Rewterz

Astaroth Banking Trojan Exploits GitHub to Stay Active After Takedowns – Active IOCs

Severity

High

Analysis Summary

Astaroth is a stealthy, resilient banking trojan built to avoid analysis and interruption. It performs extensive anti-analysis checks and shuts itself down if it detects common virtualization, debugging, or forensic tools, including QEMU Guest Agent, HookExplorer, IDA Pro, Immunity Debugger, PE Tools, WinDbg, and Wireshark. This makes dynamic analysis and reverse engineering far harder for researchers and automated sandboxes alike.

According to the researchers, the malware persists through the Windows Startup folder: it drops an LNK shortcut that executes an AutoIt script, so the payload launches on every reboot. The JavaScript inside the initial LNK is gated by geofencing controls, and the malware further verifies the host environment by checking that the system locale is neither English nor set to the United States before proceeding, which narrows its target set and reduces exposure in regions the operators do not want to touch.
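As an added example (not code from the advisory or from McAfee's research), the following Python script triages shortcut files collected from the Windows Startup folders: it parses the LNK format far enough to recover the target path and command-line arguments, then flags shortcuts that launch a script interpreter such as AutoIt3.exe, wscript.exe or cscript.exe, that name a script file in their arguments, or that point into a user-writable directory. The sample shortcut is constructed inline by build_lnk() so the parser can be exercised offline; the interpreter list beyond AutoIt/wscript/cscript and the path heuristics are my additions, not indicators from the advisory.

```python
import os
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))

# AutoIt, wscript and cscript come from the advisory; the other hosts are my additions.
INTERPRETER_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(au3|a3x|js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK reader: LinkInfo.LocalBasePath (ANSI) plus the STRING_DATA fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                              # VolumeIDAndLocalBasePath: null-terminated path
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("latin-1")
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    out = {"target": target}
    for bit, name in STRING_FIELDS:                      # fixed order per the spec
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            out[name] = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
            pos += len(raw)
    return out


def assess_startup_lnk(link: dict) -> list:
    """Reasons a Startup shortcut deserves a look; an empty list means nothing matched."""
    target = link["target"].lower()
    exe = target.rsplit("\\", 1)[-1]
    args = link.get("arguments", "").lower()
    reasons = []
    if exe in INTERPRETER_HOSTS:
        reasons.append(f"target is a script interpreter: {exe}")
    if SCRIPT_EXT.search(args):
        reasons.append(f"arguments name a script file: {args}")
    if any(p in target for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return reasons


def scan_folder(folder: str) -> list:
    """(path, reasons) for every flagged .lnk in folder; unparseable files are reported too."""
    hits = []
    for name in (sorted(os.listdir(folder)) if os.path.isdir(folder) else []):
        if not name.lower().endswith(".lnk"):
            continue
        path = os.path.join(folder, name)
        try:
            with open(path, "rb") as fh:
                reasons = assess_startup_lnk(parse_lnk(fh.read()))
        except (ValueError, struct.error) as exc:
            reasons = [f"unparseable shortcut: {exc}"]
        if reasons:
            hits.append((path, reasons))
    return hits


def build_lnk(local_base_path: str, arguments: str) -> bytes:
    """Constructed sample shortcut (header, LinkInfo with LocalBasePath, COMMAND_LINE_ARGUMENTS)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"        # fixed drive, empty label
    base = local_base_path.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off)
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + info + volume_id + base + b"\x00" + args + b"\x00\x00\x00\x00"   # terminal block


if __name__ == "__main__":
    for folder in (os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
                   os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp")):
        for path, reasons in scan_folder(folder):
            print(path, "->", "; ".join(reasons))
```

Run it on a host to sweep both the per-user and all-users Startup folders, or point scan_folder() at a directory of shortcuts pulled from many hosts. The reader only handles the ANSI LocalBasePath and the standard string fields, which is enough to see where a shortcut goes; shortcuts it cannot parse are reported rather than silently skipped, since a malformed Startup LNK is itself worth a look.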

When its primary command-and-control infrastructure becomes unavailable, Astaroth falls back to a stealthy configuration-update mechanism: configuration data embedded, via steganography, in images hosted on GitHub. By hiding C2 configuration inside otherwise innocuous images on a legitimate platform, the operators gain a resilient, hard-to-block backup channel that blends in with normal web traffic and complicates blocking and takedown efforts.
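The advisory does not say how the configuration is encoded in the images, so the added Python example below (not the advisory's or McAfee's code) checks for one generic variant of the trick: bytes parked after the point where a PNG or JPEG decoder stops reading, which an image viewer ignores but a loader can read back. It walks PNG chunks to IEND and JPEG segments to EOI rather than searching for the end marker, so an EXIF thumbnail's own EOI does not trip it, and reports the size and entropy of whatever follows the end. The sample PNG, the JPEG byte layout and the "config" blob are constructed inline.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 suggests compressed/encrypted data, text sits around 4-5."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def png_end(data: bytes):
    """Offset just past the IEND chunk, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4            # length field, type, payload, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end(data: bytes):
    """Offset just past the EOI marker, found by walking segments (an APP1 thumbnail's
    EOI is inside a length-prefixed segment and is skipped, not mistaken for the end)."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                  # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:               # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                     # standalone markers carry no length
            continue
        if pos + 4 > n:
            return None
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xDA:               # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_data(data: bytes):
    """(format, bytes after the end marker) for PNG/JPEG input, else None."""
    for fmt, finder in (("png", png_end), ("jpeg", jpeg_end)):
        end = finder(data)
        if end is not None:
            return fmt, data[end:]
    return None


def assess_image(data: bytes, min_trailer: int = 16) -> dict:
    """Flag an image whose trailer is at least min_trailer bytes; report size and entropy."""
    found = trailing_data(data)
    if found is None:
        return {"suspicious": False, "reason": "not a parseable PNG/JPEG"}
    fmt, trailer = found
    return {"suspicious": len(trailer) >= min_trailer, "format": fmt,
            "trailer_bytes": len(trailer), "trailer_entropy": round(shannon_entropy(trailer), 2)}


# --- constructed sample input (not real Astaroth artifacts) --------------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def make_png(width: int = 2, height: int = 2) -> bytes:
    """A tiny valid RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b"")


def make_jpeg_stub() -> bytes:
    """SOI, APP0, SOS with a stuffed 0xFF00 and an RST marker, EOI: exercises the walker, not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 7) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x01" + b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + sos + b"\xff\xd9"


# A made-up "config" blob, lightly XOR-obfuscated the way a loader might hide it.
CONSTRUCTED_CONFIG = bytes(b ^ 0x5A for b in b"c2=https://example.invalid/;poll=3600")

if __name__ == "__main__":
    print(assess_image(make_png()))                       # clean: trailer_bytes 0
    print(assess_image(make_png() + CONSTRUCTED_CONFIG))  # suspicious: config after IEND
```

A trailer of a few bytes is common (tools sometimes pad), so the threshold and the entropy reading are there for triage, not as a verdict; a kilobyte of high-entropy data after IEND on an image a process fetched from a code-hosting site is the signal worth chasing. Pixel-level steganography (least-significant-bit encoding and the like) leaves no trailer and needs a different detector.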

This technique forced defenders to pursue takedowns at the platform level: McAfee reported the behavior and worked with GitHub (a Microsoft subsidiary) to remove the malicious repositories, which temporarily disrupted the campaign. Overall, Astaroth's combination of anti-analysis shutdowns, Startup-folder persistence, geo/locale gating, and GitHub-steganography failover makes it a sophisticated, evasive threat engineered to remain operational while minimizing detection and analysis.

Impact

  • Sensitive Data Theft
  • Gain Access

Indicators of Compromise

Domain Name

  • clafenval.medicarium.help

  • sprudiz.medicinatramp.click

  • blojannindor0.trovaodoceara.motorcycles

MD5

  • 6b11d98a41fb1f95cbd99ccf559872f1

  • 6b50695795ada6c00aead68d9090c739

  • 888cc4983edd91898d01386a2f005e32

SHA-256

  • 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df

  • 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c

  • 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43

SHA-1

  • bd730172327741bdb04170a56d819a8094548d98

  • 5fcce6c94043f57c0a396ffdce4f316f5e1b67cf

  • 88805130eb20b976b4838c33983c953d3ac9bc09

Remediation

  • Remove any suspicious LNK files from the Windows Startup folders (both the per-user and the all-users folder) and check for AutoIt scripts or unexpected shortcuts.
  • Use application allowlisting (e.g., Microsoft AppLocker or similar) to block unauthorized scripts and executables from running at startup.
  • Deploy and maintain modern endpoint protection/EDR that detects AutoIt-based loaders, steganography patterns, and abnormal process behavior; enable automated containment.
  • Block or monitor unusual outbound connections, especially to file-hosting/image-serving domains, and create alerts for unexpected HTTP(S) requests that retrieve images or binary blobs.
  • Inspect and scan images downloaded from public repositories (GitHub, GitLab, etc.) for hidden data or anomalous metadata; add rules to flag image downloads from untrusted repos.
  • Restrict use of developer tools and debugging ports on analyst/production machines and harden systems used for analysis to prevent accidental execution of malware.
  • Enforce least privilege for users; prevent standard accounts from writing to Startup folders or installing scripting runtimes (AutoIt).
  • Harden remote access and credentials: rotate exposed credentials, enable MFA, and monitor for suspicious logins that could indicate C2 or operator access.
  • Add network and host-based indicators to threat intel feeds (C2 domains, malicious repo names, file hashes) and block them in firewalls and URL filters.
  • Conduct targeted threat hunting for machines with non-English locales performing web requests to image-hosting services or spawning AutoIt/wscript/cscript processes.
  • Prepare an incident response playbook: isolate infected hosts, collect memory/artifacts (LNK, AutoIt scripts, downloaded images), and perform remediation and reimaging where necessary.
  • Report and coordinate takedown or removal of malicious repos with platform providers (GitHub/GitLab) and share IOC details with peers and CERTs to accelerate disruption.
  • Train users to avoid opening unexpected shortcuts/attachments and to report unusual pop-ups or startup behaviour; phishing is often the delivery vector.
  • Keep OS and security software up to date, and regularly audit startup locations, scheduled tasks, and unusual autoruns with automated tools.