Astaroth Trojan Abuses GitHub for Resilient C2 Attacks

A new Astaroth banking trojan campaign is using GitHub as a resilient backbone for its operations. Instead of relying on traditional command-and-control (C2) servers that can be taken down, the malware hides its configuration inside image files hosted on the platform, using steganography. The attack begins with phishing emails that trick users into downloading a malicious shortcut file, which installs the malware. Astaroth then monitors for visits to banking and cryptocurrency websites and uses keylogging to steal credentials. This use of a legitimate service makes the malware's infrastructure significantly harder to disrupt.

Latest mentioned: 10-13
Earliest mentioned: 10-10