Infection chain | Image: McAfee
The McAfee Threat Research team has uncovered a new and sophisticated Astaroth malware campaign — using GitHub repositories as backup command-and-control (C2) servers. This allows the information-stealing malware to remain operational even after its main infrastructure is disrupted.
According to McAfee researchers, “Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations.”
When defenders or law enforcement dismantle one of its servers, “Astaroth simply pulls fresh configurations from GitHub and keeps running,” the report warns.
The attack begins with a phishing email — often themed around DocuSign or job applications — containing a link to download a ZIP archive with a malicious Windows shortcut (.LNK) file. Once executed, this shortcut launches obfuscated JavaScript via mshta.exe, which downloads additional components to install Astaroth on the victim’s system.
McAfee explains, “The infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system.”
These downloaded files include:
- A compiled AutoIt script,
- The Astaroth payload encrypted in stack.tmp,
- And a configuration file (dump.log) that controls the malware’s behavior.
Once executed, the AutoIt script builds shellcode directly in memory and injects it into a legitimate Windows process (RegSvc.exe) — effectively concealing its activity from antivirus software and analysts.
Once installed, Astaroth’s main goal is credential theft. It continuously monitors the victim’s browser activity, activating its keylogging functions when banking or cryptocurrency websites are accessed.
McAfee notes, “Astaroth detects when users access a banking/cryptocurrency website and steals the credentials using keylogging.”
The malware specifically targets South American financial institutions, including:
- caixa.gov.br
- itau.com.br
- santandernet.com.br
- bancooriginal.com.br
- safra.com.br
In addition, Astaroth extends its reach to cryptocurrency platforms such as Binance, Etherscan, MetaMask, Foxbit, and LocalBitcoins — reflecting a growing interest among cybercriminals in digital asset theft.
Perhaps the most striking discovery is Astaroth’s use of GitHub as an encrypted configuration host. When its C2 servers go offline, the malware automatically downloads image files from GitHub containing hidden configuration data via steganography — allowing it to update operational parameters without direct contact with its C2.
“Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub which uses steganography to hide this information in plain sight.”
One example cited in the report shows the malware fetching an image from:
The embedded configuration file (dump.log) defines parameters like C2 domains, victim identifiers, and update intervals, which are refreshed every two hours.
McAfee confirmed that “The GitHub repositories were reported to GitHub and are taken down.”
For persistence, Astaroth creates a shortcut in the Windows Startup folder, ensuring that its AutoIt script launches automatically at every reboot. The malware also includes extensive anti-analysis checks — terminating itself if virtual machines, debugging tools, or sandbox environments are detected.
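As an added example (not code from McAfee or the report), the following Python turns the stages described above, the LNK-to-mshta.exe launch, the stack.tmp/dump.log drop, the RegSvc.exe injection and the Startup-folder shortcut, into detection rules run over constructed Sysmon-style events; the paths, event ids and the `loader.exe` name are assumptions.

```python
import json
import re

# Constructed Sysmon-style JSON lines (not real telemetry): process create (1),
# CreateRemoteThread (8) and file create (11). Paths and names are invented.
SAMPLE_EVENTS = r"""
{"id": 1, "EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe javascript:x()"}
{"id": 2, "EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"}
{"id": 3, "EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "loader.exe C:\\Users\\u\\AppData\\Local\\Temp\\stack.tmp"}
{"id": 4, "EventID": 11, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"id": 5, "EventID": 8, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe", "TargetImage": "C:\\Windows\\System32\\RegSvc.exe"}
{"id": 6, "EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"}
"""

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SCRIPT_OR_URL = re.compile(r"javascript:|vbscript:|https?://", re.I)
DROPPED_FILES = re.compile(r"\\(stack\.tmp|dump\.log)\b", re.I)

def check_event(ev):
    """Return the names of every rule this single event matches."""
    hits = []
    image = ev.get("Image", "").lower()
    if ev.get("EventID") == 1:
        # mshta.exe running inline script or fetching remote content, as in the
        # LNK -> mshta.exe stage; a plain local .hta launch (event 2) is not flagged.
        if image.endswith("\\mshta.exe") and SCRIPT_OR_URL.search(ev.get("CommandLine", "")):
            hits.append("mshta_inline_script")
        # command line naming the dropped payload/config files from the report
        if DROPPED_FILES.search(ev.get("CommandLine", "")):
            hits.append("astaroth_dropped_file_ref")
    elif ev.get("EventID") == 11:
        # .lnk written to the per-user Startup folder (persistence stage)
        if STARTUP_LNK.search(ev.get("TargetFilename", "")):
            hits.append("startup_folder_lnk")
    elif ev.get("EventID") == 8:
        # remote thread created in RegSvc.exe (the injection target named above)
        if ev.get("TargetImage", "").lower().endswith("\\regsvc.exe"):
            hits.append("remote_thread_into_regsvc")
    return hits

def scan(jsonl):
    """Run every rule over a JSON-lines export; return (rule, event id) pairs."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        alerts.extend((rule, ev["id"]) for rule in check_event(ev))
    return alerts

if __name__ == "__main__":
    for rule, event_id in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} event {event_id}")
```

Each rule on its own is noisy; correlating them by process tree (mshta.exe parent, then the same child writing the Startup .lnk and opening RegSvc.exe) is what makes the alert high-confidence.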
The payload is written in Delphi, with multiple layers of encryption and obfuscation. McAfee analysts observed that it “shuts down the system if it detects that it is being analyzed.”
Furthermore, Astaroth avoids infecting systems with English or U.S. regional settings — a common evasion tactic among Latin American malware families.
While Astaroth has the capability to target 11 South American countries, including Mexico, Argentina, Chile, and Colombia, the latest campaign is predominantly focused on Brazil. McAfee reports, “Astaroth is capable of targeting many South American countries… but in the recent campaign, it seems to be largely focused on Brazil.”
The malware communicates with its C2 servers through Ngrok reverse proxies, using a custom binary protocol to exfiltrate stolen data. This architecture helps Astaroth mask its real C2 endpoints and bypass firewall detection.
Every two hours, the malware refreshes its configuration, maintaining operational resilience even when parts of its infrastructure are disrupted.