Astaroth
Astaroth, also known as Guildma, is a Brazilian banking trojan targeting Windows systems. It belongs to the Latin American banking malware ecosystem and is grouped in reporting with other Brazilian banker families such as Grandoreiro, Casbaneiro, Mekotio, and Mispadu. It has been linked to TA2725, which has used Brazilian banking malware including Astaroth to target organizations mainly in Brazil, Mexico, and Spain, and to the STAC3150 cluster observed in 2025. Recent reporting also describes WhatsApp-based propagation campaigns in Brazil, including a campaign dubbed Boto Cor-de-Rosa and STAC3150 activity in which stolen WhatsApp sessions and contact lists were used to spread and deploy Astaroth.
Capabilities directly documented for the family include credential theft and banking-focused collection. Astaroth implements its core functionality in JavaScript, uses WMIC to execute payloads, can be loaded through regsvr32.exe, and has used a DGA for command-and-control. It runs the NirSoft NetPass utility to recover stored passwords, reads the clipboard via OpenClipboard and GetClipboardData, stages stolen data in a plaintext file named r1.log, Base64-encodes that data before transmission, and exfiltrates the contents of r1.log to an external C2 server.
Delivery and infection vectors mentioned include malicious email attachments, phishing emails, and malicious VBS, LNK, and HTML files for execution. One detailed 2026 intrusion chain attributed with high confidence to Astaroth/Guildma used a UTF-16LE PowerShell dropper (sthzr.ps1, SHA256 4ba3c1a20ce0bdc7f78820d9bfc337cabc75087bfce2a080e15f694d29ae4715) with anti-analysis checks and forced reboot behavior. That chain downloaded staged content from meusitehostgator.com.br infrastructure, wrote artifacts including C:\Users\Public\jyyjq.txt, C:\Users\Public\cdzbc.txt, and C:\Users\Public\cxbcw_01.ps1, reflectively loaded a .NET assembly from comma-separated byte values, and abused installutil.exe from C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil to execute a final ConfuserEx-protected .NET payload hosted at https://catalogo.castrouria.com/bl.txt. The decoded final payload had SHA256 0cb0277ade2fb8bfc49c702621c31096e1268d38d7aee06436311affa06fe750 and embedded 14 hardcoded SHA256 certificate fingerprints used to identify TLS certificates for targeted Brazilian banking portals, including Itau Unibanco, Bradesco, Caixa Economica Federal, Banco do Brasil, and Santander Brasil.
The content consistently characterizes Astaroth/Guildma as a banking trojan focused on Brazilian financial targets, with campaigns extending to Brazil, Mexico, and Spain, and with both traditional phishing delivery and newer WhatsApp-based propagation mechanisms.
Groups observed using it
2 distinct threat actors attributed by public researchers.
TA2725 is a threat actor Proofpoint tracked since March 2022 that is known for using Brazilian banking malware (including Mispadu, Astaroth, and historically Grandoreiro) and credential phishing to target organizations mainly in Brazil, Mexico, and Spain.
...another set of attacks has led to the deployment of the Astaroth banking trojan. Sophos is tracking the second cluster under the moniker STAC3150 since September 24, 2025.
Techniques & procedures
38 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The attack begins with a message containing a ZIP archive ... For any user, getting a file from a friend on WhatsApp feels much safer than opening a random email.
The attack begins with a message containing a ZIP archive (basically a compressed folder), usually named with a confusing string of digits like 552_516107-a9af16a8-552.zip.
Execution
8 techniques
The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'
The dropper is a UTF-16LE PowerShell script... The sample sthzr.ps1 arrived as a 6KB UTF-16LE encoded PowerShell file.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
If a victim opens this folder, a hidden script triggers a chain reaction.
The WhatsApp Spreader: This is a new piece of code written in Python (a file named zapbiu.py) that steals your contact list and starts sending out copies of the virus to everyone you know.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
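The execution-side evidence in this section (WMIC, cmd.exe, regsvr32.exe, a PowerShell dropper that writes stage files under C:\Users\Public and hands a .NET assembly to installutil.exe) maps directly onto process-creation and file-creation telemetry. The hunt below is an added example written for this page, not code from Astaroth or from the cited reporting: it runs five rules over constructed Sysmon-style events (IDs 1 and 11) plus a PowerShell script block event (4104) and flags hosts where at least two distinct rules fire. Host names, the stage.dll path, command-line flags, the benign DEV-07 events and the two-rule threshold are assumptions made for the demo.

```python
"""Process-telemetry hunt for the execution chain described on this page.
Added example; not Astaroth/Guildma code. Events below are constructed."""
from dataclasses import dataclass

# Interpreters a dropper uses as script/command hosts.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Paths a standard user can write to; a DLL loaded by regsvr32 from here is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DROPPED_EXT = (".ps1", ".vbs", ".js", ".lnk", ".txt", ".dll")


@dataclass
class Event:
    """Minimal projection of a Windows event. event_id follows Sysmon (1 = process
    create, 11 = file create) and PowerShell Operational (4104 = script block)."""
    event_id: int
    host: str
    image: str = ""
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""
    script_block: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def installutil_from_script_host(e: Event) -> bool:
    """installutil.exe is Microsoft-signed and normally started by installers or
    build tools, not by a script interpreter (the AppLocker/WDAC bypass above)."""
    return e.event_id == 1 and basename(e.image) == "installutil.exe" \
        and basename(e.parent_image) in SCRIPT_HOSTS


def regsvr32_user_writable_path(e: Event) -> bool:
    """regsvr32 loading a DLL that lives outside Program Files/System32."""
    cl = e.command_line.lower()
    return e.event_id == 1 and basename(e.image) == "regsvr32.exe" \
        and any(p in cl for p in USER_WRITABLE)


def wmic_from_script_host(e: Event) -> bool:
    return e.event_id == 1 and basename(e.image) == "wmic.exe" \
        and basename(e.parent_image) in SCRIPT_HOSTS


def public_script_drop(e: Event) -> bool:
    """A script host writing stage files into Users/Public, as in the chain above."""
    t = e.target_filename.lower()
    return e.event_id == 11 and basename(e.image) in SCRIPT_HOSTS \
        and t.startswith("c:\\users\\public\\") and t.endswith(DROPPED_EXT)


def forced_reboot_from_powershell(e: Event) -> bool:
    """Restart-Computer -Force from PowerShell, checked on the command line and on
    4104 script block text. Invoke-Expression logs the string it evaluates as its
    own script block, so the "Resta" + "rt-..." split does not hide it there."""
    text = (e.command_line + " " + e.script_block).lower()
    return e.event_id in (1, 4104) and basename(e.image) in {"powershell.exe", "pwsh.exe"} \
        and "restart-computer" in text and "-force" in text


RULES = {f.__name__: f for f in (installutil_from_script_host, regsvr32_user_writable_path,
                                  wmic_from_script_host, public_script_drop,
                                  forced_reboot_from_powershell)}


def run_rules(events):
    """Return (host, rule_name) for every event that matches a rule."""
    return [(e.host, name) for e in events for name, rule in RULES.items() if rule(e)]


def hosts_with_chain(events, min_rules: int = 2):
    """Hosts where at least min_rules distinct rules fired. One hit is a triage
    lead; two or more on the same host look like the staged chain."""
    by_host: dict = {}
    for host, name in run_rules(events):
        by_host.setdefault(host, set()).add(name)
    return {h: sorted(n) for h, n in by_host.items() if len(n) >= min_rules}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry; paths and flags are assumptions
    # WS-01: the PowerShell-to-.NET chain
    Event(1, "WS-01", image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell.exe -File C:\Users\Public\sthzr.ps1"),
    Event(11, "WS-01", image=PS, target_filename=r"C:\Users\Public\cxbcw_01.ps1"),
    Event(11, "WS-01", image=PS, target_filename=r"C:\Users\Public\stage.dll"),
    Event(1, "WS-01", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
          parent_image=PS, command_line=r"installutil.exe C:\Users\Public\stage.dll"),
    Event(4104, "WS-01", image=PS, script_block="Restart-Computer -Force"),
    # WS-02: WMIC and regsvr32 launched from a VBS host
    Event(1, "WS-02", image=r"C:\Windows\System32\wbem\wmic.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          command_line="wmic.exe process call create notepad.exe"),
    Event(1, "WS-02", image=r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          command_line=r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll"),
    # DEV-07: benign installer activity that must not fire
    Event(1, "DEV-07", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
          parent_image=r"C:\Windows\System32\msiexec.exe",
          command_line=r"installutil.exe C:\Program Files\Vendor\Service.exe"),
    Event(1, "DEV-07", image=r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Windows\System32\msiexec.exe",
          command_line=r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for host, rules in hosts_with_chain(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The parent-process conditions are what keep the installutil and regsvr32 rules quiet on DEV-07: both binaries are legitimate and common, so the signal is who launched them and where the argument lives, not the binary itself. The rules deliberately ignore the initial powershell.exe launch, which is too common to alert on alone; it only becomes interesting once a sibling rule fires on the same host.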
Persistence
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
The content repeatedly references malicious shortcut files: e.g., "APT38 has used malicious Word documents and shortcut files," "Bumblebee... opening an ISO file to enable execution of malicious shortcut files and DLLs," and "Mustang Panda distributed malicious LNK objects for user execution."
Privilege Escalation
3 techniques
The assembly imports... Win32 injection APIs (LoadLibrary, GetProcAddress, GetDelegateForFunctionPointer, OpenProcess) -- the toolkit for process injection
Stealth
11 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Later, in October 2025, it was found abusing GitHub to hide its backup files inside images.
That string concatenation is the second layer of evasion within the evasion... jTifh -- a function that executes: "Resta" + "rt-Computer -Force".
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
installutil.exe is a Microsoft-signed .NET Framework utility... Because it is signed by Microsoft, it is trusted by default in AppLocker and WDAC policies... The malware abuses this trust to load arbitrary .NET code.
Before executing any payload logic, the dropper verifies internet connectivity... In a sandbox that intercepts or blocks ICMP, the result is either $null or a single error object... If connectivity passes, the dropper checks for running analysis tools.
T1497.003 (Time Based Evasion): Start-Sleep -Seconds 5 delays between stages
Further probing revealed that the malware hides its main files in a very specific spot on the computer: C:\Public\MicrosoftEdgeCache_6.60.2.9313.
Calls [System.Reflection.Assembly]::Load($bytes) -- reflective loading that avoids writing the DLL to disk as a PE file
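The dropper traits collected in this section and in the intrusion chain above (UTF-16LE encoding, the "Resta" + "rt-Computer -Force" string split, a .NET assembly rebuilt from comma-separated byte values and passed to [System.Reflection.Assembly]::Load, Start-Sleep staging, the Cache-Control: no-cache header, installutil.exe) can all be checked statically before a sample is detonated. The triage script below is an added example written for this page; it is not Astaroth's code and not code from the cited reporting. The script it analyses is a constructed stand-in that carries the same traits, not sthzr.ps1, and the indicator names, the eight-value minimum for byte arrays and the UTF-16 heuristic are my choices.

```python
"""Static triage for a PowerShell dropper with the traits listed on this page.

Added example; not Astaroth/Guildma code and not code from the cited reporting.
The sample script is a constructed stand-in with the same traits, not sthzr.ps1.
"""
import codecs
import hashlib
import re

# Decimal byte list of at least eight values in parentheses, e.g. (77,90,144,0,...).
BYTE_ARRAY_RE = re.compile(r"\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\)")
# Two adjacent string literals joined with '+': the "Resta" + "rt-Computer -Force" split.
CONCAT_RE = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")

# Indicator names are my labels; each regex targets one trait the page describes.
INDICATOR_PATTERNS = {
    "installutil.exe": re.compile(r"installutil(?:\.exe)?\b", re.I),
    "reflective_assembly_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "forced_reboot": re.compile(r"Restart-Computer\s+-Force", re.I),
    "time_delay": re.compile(r"Start-Sleep\b", re.I),
    "no_cache_header": re.compile(r"Cache-Control\W+no-cache", re.I),
    "public_dir_artifact": re.compile(r"C:\\Users\\Public\\", re.I),
}

# Constructed stand-in for the dropper: UTF-16LE with BOM. No bytes come from a real sample.
SAMPLE_PS1 = codecs.BOM_UTF16_LE + (
    "Start-Sleep -Seconds 5\n"
    'function jTifh { Invoke-Expression ("Resta" + "rt-Computer -Force") }\n'
    "$wc = New-Object System.Net.WebClient\n"
    '$wc.Headers.Add("Cache-Control", "no-cache")\n'
    "$bytes = [byte[]](77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0)\n"
    "[System.Reflection.Assembly]::Load($bytes) | Out-Null\n"
    '& "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\installutil.exe" C:\\Users\\Public\\stage.dll\n'
).encode("utf-16-le")


def decode_script(raw: bytes):
    """Return (text, encoding). A BOM settles it; a BOM-less UTF-16LE file is
    recognised by NUL bytes in the odd positions of ASCII-heavy text."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[2:].decode("utf-16-be"), "utf-16-be"
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace"), "utf-16-le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def fold_concatenation(text: str) -> str:
    """Join literal + literal pairs until none remain. A heuristic: it does not
    parse PowerShell and ignores variables, so odd quoting can be over-joined."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', text)
    return text


def carve_byte_arrays(text: str):
    """Rebuild comma-separated decimal byte values into bytes so the embedded
    assembly can be hashed and compared with published SHA256 values."""
    blobs = []
    for m in BYTE_ARRAY_RE.finditer(text):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(1))]
        if all(v <= 255 for v in values):
            blobs.append(bytes(values))
    return blobs


def triage(raw: bytes) -> dict:
    """Decode, fold string splits, carve embedded blobs, then match indicators
    against the folded text rather than the raw one."""
    text, encoding = decode_script(raw)
    folded = fold_concatenation(text)
    blobs = carve_byte_arrays(folded)
    return {
        "encoding": encoding,
        "indicators": sorted(n for n, rx in INDICATOR_PATTERNS.items() if rx.search(folded)),
        "deobfuscated": folded,
        "blob_sha256": [hashlib.sha256(b).hexdigest() for b in blobs],
        "embedded_pe": any(b.startswith(b"MZ") for b in blobs),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PS1)
    print(result["encoding"], result["indicators"], result["embedded_pe"])
```

Folding the concatenation before matching is the step that matters: Restart-Computer -Force never occurs as one token in the raw text, so a grep over the original file misses it. Carving the byte array gives you the embedded assembly as bytes, which is what you hash to compare with the SHA256 values published for the final payload. For live systems the complementary control is PowerShell script block logging (event 4104), which records the string Invoke-Expression evaluates as its own script block.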
Defense Impairment
1 technique
The decoded DLL embeds 14 SHA256 certificate fingerprints hardcoded as string constants... When Astaroth detects a TLS handshake whose server certificate matches one of these hashes, it interposes on the connection to capture banking credentials.
Credential Access
5 techniques
In February 2025, a version of Astaroth was found that could bypass two-factor authentication to steal Gmail and Microsoft logins.
T1539 (Steal Web Session Cookie): browser injection for banking session credential capture
T1552 (Unsecured Credentials): banking credential theft via overlay/hook on targeted HTTPS sessions
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
Discovery
6 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUSerDefaultUILanguage function."
Collection
1 technique
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Command and Control
2 techniques
The dropper configures its web client... Headers.Add("Cache-Control", "no-cache")... The secondary URL decodes to https://catalogo.castrouria.com/bl.txt
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Impact
1 technique
If the check fails, the dropper calls jTifh... 'Restart-Computer -Force'... If any of these twelve processes are found, the same forced reboot is triggered.
IOCs tracked for this family
58 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
82 sources tracked across advisories, community write-ups, and news.
Referenced as part of the Brazilian banking trojan ecosystem for comparison with VENON; no additional behavior details are provided in the content.
Brazilian banking trojan delivered through a multi-stage PowerShell-to-.NET infection chain. It uses anti-analysis checks, reflective .NET loading, InstallUtil abuse for AppLocker/WDAC bypass, process injection, and targeted HTTPS interception using hardcoded banking certificate SHA256 fingerprints to steal credentials from Brazilian financial institutions.
Named as a banking malware payload delivered via SORVEPOTEL/WhatsApp lure chains; described as running fully in memory in at least one observed chain.
Windows banking trojan distributed via WhatsApp worm-like propagation by auto-messaging contacts; campaign targeted Brazil.