Introduction
Cybersecurity researchers at McAfee have uncovered a banking Trojan that uses GitHub repositories to recover its command-and-control channel whenever its command servers are taken down. The Astaroth malware targets users in Latin America, stealing banking and cryptocurrency credentials through keylogging that is triggered only on selected financial websites. It is a further step in how cybercriminals abuse legitimate development platforms for malicious purposes.
Key Points
- The malware uses GitHub not to host malicious code, but to host an updatable configuration that points infected machines to new command servers when the existing ones are taken down
- Astaroth is geographically targeted, primarily infecting systems in Latin American countries while deliberately avoiding the United States and other English-speaking regions
- The Trojan employs detection avoidance, shutting the host system down if it detects analysis tools and only activating its keylogger when the browser visits specific banking and cryptocurrency websites
The GitHub Connection: A New Twist on Malware Persistence
What makes the Astaroth Trojan particularly resilient is its innovative use of GitHub repositories, though not in the way security researchers typically encounter. According to Abhishek Karnik, Director for Threat Research and Response at McAfee, “GitHub is not used to host the malware itself, but just to host a configuration that points to the bot server.” This approach allows the malware operators to quickly redirect victims to updated servers whenever cybersecurity firms or law enforcement agencies take down existing command-and-control infrastructure.
This method distinguishes Astaroth from previous GitHub-abusing campaigns such as the 2024 Redline Stealer incident and this year’s GitVenom campaign, in which malicious code was placed directly in repositories. Karnik emphasized that “in this case, it’s not malware that is being hosted but a configuration that manages how the malware communicates with its backend infrastructure.” The practical consequence is that taking down a command server alone no longer disrupts the botnet: as long as the repository stays online, the operators can commit a new server address and every infected machine that next polls the configuration follows it. Disruption therefore has to include reporting and removing the repository itself, and monitoring for any replacement.
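The following model, added here as an illustration and not code from McAfee or from the Astaroth operators, shows the resolver logic behind that resilience: the bot first tries its cached command servers and, only when all of them are dead (a takedown), fetches a fresh configuration from the public repository and retries with the hosts named there. Network access is replaced by injected callables so it runs offline, and the JSON layout of the configuration, the host names and the takedown scenario are all assumptions, not Astaroth's real format or indicators.

```python
"""Dead-drop resolver model (added example; config format is hypothetical)."""
import json
from typing import Callable, Iterable


class C2Unreachable(Exception):
    """Raised when no server answers even after the config was refreshed."""


def parse_config(raw: str) -> list[str]:
    """Extract the ordered server list from an assumed JSON config blob."""
    doc = json.loads(raw)
    servers = doc.get("servers", [])
    if not isinstance(servers, list) or not all(isinstance(s, str) for s in servers):
        raise ValueError("malformed config")
    return servers


def resolve_c2(cached: Iterable[str],
               is_alive: Callable[[str], bool],
               fetch_config: Callable[[], str]) -> tuple[str, bool]:
    """Return (host, refreshed).

    host      -- first command server that answered
    refreshed -- True if the cached list was exhausted and the dead-drop
                 configuration had to be fetched to find a live server
    """
    for host in cached:
        if is_alive(host):
            return host, False
    # Every cached server is down: consult the public repository and retry.
    for host in parse_config(fetch_config()):
        if is_alive(host):
            return host, True
    raise C2Unreachable("no server answered, even after refreshing the config")


# Constructed scenario (not real indicators): the two servers the bot knew
# about have been sinkholed, and the operators committed a new config that
# names a third server.
LIVE_HOSTS = {"c2-three.example"}
CACHED_SERVERS = ["c2-one.example", "c2-two.example"]
REPO_CONFIG = json.dumps({"version": 2,
                          "servers": ["c2-two.example", "c2-three.example"]})


def demo() -> tuple[str, bool]:
    """Run the constructed takedown scenario."""
    return resolve_c2(CACHED_SERVERS,
                      lambda host: host in LIVE_HOSTS,
                      lambda: REPO_CONFIG)


if __name__ == "__main__":
    print(demo())  # ('c2-three.example', True)
```

The point for defenders is in the second loop: once the cached servers are gone, the repository, not the command server, is the single place the bot depends on, so that is where takedown effort and monitoring belong.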
Geographic Targeting and Sophisticated Evasion Techniques
The Astaroth campaign is geographically targeted, focusing on Latin American countries including Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela and Panama. While it can also target Portugal and Italy, the malware is specifically programmed not to infect systems in the United States and other English-speaking countries such as England. This selectivity suggests deliberately chosen operational parameters aimed at the victims and banks the operators know, while keeping the campaign out of regions where it would gain nothing and attract more scrutiny.
The Trojan also employs detection avoidance, including shutting down the host system if it detects that analysis tools are running. This anti-analysis behaviour makes it harder for researchers to observe the malware and develop countermeasures. Its keylogging functions are activated only when the web browser visits specific banking or cryptocurrency websites, so the machine shows little unusual behaviour the rest of the time and users are unlikely to notice anything.
Banking and Cryptocurrency Targets
Astaroth’s primary objective is credential theft, with specific targeting of major Brazilian banking institutions including caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br and btgpactual.com. The malware’s focus on Brazilian financial institutions aligns with its geographic targeting strategy and suggests the operators have detailed knowledge of the regional banking landscape.
Equally concerning is the Trojan’s targeting of cryptocurrency platforms, including etherscan.io, binance.com, bitcointrade.com.br, metamask.io, foxbit.com.br and localbitcoins.com. This dual targeting of both traditional banking credentials and cryptocurrency wallet access demonstrates the evolving sophistication of financial malware. The inclusion of platforms supporting major cryptocurrencies like BTC and ETH, along with exchange tokens such as BNB, indicates the attackers are following the money wherever it flows in the digital economy.
While McAfee researchers don’t have specific data about how much money or cryptocurrency Astaroth has stolen, Karnik noted that “it appears to be very prevalent, especially in Brazil.” The malware steals credentials and exfiltrates them over Ngrok, a legitimate tunnelling service that gives the operators a reverse proxy to an endpoint they control, which is a significant threat to both individual users and financial institutions in the targeted regions. Because both sides of the operation ride on legitimate services (GitHub for configuration, Ngrok for exfiltration), the network traffic blends in with ordinary developer activity, and defenders need to look at which processes are talking to those services rather than simply at the destinations.
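Here is one way to hunt for the two network behaviours described in this write-up, added as an example rather than code from McAfee or from the article: per host, a process that is not a known developer tool or browser fetches a raw file from GitHub, and within a short window the same host opens a connection to an Ngrok tunnel domain. The log line format, the process allow-list, the ten-minute window, the Ngrok hostname patterns and the sample log lines are all constructed for the example; the process names in the sample (wscript.exe, regsvr32.exe) are placeholders, not something the write-up attributes to Astaroth.

```python
"""Hunting rule over constructed endpoint network logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Processes for which a GitHub raw fetch is expected (constructed allow-list).
DEV_TOOLS = {"git.exe", "code.exe", "python.exe",
             "chrome.exe", "msedge.exe", "firefox.exe"}
GITHUB_RAW = re.compile(r"^(raw|gist)\.githubusercontent\.com$")
# Ngrok tunnel hostnames; assumed patterns, extend to match your environment.
NGROK = re.compile(r"(^|\.)ngrok(-free)?\.(io|app)$")
WINDOW = timedelta(minutes=10)

# Constructed log format: "<iso-timestamp> host=<h> proc=<p> dst=<hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "proc": m["proc"], "dst": m["dst"].lower()}


def find_suspects(lines) -> dict:
    """Return {host: (process, ngrok_destination)} for hosts where a non-dev
    process fetched from GitHub raw and an Ngrok tunnel was contacted within
    WINDOW afterwards. Lines are assumed to be in time order."""
    fetches = defaultdict(list)   # host -> [(timestamp, process)]
    hits = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if GITHUB_RAW.match(ev["dst"]) and ev["proc"].lower() not in DEV_TOOLS:
            fetches[ev["host"]].append((ev["ts"], ev["proc"]))
        elif NGROK.search(ev["dst"]):
            for fetch_ts, proc in fetches[ev["host"]]:
                if timedelta(0) <= ev["ts"] - fetch_ts <= WINDOW:
                    hits[ev["host"]] = (proc, ev["dst"])
                    break
    return hits


# Constructed sample: ws-017 is a developer pulling from GitHub, ws-042 shows
# the suspicious sequence, ws-088 contacts Ngrok but outside the window.
SAMPLE_LOG = """\
2025-10-14T09:00:01 host=ws-017 proc=git.exe dst=raw.githubusercontent.com
2025-10-14T09:02:10 host=ws-017 proc=chrome.exe dst=itau.com.br
2025-10-14T09:05:30 host=ws-042 proc=wscript.exe dst=raw.githubusercontent.com
2025-10-14T09:06:02 host=ws-042 proc=wscript.exe dst=0a1b2c3d.ngrok-free.app
2025-10-14T09:30:00 host=ws-088 proc=regsvr32.exe dst=raw.githubusercontent.com
2025-10-14T09:55:00 host=ws-088 proc=regsvr32.exe dst=1234abcd.ngrok.io
""".splitlines()


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))  # {'ws-042': ('wscript.exe', '0a1b2c3d.ngrok-free.app')}
```

Two caveats when adapting this: an allow-list of browsers is a blind spot if the malware runs inside a browser process, so pair it with process-lineage data where you have it, and the Ngrok patterns should be checked against the tunnel domains Ngrok currently uses, since they change over time.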
Protection and Prevention Strategies
In response to the Astaroth threat, McAfee recommends several key protective measures. Users should avoid opening attachments or links from unknown senders, particularly Windows .lnk files delivered via phishing emails. Maintaining up-to-date antivirus software is crucial, as security vendors continuously update their detection capabilities to identify new threats like Astaroth.
Perhaps most importantly, enabling two-factor authentication on banking and cryptocurrency accounts adds a layer of protection even if a password is captured; as a general point, a one-time code typed into a page the keylogger is watching can be captured as well, so app- or hardware-based factors are preferable to codes entered by hand. The evolving nature of threats like Astaroth, which abuse legitimate platforms like GitHub while employing geographic and behavioural targeting, underscores the need for security practices that extend beyond traditional antivirus protection.
📎 Related coverage from: decrypt.co
