Astaroth Banking Trojan Exploits GitHub and Ngrok To Evade Detection And Maintain Persistence
October 23rd, 2025
Medium

Our Cyber Threat Intelligence Unit is monitoring an ongoing campaign involving Astaroth, a sophisticated banking Trojan targeting users across Brazil and Latin America. The malware harvests digital banking and cryptocurrency credentials through credential theft, keylogging, and browser monitoring. Astaroth remains resilient by using GitHub as an auxiliary C2 channel, hosting its configuration data hidden in images through steganography, so that communication continues even if the primary C2 servers are taken down. The infection begins with a DocuSign-themed phishing email that delivers a zipped Windows shortcut (.LNK) file. When opened, the shortcut executes obfuscated JavaScript, downloads further payloads, and runs an AutoIt script that decrypts the trojan and injects it into a newly spawned RegSvc.exe process. Astaroth then monitors browser sessions for financial or crypto activity and exfiltrates data through Ngrok reverse proxies. Research by McAfee Labs highlights the malware's anti-analysis measures, geofencing logic, and its continued use of legitimate cloud platforms to avoid takedowns.
Technical Details
Attack Type: Abuse of legitimate platforms (GitHub) for resilient configuration hosting and evasion.
Severity: Medium.
Affected Components: Windows endpoints and GitHub repositories leveraged for configuration updates.
Attack Chain:
Initial Vector: Phishing emails masquerading as DocuSign notifications distribute a ZIP archive containing a malicious .LNK file.
Execution: The LNK launches obfuscated JavaScript (via mshta.exe), which retrieves additional scripts from external servers.
Payload Delivery: Downloaded scripts fetch an AutoIt executable that decrypts and loads a Delphi-based DLL, injecting the Astaroth payload into a spawned RegSvc.exe process.
Persistence: An additional .LNK is placed in the Windows Startup folder to ensure automatic execution on reboot.
Post-Compromise Behavior:
Monitors browser sessions on financial and cryptocurrency sites.
Captures keystrokes and credentials.
Transmits data via Ngrok tunnels.
Fetches updated configurations from GitHub images embedded with steganographic data when primary C2s are unreachable.
Performs environmental checks and terminates if analysis tools such as IDA Pro, WinDbg, Wireshark, QEMU Guest Agent, or Immunity Debugger are detected.

Impact
Theft of banking and cryptocurrency credentials leading to direct financial loss.
Compromise of sensitive personal or corporate data.
Potential service disruption from infected endpoints acting as secondary distribution nodes.
Operational downtime due to containment, remediation, and incident response.
Regulatory and reputational risk associated with unauthorized access or data exposure.
Detection Method
Hunt for .LNK files in Startup directories containing or spawning obfuscated JavaScript.
Detect unusual mshta.exe → AutoIt3.exe → RegSvc.exe process chains.
Monitor for AutoIt executions outside approved workflows.
Flag outbound connections to Ngrok TCP endpoints (*.tcp.ngrok[.]io).
Monitor for repeated access to GitHub raw-content URLs hosting PNG or image files followed by decoding or parsing activity.
Identify systems attempting to reach geofenced infrastructure inconsistent with organizational regions.
Correlate DNS or HTTP activity to known malicious hostnames and IPs listed in our IOC section below.
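The detection items above can be expressed as a small correlation routine over endpoint telemetry. The following is an added example, not code from the advisory or from McAfee Labs: it assumes Sysmon-style events with the fields type, pid, ppid, image, path, host and url (the field names, process IDs, file paths and the sample event stream are all constructed for this example), refangs hostnames taken from the IOC table below, and implements three of the hunts: the mshta.exe to AutoIt3.exe to RegSvc.exe ancestry chain (allowing intermediate hops such as cmd.exe), DNS/HTTP activity to known IOC hosts or any *.tcp.ngrok.io endpoint plus raw GitHub image fetches by a non-browser process, and a .lnk written to a Startup folder by a scripting or AutoIt process.

```python
# Added example (not from the advisory): correlating constructed endpoint
# telemetry against the detection logic in the Detection Method section.
# Event shape, process IDs and paths are assumptions made for this example.
import re

# Hostnames copied from the advisory's IOC table, defanged as published.
DEFANGED_IOCS = [
    "clafenval.medicarium[.]help",
    "sprudiz.medicinatramp[.]click",
    "1.tcp.sa.ngrok[.]io",
]
# Any *.tcp.ngrok.io endpoint, including regional labels such as 1.tcp.sa.ngrok.io.
NGROK_TCP_RE = re.compile(r"(^|\.)tcp(\.[a-z0-9-]+)*\.ngrok\.io$", re.I)
RAW_GITHUB_IMAGE_RE = re.compile(
    r"^https://raw\.githubusercontent\.com/.+\.(png|jpe?g|gif|bmp)$", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DROPPERS = {"mshta.exe", "wscript.exe", "cscript.exe", "autoit3.exe", "powershell.exe"}


def refang(indicator):
    """Turn a published '[.]' defanged hostname back into a matchable host."""
    return indicator.replace("[.]", ".").lower()


IOC_HOSTS = {refang(h) for h in DEFANGED_IOCS}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Image basenames from the root of the process tree down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # guard against cyclic ppid data
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def process_chain_alerts(events):
    """mshta.exe -> AutoIt3.exe -> RegSvc.exe, with any hops in between."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    wanted = ["mshta.exe", "autoit3.exe", "regsvc.exe"]
    alerts = []
    for pid, proc in procs.items():
        if basename(proc["image"]) != "regsvc.exe":
            continue
        chain, pos = ancestry(pid, procs), -1
        for name in wanted:               # ordered-subsequence check
            try:
                pos = chain.index(name, pos + 1)
            except ValueError:
                break
        else:
            alerts.append(f"pid {pid}: suspicious chain {' -> '.join(chain)}")
    return alerts


def network_alerts(events):
    """Known IOC hosts, *.tcp.ngrok.io endpoints, non-browser raw GitHub image fetches."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] not in ("dns", "http"):
            continue
        host = e["host"].lower()
        if host in IOC_HOSTS:
            alerts.append(f"pid {e['pid']}: known IOC host {host}")
        elif NGROK_TCP_RE.search(host):
            alerts.append(f"pid {e['pid']}: ngrok TCP endpoint {host}")
        url = e.get("url", "")
        if RAW_GITHUB_IMAGE_RE.match(url):
            img = basename(procs[e["pid"]]["image"]) if e["pid"] in procs else "?"
            if img not in BROWSERS:
                alerts.append(f"pid {e['pid']} ({img}): raw GitHub image fetch {url}")
    return alerts


def startup_lnk_alerts(events):
    """A .lnk written to a Startup folder by a scripting or AutoIt process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "file" and STARTUP_LNK_RE.search(e["path"]):
            img = basename(procs[e["pid"]]["image"]) if e["pid"] in procs else "?"
            if img in DROPPERS:
                alerts.append(f"pid {e['pid']} ({img}): startup LNK {e['path']}")
    return alerts


def run_detections(events):
    return {"process_chain": process_chain_alerts(events),
            "network": network_alerts(events),
            "startup_lnk": startup_lnk_alerts(events)}


# Constructed sample telemetry (values invented for this example; repo names are placeholders).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process", "pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 220, "ppid": 210, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe"},
    {"type": "process", "pid": 230, "ppid": 220, "image": r"C:\Windows\System32\RegSvc.exe"},
    {"type": "process", "pid": 300, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"type": "file", "pid": 220,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "dns", "pid": 200, "host": "clafenval.medicarium.help"},
    {"type": "dns", "pid": 230, "host": "5.tcp.ngrok.io"},
    {"type": "http", "pid": 230, "host": "raw.githubusercontent.com",
     "url": "https://raw.githubusercontent.com/example-org/example-repo/main/config.png"},
    {"type": "http", "pid": 300, "host": "raw.githubusercontent.com",
     "url": "https://raw.githubusercontent.com/example-org/docs/main/logo.png"},
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The ancestry walk rather than a direct parent check matters here because the advisory's chain passes through intermediate script hosts; a rule keyed only on parent/child pairs misses a cmd.exe or wscript.exe hop. Browser exclusion on the raw GitHub rule keeps ordinary README image loads from firing while still catching a hollowed RegSvc.exe pulling a PNG.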
Indicators of Compromise
Type | Indicator
ZIP URL | https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip
LNK SHA-256 | 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df
JS downloader SHA-256 | 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c
Download server | clafenval.medicarium[.]help
Download server | sprudiz.medicinatramp[.]click
Download server | frecil.medicinatramp[.]beauty
Download server | stroal.medicoassocidos[.]beauty
Download server | strosonvaz.medicoassocidos[.]help
Download server | gluminal188.trovaodoceara[.]sbs
Download server | scrivinlinfer.medicinatramp[.]icu
Download server | trisinsil.medicesterium[.]help
Download server | brusar.trovaodoceara[.]autos
Download server | gramgunvel.medicoassocidos[.]beauty
Download server | blojannindor0.trovaodoceara[.]motorcycles
AutoIt compiled script SHA-256 | a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b
Injector DLL SHA-256 | db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34
Payload SHA-256 | 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195
Startup LNK SHA-256 | 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43
C2 server | 1.tcp.sa.ngrok[.]io:20262
C2 server | 1.tcp.us-cal-1.ngrok[.]io:24521
C2 server | 5.tcp.ngrok[.]io:22934
C2 server | 7.tcp.ngrok[.]io:22426
C2 server | 9.tcp.ngrok[.]io:23955
C2 server | 9.tcp.ngrok[.]io:24080
Config update URL | https://bit[.]ly/49mKne9
Config update URL | https://bit[.]ly/4gf4E7H
Config update URL | https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png
GitHub repository hosting config images | https://github[.]com/dridex2024/razeronline
GitHub repository hosting config images | https://github[.]com/Config2023/01atk-83567z
GitHub repository hosting config images | https://github[.]com/S20x/m25
GitHub repository hosting config images | https://github[.]com/Tami1010/base
GitHub repository hosting config images | https://github[.]com/balancinho1/balaco
GitHub repository hosting config images | https://github[.]com/fernandolopes201/675878fvfsv2231im2
GitHub repository hosting config images | https://github[.]com/polarbearfish/fishbom
GitHub repository hosting config images | https://github[.]com/polarbearultra/amendointorrado
GitHub repository hosting config images | https://github[.]com/projetonovo52/master
GitHub repository hosting config images | https://github[.]com/vaicurintha/gol

Recommendations
Coordinate with GitHub and relevant providers to flag and remove repositories linked to Astaroth configuration hosting.
Block known malicious domains and Ngrok endpoints at the network and DNS layers.
Patch and harden Windows hosts, and enforce application control to block unauthorized scripts.
Implement EDR detections for mshta-spawned AutoIt and abnormal RegSvc.exe activity.
Enable network telemetry for outbound image downloads from GitHub, followed by decoding or command parsing.
Apply email filtering and sandboxing for ZIP/LNK attachments from unknown senders.
Educate end users on phishing lures impersonating DocuSign or other business services.
Conclusion
The Astaroth banking Trojan demonstrates how modern malware exploits legitimate cloud services for persistence and evasion. By leveraging GitHub for covert configuration updates and Ngrok for command-and-control, adversaries can maintain operations despite infrastructure takedowns. We urge organizations to stay vigilant by strengthening defenses against phishing and monitoring for unusual AutoIt and GitHub activity within their environments. Continuous monitoring, rapid containment, and cross-team coordination are essential to mitigate the risks associated with this evolving threat.