{"id":222662,"date":"2025-10-10T17:00:24","date_gmt":"2025-10-11T00:00:24","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=222662"},"modified":"2025-10-10T17:50:55","modified_gmt":"2025-10-11T00:50:55","slug":"astaroth-banking-trojan-abusing-github-for-resilience","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/","title":{"rendered":"Astaroth: Banking Trojan Abusing GitHub for Resilience"},"content":{"rendered":"

by Harshil Patel and Prabudh Chakravorty<\/em><\/p>\n

*EDITOR’S NOTE:<\/strong> Special thank you to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.<\/span><\/p>\n

Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.<\/p>\n

McAfee\u2019s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.<\/p>\n

Key Findings<\/span>\u00a0<\/span><\/h2>\n
    \n
  • McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations.<\/span>\u00a0<\/span><\/li>\n
  • Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system.<\/span>\u00a0<\/span><\/li>\n
  • Astaroth detects when users access a banking\/cryptocurrency website and steals the credentials using keylogging. <\/span>\u00a0<\/span><\/li>\n
  • It sends the stolen information to the attacker using the Ngrok reverse proxy.<\/span>\u00a0<\/span><\/li>\n
  • Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub which uses steganography to hide this information in plain sight.<\/span>\u00a0<\/span><\/li>\n
  • The GitHub repositories were reported to GitHub and are taken down.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

    Key Takeaways\u00a0<\/span>\u00a0<\/span><\/h2>\n
      \n
    • Don\u2019t open attachments and links in emails from unknown sources.<\/span>\u00a0<\/span><\/li>\n
    • Use 2 factor authentication (2FA) on banking websites where possible.<\/span>\u00a0<\/span><\/li>\n
    • Keep your antivirus up to date.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

      Geographical Prevalence<\/span>\u00a0<\/span><\/h2>\n

      Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.<\/span>\u00a0<\/span><\/p>\n

      But in the recent campaign, it seems to be largely focused on Brazil.<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>1<\/span><\/span><\/span>: <\/span>Geographical Prevalence<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

       <\/p>\n

      Conclusion<\/span>\u00a0<\/span><\/h2>\n

      Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.<\/span>\u00a0<\/span><\/p>\n

       <\/p>\n

      Technical Analysis<\/span>\u00a0<\/span><\/h2>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>2<\/span><\/span><\/span> : Infection chain<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

       <\/p>\n

      Phishing Email<\/span>\u00a0<\/span><\/h2>\n

      The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file.<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure 3: Phishing Email<\/em><\/p>\n

      \"\"<\/p>\n

      Figure 4: Phishing Email<\/em><\/p>\n

      \"\"<\/p>\n

      Figure 5: Phishing Email<\/em><\/p>\n

       <\/p>\n

      JavaScript Downloader<\/span>\u00a0<\/span><\/p>\n

      The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe.<\/span>\u00a0<\/span><\/p>\n

      \"\"\u00a0<\/span><\/p>\n

      This command simply fetches more javascript code from the following URL:<\/span>\u00a0<\/span><\/p>\n

      \"\"\u00a0<\/span><\/p>\n

      To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography.<\/span>\u00a0<\/span><\/p>\n

      The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server:<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      \"\"<\/p>\n

      \"\"<\/p>\n

      Figure 6: Downloaded Files<\/em><\/p>\n

      Here,\u00a0<\/span>\u00a0<\/span><\/p>\n

      \u201dCorsair.Yoga.06342.8476.366.log\u201d<\/span><\/i> is\u00a0 AutoIT compiled script, <\/span>\u201cCorsair.Yoga.06342.8476.366.exe\u201d<\/span><\/i> is AutoIT interpreter,<\/span>\u00a0<\/span><\/p>\n

      \u201cstack.tmp\u201d<\/span><\/i> is an encrypted payload (Astaroth),<\/span>\u00a0<\/span><\/p>\n

      \u00a0and <\/span>\u201cdump.log\u201d<\/span><\/i> is an encrypted malware configuration.<\/span>\u00a0<\/span><\/p>\n

      AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process.<\/span>\u00a0<\/span><\/p>\n

       <\/p>\n

      Shellcode Analysis<\/span><\/span>\u00a0<\/span><\/h2>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>7<\/span><\/span><\/span>: AutoIt script building shellcode<\/span><\/span><\/em><\/p>\n

      The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory.<\/span>\u00a0<\/span><\/p>\n

      To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint.<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>8<\/span><\/span><\/span>: Hooking LocalCompact API<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

      \u00a0<\/span>
      <\/span>Shellcode<\/span>\u2019s $LOADOFFSET <\/span>starts by resolving a set of API<\/span>s that are used for loading a DLL in mem<\/span>ory.<\/span> The<\/span> API addresses are stored <\/span>in a jump table <\/span>at the very be<\/span>ginning of the <\/span>shellcode memory<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>9<\/span><\/span><\/span>: APIs resolved by shellcode<\/span><\/span><\/em>\u00a0<\/span><\/em>
      <\/span><\/p>\n

