Astaroth Banking Trojan Harnessing GitHub to Steal Crypto Credentials
The post Astaroth Banking Trojan Harnessing GitHub to Steal Crypto Credentials appeared on BitcoinEthereumNews.com.
In brief

McAfee has uncovered a Trojan campaign that uses GitHub to redirect malware to new servers whenever existing servers are taken down. The malware is primarily targeting countries in South America, with a particular focus on Brazil. The virus is delivered via phishing emails, and is capable of stealing banking and crypto credentials.

Hackers are deploying a banking Trojan that makes use of GitHub repositories whenever its servers are taken down, according to research from cybersecurity firm McAfee.

Dubbed Astaroth, the Trojan is spread via phishing emails that invite victims to download a Windows shortcut (.lnk) file, which installs the malware on the host computer. Astaroth runs in the background of a victim's device, using keylogging to steal banking and crypto credentials, and exfiltrates those credentials through the Ngrok reverse proxy (an intermediary between servers).

Its distinguishing feature is that Astaroth uses GitHub repositories to update its server configuration whenever its command-and-control server is taken down, which usually happens because of intervention from cybersecurity firms or law enforcement agencies.

"GitHub is not used to host the malware itself, but just to host a configuration that points to the bot server," said Abhishek Karnik, Director for Threat Research and Response at McAfee.

Speaking to Decrypt, Karnik explained that the malware's operators are using GitHub as a resource to direct infected machines to updated servers, which distinguishes this technique from previous instances in which GitHub has been abused. These include an attack vector discovered by McAfee in 2024, in which bad actors inserted the Redline Stealer malware into GitHub repositories, something which has been repeated this year in the GitVenom campaign.

"However, in this case, it's not malware that is being hosted but a configuration that manages how the malware communicates with its backend infrastructure," Karnik added.

As with the GitVenom campaign,…
Filed under: News - @ October 12, 2025 11:24 am