Banking Trojan Abusing GitHub for Resilience
A new Astaroth banking trojan campaign has been discovered abusing GitHub to host malware configurations. The infection begins with a phishing email containing a link to download a zipped Windows shortcut file, which installs the Astaroth malware. The trojan detects when users access banking or cryptocurrency websites and steals credentials through keylogging. It sends stolen information to attackers through an Ngrok reverse proxy and uses GitHub to update its configuration when its command and control servers become inaccessible. The malware primarily targets South American countries, with a focus on Brazil. Astaroth employs various anti-analysis techniques and targets specific banking and cryptocurrency-related sites. The GitHub repositories hosting the malicious configurations have been reported and taken down.
AI Analysis
Technical Summary
The Astaroth banking trojan campaign represents a sophisticated malware operation that leverages phishing emails containing zipped Windows shortcut files to initiate infection. Upon execution, the malware installs itself on the victim's Windows system and monitors user activity, specifically detecting access to banking and cryptocurrency websites. It employs keylogging techniques to capture sensitive credentials and exfiltrates this data using Ngrok, a reverse proxy service that can bypass traditional network defenses. A notable innovation in this campaign is the abuse of GitHub repositories to host malware configuration files. This tactic enhances the malware's resilience by allowing it to update its operational parameters dynamically when its primary command and control (C2) servers are unavailable. The campaign uses multiple anti-analysis and evasion techniques, including process injection, obfuscation, and persistence mechanisms, to avoid detection and maintain long-term access. Although the primary targets are in South America, particularly Brazil, the use of globally accessible platforms like GitHub and Ngrok means the malware could potentially affect users worldwide if the infection vector spreads. The campaign's reliance on phishing emails underscores the importance of user awareness and email security controls. The GitHub repositories used for hosting malicious configurations have been reported and removed, but the threat actor may continue to find similar platforms for resilience. This campaign highlights the evolving tactics of banking trojans in leveraging legitimate cloud services to evade detection and maintain persistence.
Potential Impact
For European organizations, the direct impact of this Astaroth campaign is currently limited due to its primary focus on South American targets. However, the abuse of globally accessible platforms like GitHub and Ngrok introduces a risk of collateral infection or future targeting in Europe. Credential theft from banking and cryptocurrency websites can lead to financial fraud, unauthorized transactions, and identity theft. The use of phishing as an infection vector means that any European entity with employees susceptible to phishing could be at risk. Additionally, the malware's ability to update configurations dynamically via GitHub complicates detection and remediation efforts, potentially allowing prolonged unauthorized access. The presence of anti-analysis techniques may hinder forensic investigations and delay incident response. European financial institutions and cryptocurrency-related businesses could be attractive targets if the campaign expands geographically. Furthermore, the use of legitimate services for command and control and configuration updates challenges traditional network security controls, requiring more advanced monitoring and threat hunting capabilities.
Mitigation Recommendations
1. Implement advanced email filtering and phishing detection solutions that can identify and block malicious zipped shortcut files and suspicious links.
2. Conduct regular user awareness training focused on phishing recognition and safe handling of email attachments and links.
3. Monitor network traffic for unusual connections to Ngrok domains or IP addresses, and consider blocking or restricting Ngrok traffic where not required.
4. Employ endpoint detection and response (EDR) solutions capable of detecting keylogging, process injection, and persistence behaviors associated with Astaroth.
5. Monitor GitHub and other cloud repository access logs for unusual or unauthorized activity, and establish alerting for suspicious repository changes or downloads.
6. Use application whitelisting to prevent execution of unauthorized shortcut files and scripts.
7. Maintain up-to-date threat intelligence feeds to quickly identify and respond to emerging Astaroth indicators.
8. Conduct regular security assessments and penetration testing to evaluate phishing resilience and endpoint security posture.
9. Establish incident response playbooks specifically addressing credential theft and malware leveraging cloud services for C2.
10. Collaborate with cloud service providers to report and remove malicious repositories promptly.
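Detection logic for recommendations 1 and 3, as an added example that is not part of the advisory or its source: it scans proxy, DNS and sandbox log lines for Ngrok TCP tunnel endpoints shaped like this campaign's IoCs (`<n>.tcp[.<region>].ngrok.io[:<port>]`) and for ZIP archives whose members include a Windows shortcut. The log field names and all sample lines are constructed assumptions.

```python
import re
from typing import List, NamedTuple

# Ngrok TCP tunnel endpoints as listed in this advisory's IoCs, e.g.
# 5.tcp.ngrok.io:22934 or 1.tcp.sa.ngrok.io:20262. Requiring the leading
# "<n>.tcp" keeps ordinary ngrok web hosts (no tunnel) out of the match.
NGROK_TCP = re.compile(
    r"\b\d+\.tcp(?:\.[a-z0-9-]+)*\.ngrok\.io(?::\d{1,5})?\b", re.I
)

# Assumed sandbox/gateway log format: a ZIP file and the member names it
# contains. A .lnk member matches the zipped-shortcut lure described above.
ZIP_LNK = re.compile(r"file=(\S+\.zip)\s+members=(\S*\.lnk\b\S*)", re.I)


class Hit(NamedTuple):
    line_no: int   # 1-based index into the scanned log
    rule: str      # which detection fired
    value: str     # the matched indicator or file name


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per Ngrok tunnel endpoint or ZIP-with-.lnk seen."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in NGROK_TCP.finditer(line):
            hits.append(Hit(n, "ngrok-tcp-tunnel", m.group(0)))
        m = ZIP_LNK.search(line)
        if m:
            hits.append(Hit(n, "zip-with-lnk", m.group(1)))
    return hits


# Constructed sample log lines (internal hosts and file names are made up).
SAMPLE_LOG = [
    "2025-10-14T09:21:37Z proxy src=10.0.5.23 dst=5.tcp.ngrok.io:22934 action=allow",
    "2025-10-14T09:22:01Z proxy src=10.0.5.23 dst=updates.example.test:443 action=allow",
    "2025-10-14T09:22:40Z dns client=10.0.5.23 query=1.tcp.sa.ngrok.io type=A",
    "2025-10-14T09:20:12Z sandbox file=fatura.zip members=fatura.lnk verdict=pending",
    "2025-10-14T09:20:50Z sandbox file=report.zip members=report.pdf verdict=clean",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule} -> {hit.value}")
```

Hosts that fire the `ngrok-tcp-tunnel` rule are candidates for the blocking or restriction in recommendation 3, and `zip-with-lnk` hits point at the lure from recommendation 1.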
Affected Countries
Brazil, Argentina, Chile, Colombia, Peru
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: none listed
- Adversary: Astaroth
- Pulse Id: 68ee1391e202d5db1c015e71
- Threat Score: null
Threat ID: 68ee16217eab8b438c022a49
Added to database: 10/14/2025, 9:21:37 AM
Last enriched: 10/14/2025, 9:49:38 AM
Last updated: 12/4/2025, 12:58:14 AM