       <\/p>\n

      Here shellcode is <\/span>made<\/span> to load a DLL file(Delphi) and t<\/span>his DLL <\/span>de<\/span>crypts and <\/span>inject<\/span>s<\/span> the final payload into <\/span>newly created <\/span>RegSvc.exe process<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

       <\/p>\n

      Payload Analysis<\/span>\u00a0<\/span><\/h2>\n

      The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed.<\/span>\u00a0<\/span><\/p>\n

      It checks for the following tools in the system:<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>10<\/span><\/span><\/span>: List of analysis tools<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

       <\/p>\n

      It also makes sure that system locale is not related to the United States or English.<\/span>\u00a0<\/span><\/p>\n

      Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes.<\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>11<\/span><\/span><\/span>: Hooking keyboard events<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

      Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.<\/span><\/p>\n

      Many banking-related sites are targeted, some of which are mentioned below:<\/span>
      \ncaixa.gov.br<\/span>\u00a0<\/span><\/p>\n

      safra.com.br<\/span>\u00a0<\/span><\/p>\n

      Itau.com.br<\/span>\u00a0<\/span><\/p>\n

      bancooriginal.com.br<\/span>\u00a0<\/span><\/p>\n

      santandernet.com.br<\/span>\u00a0<\/span><\/p>\n

      btgpactual.com<\/span>\u00a0<\/span><\/p>\n

       <\/p>\n

      We also observed some cryptocurrency-related sites being targeted:<\/span>\u00a0<\/span><\/p>\n

      etherscan.io<\/span>\u00a0<\/span><\/p>\n

      binance.com<\/span>\u00a0<\/span><\/p>\n

      bitcointrade.com.br<\/span>\u00a0<\/span><\/p>\n

      metamask.io<\/span>\u00a0<\/span><\/p>\n

      foxbit.com.br<\/span>\u00a0<\/span><\/p>\n

      localbitcoins.com<\/span>\u00a0<\/span><\/p>\n

       <\/p>\n

      C2 Communication & Infrastructure<\/span>\u00a0<\/span><\/h2>\n

      The stolen banking credentials and other information are sent to C2 server using a custom binary protocol.<\/span>\u00a0<\/span><\/p>\n

      \"\"Figure <\/span><\/span>12<\/span><\/span><\/span>: C2 communication<\/span><\/span>\u00a0<\/span>\u00a0<\/em><\/span><\/p>\n

       <\/p>\n

      Astaroth<\/span>\u2019s <\/span>C2 infrastructure and malware configuration<\/span> are<\/span> depicted below.<\/span><\/span>\u00a0<\/span><\/h2>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>13<\/span><\/span><\/span>: C2 infrastructure<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

      Malware config is <\/span>store<\/span>d<\/span> in dump.log encrypted, following is <\/span>the information stored in it<\/span>:<\/span><\/span>\u00a0<\/span><\/p>\n

      \"\"<\/p>\n

      Figure <\/span><\/span>14<\/span><\/span><\/span>: Malware configuration<\/span><\/span>\u00a0<\/span><\/em><\/p>\n

       <\/p>\n

      Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image.<\/span>\u00a0<\/span><\/p>\n

      hxxps:\/\/bit[.]ly\/4gf4E7H —> <\/span>hxxps:\/\/raw.githubusercontent[.]com\/\/dridex2024\/\/razeronline\/\/refs\/heads\/main\/razerlimpa[.]png<\/span><\/b>\u00a0<\/span><\/p>\n

      Image file keeps the configuration hidden by storing it in the following format:<\/span><\/p>\n

      \"\"<\/p>\n

      We found more such GitHub repositories having image files with above pattern and reported them to GitHub, which they have taken down.<\/span>\u00a0<\/span><\/p>\n

      Persistence Mechanism\u00a0<\/span>\u00a0<\/span><\/h2>\n

      For persistence, Astaroth drops a LNK file in startup folder which runs the AutoIT script to launch the malware when the system starts.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

