Astaroth: Banking Trojan Abusing GitHub for Resilience

    Date: 10/13/2025

    Severity: Medium

    Summary

    Astaroth is a stealthy banking trojan that has become more resilient by abusing GitHub. Instead of relying solely on traditional command-and-control (C2) servers, it hosts its malware configuration in GitHub repositories, so it stays operational even when its C2 infrastructure is taken down. The infection typically starts with a phishing email carrying a zipped Windows shortcut (.lnk) file; executing the shortcut installs Astaroth, which watches for banking or cryptocurrency activity and steals credentials through keylogging. Stolen data is exfiltrated through the Ngrok reverse proxy. To update its configuration, Astaroth downloads images from GitHub repositories in which the configuration data is hidden with steganography. The abused GitHub repositories have since been taken down.

    Indicators of Compromise (IOC) List

    URLs/Domains

    IP Address

    91.220.167.72

    Hashes (SHA-256)

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "scrivinlinfer.medicinatramp.icu" or siteurl like "scrivinlinfer.medicinatramp.icu" or url like "scrivinlinfer.medicinatramp.icu" or domainname like "https://91.220.167.72.host.secureserver.net/peHg4yDUYgzNeAvm5.zip" or siteurl like "https://91.220.167.72.host.secureserver.net/peHg4yDUYgzNeAvm5.zip" or url like "https://91.220.167.72.host.secureserver.net/peHg4yDUYgzNeAvm5.zip" or domainname like "clafenval.medicarium.help" or siteurl like "clafenval.medicarium.help" or url like "clafenval.medicarium.help" or domainname like "gluminal188.trovaodoceara.sbs" or siteurl like "gluminal188.trovaodoceara.sbs" or url like "gluminal188.trovaodoceara.sbs" or domainname like "https://bit.ly/49mKne9" or siteurl like "https://bit.ly/49mKne9" or url like "https://bit.ly/49mKne9" or domainname like "trisinsil.medicesterium.help" or siteurl like "trisinsil.medicesterium.help" or url like "trisinsil.medicesterium.help" or domainname like "sprudiz.medicinatramp.click" or siteurl like "sprudiz.medicinatramp.click" or url like "sprudiz.medicinatramp.click" or domainname like "strosonvaz.medicoassocidos.help" or siteurl like "strosonvaz.medicoassocidos.help" or url like "strosonvaz.medicoassocidos.help" or domainname like "frecil.medicinatramp.beauty" or siteurl like "frecil.medicinatramp.beauty" or url like "frecil.medicinatramp.beauty" or domainname like "stroal.medicoassocidos.beauty" or siteurl like "stroal.medicoassocidos.beauty" or url like "stroal.medicoassocidos.beauty" or domainname like "brusar.trovaodoceara.autos" or siteurl like "brusar.trovaodoceara.autos" or url like "brusar.trovaodoceara.autos" or domainname like "gramgunvel.medicoassocidos.beauty" or siteurl like "gramgunvel.medicoassocidos.beauty" or url like "gramgunvel.medicoassocidos.beauty" or domainname like "blojannindor0.trovaodoceara.motorcycles" or siteurl like "blojannindor0.trovaodoceara.motorcycles" or url like "blojannindor0.trovaodoceara.motorcycles" or domainname like "1.tcp.sa.ngrok.io:20262" or siteurl like "1.tcp.sa.ngrok.io:20262" or url like "1.tcp.sa.ngrok.io:20262" or domainname like "1.tcp.us-cal-1.ngrok.io:24521" or siteurl like "1.tcp.us-cal-1.ngrok.io:24521" or url like "1.tcp.us-cal-1.ngrok.io:24521" or domainname like "5.tcp.ngrok.io:22934" or siteurl like "5.tcp.ngrok.io:22934" or url like "5.tcp.ngrok.io:22934" or domainname like "7.tcp.ngrok.io:22426" or siteurl like "7.tcp.ngrok.io:22426" or url like "7.tcp.ngrok.io:22426" or domainname like "9.tcp.ngrok.io:23955" or siteurl like "9.tcp.ngrok.io:23955" or url like "9.tcp.ngrok.io:23955" or domainname like "9.tcp.ngrok.io:24080" or siteurl like "9.tcp.ngrok.io:24080" or url like "9.tcp.ngrok.io:24080" or domainname like "https://bit.ly/4gf4E7H" or siteurl like "https://bit.ly/4gf4E7H" or url like "https://bit.ly/4gf4E7H" or domainname like "https://raw.githubusercontent.com/dridex2024/razeronline/refs/heads/main/razerlimpa.png" or siteurl like "https://raw.githubusercontent.com/dridex2024/razeronline/refs/heads/main/razerlimpa.png" or url like "https://raw.githubusercontent.com/dridex2024/razeronline/refs/heads/main/razerlimpa.png" or domainname like "https://github.com/dridex2024/razeronline" or siteurl like "https://github.com/dridex2024/razeronline" or url like "https://github.com/dridex2024/razeronline" or domainname like "https://github.com/Config2023/01atk-83567z" or siteurl like "https://github.com/Config2023/01atk-83567z" or url like "https://github.com/Config2023/01atk-83567z" or domainname like "https://github.com/S20x/m25" or siteurl like "https://github.com/S20x/m25" or url like "https://github.com/S20x/m25" or domainname like "https://github.com/Tami1010/base" or siteurl like "https://github.com/Tami1010/base" or url like "https://github.com/Tami1010/base" or domainname like "https://github.com/balancinho1/balaco" or siteurl like "https://github.com/balancinho1/balaco" or url like "https://github.com/balancinho1/balaco" or domainname like "https://github.com/fernandolopes201/675878fvfsv2231im2" or siteurl like "https://github.com/fernandolopes201/675878fvfsv2231im2" or url like "https://github.com/fernandolopes201/675878fvfsv2231im2" or domainname like "https://github.com/polarbearfish/fishbom" or siteurl like "https://github.com/polarbearfish/fishbom" or url like "https://github.com/polarbearfish/fishbom" or domainname like "https://github.com/polarbearultra/amendointorrado" or siteurl like "https://github.com/polarbearultra/amendointorrado" or url like "https://github.com/polarbearultra/amendointorrado" or domainname like "https://github.com/projetonovo52/master" or siteurl like "https://github.com/projetonovo52/master" or url like "https://github.com/projetonovo52/master" or domainname like "https://github.com/vaicurintha/gol" or siteurl like "https://github.com/vaicurintha/gol" or url like "https://github.com/vaicurintha/gol"

    Detection Query 2:

    dstipaddress IN ("91.220.167.72") or srcipaddress IN ("91.220.167.72")

    Detection Query 3:

    sha256hash IN ("251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195","a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b","34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df","28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c","7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70","7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be","11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945","db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34","049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43")
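    As an added example that is not part of the original advisory or of Gurucul's product, the three queries above are expressed below as a standalone Python matcher run over constructed log events. It assumes the queries' "like" is a case-insensitive substring match, and, going beyond the page's exact list, it also reports any ngrok TCP tunnel endpoint as a separate, weaker finding.

```python
import re

# Indicators copied from Detection Queries 1-3 on this page (a subset; extend
# with the rest of the page's list). Field names follow the queries' schema.
DOMAIN_URL_IOCS = {
    "scrivinlinfer.medicinatramp.icu",
    "1.tcp.sa.ngrok.io:20262",
    "https://raw.githubusercontent.com/dridex2024/razeronline/refs/heads/main/razerlimpa.png",
    "https://github.com/dridex2024/razeronline",
}
IP_IOCS = {"91.220.167.72"}
SHA256_IOCS = {
    "7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70",
    "251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195",
}
# Assumed generalisation beyond the page's exact list: any ngrok TCP tunnel
# endpoint (N.tcp[.region].ngrok.io[:port]) is reported as a weaker finding.
NGROK_TCP = re.compile(r"(^|\.)tcp(\.[a-z0-9-]+)*\.ngrok\.io(:\d+)?$", re.I)

def _like(value, pattern):
    # Assumption: the queries' "like" is a case-insensitive substring match.
    return pattern.lower() in value.lower()

def match_event(event):
    """Return (query, field, indicator) hits for one log event given as a dict."""
    hits = []
    for field in ("domainname", "siteurl", "url"):          # Query 1 fields
        value = str(event.get(field) or "")
        exact = [ioc for ioc in DOMAIN_URL_IOCS if _like(value, ioc)]
        hits += [("query1", field, ioc) for ioc in exact]
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value, flags=re.I).split("/", 1)[0]
        if not exact and NGROK_TCP.search(host):
            hits.append(("ngrok_tcp_generic", field, host))
    for field in ("dstipaddress", "srcipaddress"):          # Query 2 fields
        if str(event.get(field) or "") in IP_IOCS:
            hits.append(("query2", field, event[field]))
    digest = str(event.get("sha256hash") or "").lower()     # Query 3 field
    if digest in SHA256_IOCS:
        hits.append(("query3", "sha256hash", digest))
    return hits

# Constructed sample events (not from the page); the second is a benign control.
SAMPLE_EVENTS = [
    {"url": "https://raw.githubusercontent.com/dridex2024/razeronline/refs/heads/main/razerlimpa.png"},
    {"domainname": "www.example.com", "dstipaddress": "198.51.100.7"},
    {"domainname": "9.tcp.ngrok.io:23955"},
    {"sha256hash": "7418FFA31F8A51A04274FC8F610FA4D5AA5758746617020EE57493546AE35B70",
     "srcipaddress": "91.220.167.72"},
]
```

    Feed `match_event` one normalised event at a time; the hash field is lower-cased before comparison so SIEMs that store uppercase digests still match.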

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/
    Tags

    Malware, Phishing, Astaroth, Trojan, GitHub, cryptocurrency, credential stealers, Exfiltration, Ngrok, Steganography, Keylogger