Astaroth Banking Trojan Uses GitHub for Resilient Operations

Cyber Security News by CyberSum.net

Published on October 13, 2025 at 12:00 PM

4 sources

Cybersecurity researchers have uncovered a new Astaroth banking trojan campaign that leverages GitHub repositories to host malware configurations. This tactic ensures the malware remains operational even if traditional command-and-control (C2) servers are taken down. The attack begins with phishing emails containing links to download zipped Windows shortcut files, which install the malware. Astaroth monitors for banking and cryptocurrency-related browser windows, using keylogging to steal credentials. The malware employs steganography to hide configuration data within images on GitHub, making it difficult to eliminate. McAfee worked with GitHub to remove the malicious repositories, but the ease of creating new ones suggests an ongoing challenge.

Also Read

Spear-Phishing Campaign Targets Automobile and E-commerce Industries

Researchers at SEQRITE Labs have uncovered a targeted spear-phishing campaign aimed at organizations in the automobile and e-commerce industries. The operation, active since early October 2025, deploys a previously undocumented .NET-based backdoor dubbed CAPI, designed for credential theft, system reconnaissance, and persistent access. The attack chain uses tax-related decoy documents to lure employees and executes the payload through rundll32.exe, a legitimate Windows binary, to evade detection. The infection begins with a malicious ZIP archive named Payroll Recalculation as of October 1, 2025. Inside the ZIP, analysts found both LNK and PDF files, a common spear-phishing tactic to disguise executable payloads as legitimate business documents.

By Cyber Security News by CyberSum.netOctober 20, 2025 at 06:00 AM