McAfee: Astaroth Banking Trojan May Use GitHub To Redirect Servers, Could Target Bitcoin Credentials

  • Astaroth uses GitHub to store configuration pointers, not the malware binaries.

  • Astaroth spreads via phishing .lnk attachments and runs silently to capture banking and crypto credentials.

  • McAfee reports Astaroth targets mainly South America and employs Ngrok and browser checks to exfiltrate data.

Astaroth keylogger steals banking and crypto credentials and uses GitHub-hosted configs to redirect infected hosts to new servers—learn how to detect it and protect your accounts today.

What is Astaroth keylogger and how does it operate?

Astaroth keylogger is a banking Trojan that installs via phishing .lnk attachments and runs background keylogging to harvest banking and cryptocurrency credentials. It communicates with backend servers through Ngrok proxies and can update its server configuration via GitHub repositories when primary command-and-control servers are disrupted.

How does Astaroth use GitHub to redirect servers?

Astaroth does not host executable malware on GitHub; instead attackers store small configuration files in GitHub repositories that point infected hosts to alternative bot servers. When a command-and-control server is taken down, the configuration file stored on GitHub is updated to supply a new server address, allowing the trojan to reconnect and continue exfiltration.

What are the main capabilities and targets of Astaroth?

The Trojan performs keylogging, credential harvesting, and exfiltration via Ngrok reverse proxies. It targets banking domains and crypto platforms and has been observed mainly across South America, with country-specific targeting logic to avoid English-speaking environments. McAfee researchers report heavy prevalence in Brazil and operations across Mexico, Argentina, Chile and other Latin American countries.

Why is GitHub being abused by malware operators?

Attackers exploit reputable platforms like GitHub to host innocuous-looking configuration files because these platforms are highly available and often trusted by defensive systems. Storing only configuration data reduces the risk of immediate detection and enables operators to change backend endpoints quickly after a takedown.

What evidence supports McAfee’s findings?

McAfee threat researchers, including Abhishek Karnik, have observed configuration files in GitHub repositories that point to Ngrok endpoints and alternative servers. McAfee notes that the repository-hosted configs contain only pointers, not payloads, and that this behavior resembles prior campaigns, such as the GitVenom and Redline Stealer incidents described in earlier security analyses.

Frequently Asked Questions

How to protect your accounts from Astaroth keylogger?

Follow a short, prioritized checklist to reduce risk and limit damage if infected.

  1. Do not open unexpected .lnk or attachment files received by email.
  2. Run updated antivirus/endpoint protection and schedule full system scans.
  3. Enable two-factor authentication on banking and crypto accounts.
  4. Use dedicated devices or browser profiles for sensitive financial logins.
  5. Monitor account transactions and revoke sessions if unusual activity appears.

Key Takeaways

  • Astaroth leverages GitHub for resiliency: Attackers store configuration pointers on GitHub to redirect infected hosts after takedowns.
  • Credential theft via keylogging: The trojan captures banking and crypto credentials and exfiltrates them using Ngrok proxies.
  • User actions matter: Avoid opening unknown attachments, and use up-to-date antivirus and two-factor authentication to reduce risk.

Conclusion

Threat actors behind the Astaroth keylogger combine phishing distribution, keylogging, Ngrok proxies and GitHub-hosted configuration files to maintain operations despite takedowns. Security teams and users should prioritize prevention—phishing awareness, endpoint hygiene, and 2FA—while analysts continue monitoring repository-based configuration abuse. COINOTAG will update this report as new findings emerge.

Source: https://en.coinotag.com/mcafee-astaroth-banking-trojan-may-use-github-to-redirect-servers-could-target-bitcoin-credentials/