      McAfee Coverage<\/span>\u00a0<\/span><\/h2>\n

      McAfee has extensive coverage for Astaroth:<\/span>\u00a0<\/span><\/p>\n

      Trojan:Shortcut\/SuspiciousLNK.OSRT<\/span>\u00a0<\/span><\/p>\n

      Trojan:Shortcut\/Astaroth.OJS<\/span>\u00a0<\/span><\/p>\n

      Trojan:Script\/Astaroth.DL<\/span>\u00a0<\/span><\/p>\n

      Trojan:Script\/Astaroth.AI<\/span>\u00a0<\/span><\/p>\n

      Trojan:Script\/AutoITLoader.LC!2<\/span>\u00a0<\/span><\/p>\n

      Trojan:Shortcut\/Astaroth.STUP<\/span>\u00a0<\/span><\/p>\n

      Indicator Of Compromise(s)<\/span>\u00a0<\/span><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      IOC<\/span><\/b>\u00a0<\/span><\/td>\nHash \/ URL<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
      Email<\/span>\u00a0<\/span><\/td>\n7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70<\/span>
      \n7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be<\/span>
      \n11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      ZIP URL<\/span>\u00a0<\/span><\/td>\nhttps:\/\/91.220.167.72.host.secureserver[.]net\/peHg4yDUYgzNeAvm5.zip<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      LNK<\/span>\u00a0<\/span><\/td>\n34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      JS Downloader<\/span>\u00a0<\/span><\/td>\n28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      Download server<\/span>\u00a0<\/span><\/td>\nclafenval.medicarium[.]help<\/span>
      \nsprudiz.medicinatramp[.]click<\/span>
      \nfrecil.medicinatramp[.]beauty<\/span>
      \nstroal.medicoassocidos[.]beauty<\/span>
      \nstrosonvaz.medicoassocidos[.]help<\/span>
      \ngluminal188.trovaodoceara[.]sbs<\/span>
      \nscrivinlinfer.medicinatramp[.]icu<\/span>
      \ntrisinsil.medicesterium[.]help<\/span>
      \nbrusar.trovaodoceara[.]autos<\/span>
      \ngramgunvel.medicoassocidos[.]beauty<\/span>
      \nblojannindor0.trovaodoceara[.]motorcycles<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      AutoIT compiled script<\/span>\u00a0<\/span><\/td>\na235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      Injector dll<\/span>\u00a0<\/span><\/td>\ndb9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      payload<\/span>\u00a0<\/span><\/td>\n251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      Startup LNK<\/span>\u00a0<\/span><\/td>\n049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      C2 server<\/span>\u00a0<\/span><\/td>\n1.tcp.sa.ngrok[.]io:20262<\/span>
      \n1.tcp.us-cal-1.ngrok[.]io:24521<\/span>
      \n5.tcp.ngrok[.]io:22934<\/span>
      \n7.tcp.ngrok[.]io:22426<\/span>
      \n9.tcp.ngrok[.]io:23955<\/span>
      \n9.tcp.ngrok[.]io:24080<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      Config update URL<\/span>\u00a0<\/span><\/td>\nhttps:\/\/bit[.]ly\/49mKne9<\/span>
      \nhttps:\/\/bit[.]ly\/4gf4E7H<\/span>\u00a0<\/span>https:\/\/raw.githubusercontent[.]com\/dridex2024\/razeronline\/refs\/heads\/main\/razerlimpa.png<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
      GitHub Repositories hosting config images<\/span>\u00a0<\/span><\/td>\nhttps:\/\/github[.]com\/dridex2024\/razeronline<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/Config2023\/01atk-83567z<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/S20x\/m25<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/Tami1010\/base<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/balancinho1\/balaco<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/fernandolopes201\/675878fvfsv2231im2<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/polarbearfish\/fishbom<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/polarbearultra\/amendointorrado<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/projetonovo52\/master<\/span>\u00a0<\/span><\/p>\n

      https:\/\/github[.]com\/vaicurintha\/gol<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

       <\/p>\n","protected":false},"excerpt":{"rendered":"

      by Harshil Patel and Prabudh Chakravorty *EDITOR’S NOTE: Special thank you to the GitHub team for working with us on…<\/p>\n","protected":false},"author":695,"featured_media":156030,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10661,442],"tags":[],"coauthors":[4136],"class_list":["post-222662","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-security","category-mcafee-labs"],"acf":[],"yoast_head":"\nAstaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog<\/title>\n<meta name=\"description\" content=\"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Astaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-11T00:00:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-10-11T00:50:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Astaroth: Banking Trojan Abusing GitHub for Resilience\",\"datePublished\":\"2025-10-11T00:00:24+00:00\",\"dateModified\":\"2025-10-11T00:50:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\"},\"wordCount\":1387,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png\",\"articleSection\":[\"Internet Security\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\",\"name\":\"Astaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png\",\"datePublished\":\"2025-10-11T00:00:24+00:00\",\"dateModified\":\"2025-10-11T00:50:55+00:00\",\"description\":\"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Astaroth: Banking Trojan Abusing GitHub for Resilience\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Astaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog","description":"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Astaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog","og_description":"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2025-10-11T00:00:24+00:00","article_modified_time":"2025-10-11T00:50:55+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Astaroth: Banking Trojan Abusing GitHub for Resilience","datePublished":"2025-10-11T00:00:24+00:00","dateModified":"2025-10-11T00:50:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/"},"wordCount":1387,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png","articleSection":["Internet Security","McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/","name":"Astaroth: Banking Trojan Abusing GitHub for Resilience | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png","datePublished":"2025-10-11T00:00:24+00:00","dateModified":"2025-10-11T00:50:55+00:00","description":"by Harshil Patel and Prabudh Chakravorty *EDITOR'S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/04\/300x200_Blog_trojan.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/astaroth-banking-trojan-abusing-github-for-resilience\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Astaroth: Banking Trojan Abusing GitHub for Resilience"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/222662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=222662"}],"version-history":[{"count":13,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/222662\/revisions"}],"predecessor-version":[{"id":222962,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/222662\/revisions\/222962"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/156030"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=222662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=222662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=222662"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=222662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}