Intel Name: Astaroth: banking trojan abusing GitHub for resilience
Date of Scan: October 13, 2025
Impact: Medium
Summary: Astaroth is a stealthy banking trojan that has evolved to become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it uses GitHub repositories to host malware configurations, allowing it to stay active even when C2 infrastructure is taken down. The infection typically starts with a phishing email containing a zipped Windows shortcut (.lnk) file. Once executed, the malware installs Astaroth, which monitors for banking or cryptocurrency activity and steals credentials through keylogging. It exfiltrates data using the Ngrok reverse proxy. To update its configuration, Astaroth retrieves images from GitHub repositories and uses steganography to hide malicious data within them. The abused GitHub repositories have since been taken down.