaluate phishing resilience and endpoint security posture.
9. Establish incident response playbooks specifically addressing credential theft and malware leveraging cloud services for C2.
10. Collaborate with cloud service providers to report and remove malicious repositories promptly.
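Recommendations 3 and 7 come down to matching outbound traffic against the indicators published on this page. The following Python script, added here as an example and not part of the original report, runs that matching over a few constructed proxy log lines. The log line format, the internal source addresses and the extra host 3.tcp.eu.ngrok.io (which is not an indicator on this page) are assumptions; the IP, URL and domain values are those listed under Indicators of Compromise. The ngrok host pattern is generalised from the listed URLs (N.tcp[.region].ngrok.io), since the campaign rotates tunnel ports.

```python
"""Match proxy log lines against the Astaroth indicators listed on this page.

Added example, not part of the original report. The log line format, the
internal source addresses and the host 3.tcp.eu.ngrok.io are constructed;
the indicator values are the ones published on this page.
"""
import re
from urllib.parse import urlsplit

IOC_IPS = {"91.220.167.72"}

IOC_DOMAINS = {
    "blojannindor0.trovaodoceara.motorcycles",
    "brusar.trovaodoceara.autos",
    "clafenval.medicarium.help",
    "frecil.medicinatramp.beauty",
    "gluminal188.trovaodoceara.sbs",
    "gramgunvel.medicoassocidos.beauty",
    "scrivinlinfer.medicinatramp.icu",
    "sprudiz.medicinatramp.click",
    "stroal.medicoassocidos.beauty",
    "strosonvaz.medicoassocidos.help",
    "trisinsil.medicesterium.help",
}

IOC_URLS = {
    "http://1.tcp.sa.ngrok.io:20262",
    "http://1.tcp.us-cal-1.ngrok.io:24521",
    "http://5.tcp.ngrok.io:22934",
    "http://7.tcp.ngrok.io:22426",
    "http://9.tcp.ngrok.io:23955",
    "http://9.tcp.ngrok.io:24080",
    "https://91.220.167.72",
}

# Generalised from the listed URLs: ngrok TCP tunnels look like N.tcp[.region].ngrok.io
# and the campaign rotates ports, so the host shape is matched, not exact values.
NGROK_TCP_HOST = re.compile(r"^\d+\.tcp(?:\.[a-z0-9-]+)*\.ngrok\.io$")

# Constructed log format (assumption): "<timestamp> <source-ip> <method> <target>",
# where CONNECT targets are host:port and other methods carry the full URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)$")

SAMPLE_LOG = [  # constructed lines
    "2025-10-14T09:21:37Z 10.0.0.15 CONNECT 1.tcp.sa.ngrok.io:20262",
    "2025-10-14T09:22:01Z 10.0.0.15 GET http://frecil.medicinatramp.beauty/index.php",
    "2025-10-14T09:22:30Z 10.0.0.22 GET https://www.example.com/",
    "2025-10-14T09:23:05Z 10.0.0.15 CONNECT 3.tcp.eu.ngrok.io:15555",
    "2025-10-14T09:23:44Z 10.0.0.31 GET https://91.220.167.72/",
]


def extract_host(method: str, target: str) -> str:
    """CONNECT carries host:port; other methods carry a URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    host = urlsplit(target).hostname
    return host.lower() if host else ""


def classify(line: str):
    """Return a hit record for an indicator match, or None for clean or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, target = m["method"], m["target"]
    host = extract_host(method, target)
    tags = []
    # CONNECT host:port is normalised to the http://host:port form used in the
    # indicator list; a trailing slash on a GET URL is ignored.
    url_form = f"http://{target}" if method == "CONNECT" else target.rstrip("/")
    if url_form in IOC_URLS:
        tags.append("ioc-url")
    if host in IOC_IPS:
        tags.append("ioc-ip")
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        tags.append("ioc-domain")
    if NGROK_TCP_HOST.match(host):
        tags.append("ngrok-tcp-tunnel")
    if not tags:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": host, "tags": tags}


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


def hosts_to_investigate(hits):
    """Internal sources that touched any indicator or any ngrok TCP tunnel."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["host"], ",".join(hit["tags"]))
    print("investigate:", hosts_to_investigate(scan(SAMPLE_LOG)))
```

The generic ngrok-tunnel tag is deliberately separate from the exact-indicator tags: an exact match is a confirmed indicator, while the tunnel tag is a lower-confidence signal that needs the context of recommendation 3 (is ngrok legitimately in use on that host?) before it becomes an alert.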
Affected Countries
Brazil, Argentina, Chile, Colombia, Peru
Indicators of Compromise
- ip: 91.220.167.72
- hash: 38fee4993fa4f00f2ce27cffa71aa7d6
- hash: 6b11d98a41fb1f95cbd99ccf559872f1
- hash: 6b50695795ada6c00aead68d9090c739
- hash: 888cc4983edd91898d01386a2f005e32
- hash: adef0c759c5a0e30b9e2220a99e3c758
- hash: b0b468de402742d53ea32b0746a8d3c1
- hash: ce858f22ec27b7a85b474ee2058c3df9
- hash: e1499b1f5bb840066cb16e6e91265570
- hash: 5ad81f7ab998c8574a925853d9be5a55fe89d86e
- hash: 5fcce6c94043f57c0a396ffdce4f316f5e1b67cf
- hash: 88805130eb20b976b4838c33983c953d3ac9bc09
- hash: 9528ecb699c86cff21ef20330f8f9318b99c4715
- hash: bd730172327741bdb04170a56d819a8094548d98
- hash: c4efac1602cb8ff376b2aad51fc6067d30e84336
- hash: dd6ac13e0847d558d515b3578fe9432c850fccda
- hash: f330eda2b6cad9d76d2d73fdff5ec8aa53a160a6
- hash: 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43
- hash: 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945
- hash: 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195
- hash: 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c
- hash: 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df
- hash: 7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70
- hash: 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be
- hash: a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b
- hash: db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34
- url: http://1.tcp.sa.ngrok.io:20262
- url: http://1.tcp.us-cal-1.ngrok.io:24521
- url: http://5.tcp.ngrok.io:22934
- url: http://7.tcp.ngrok.io:22426
- url: http://9.tcp.ngrok.io:23955
- url: http://9.tcp.ngrok.io:24080
- url: https://91.220.167.72
- domain: blojannindor0.trovaodoceara.motorcycles
- domain: brusar.trovaodoceara.autos
- domain: clafenval.medicarium.help
- domain: frecil.medicinatramp.beauty
- domain: gluminal188.trovaodoceara.sbs
- domain: gramgunvel.medicoassocidos.beauty
- domain: scrivinlinfer.medicinatramp.icu
- domain: sprudiz.medicinatramp.click
- domain: stroal.medicoassocidos.beauty
- domain: strosonvaz.medicoassocidos.help
- domain: trisinsil.medicesterium.help
Technical Details
- Author: AlienVault
- TLP: white
- References: []
- Adversary: Astaroth
- Pulse Id: 68ee1391e202d5db1c015e71
- Threat Score: null
Threat ID: 68ee16217eab8b438c022a49
Added to database: 10/14/2025, 9:21:37 AM
Last enriched: 10/14/2025, 9:49:38 AM
Last updated: 10/15/2025, 5:05:42 AM