Astaroth: Banking Trojan Abusing GitHub for Resilience
ID: 2f20ac80-eb6b-58df-983e-7415b9470639
STIX ID: report--2f20ac80-eb6b-58df-983e-7415b9470639
Feed Name: McAfee Labs Blog
McAfee researchers uncovered an active Astaroth campaign that infects victims via phishing ZIP archives containing LNK files, which launch obfuscated JavaScript and AutoIT components; the Delphi-based payload performs keylogging and credential theft against banking and cryptocurrency sites, exfiltrating data via ngrok-based C2s. The actors use GitHub-hosted images with steganographically embedded configuration as resilient backup infrastructure for updates when primary C2s are disrupted. The report includes technical analysis, targeted site lists, persistence details, and numerous IOCs (hashes, URLs, GitHub repos).
