Astaroth Malware Targets Latin American Banking with Sophisticated Anti-Analysis Tactics
October 13, 2025
Security experts recommend avoiding unknown attachments or links, keeping antivirus software updated, and enabling two-factor authentication to reduce infection risks.
Persistence is maintained by dropping shortcut (.lnk) files in startup folders, including the Windows Startup folder, so the malicious AutoIt script is relaunched after every reboot.
The malware hosts its configuration on GitHub, so it can keep pulling updates and remain operational even after its other infrastructure is taken down, which shows a high level of sophistication.
Astaroth is a sophisticated banking and cryptocurrency credential-stealing malware that monitors victims' visits to targeted websites, captures login credentials through keylogging, and transmits the stolen data through an Ngrok reverse proxy.
The malware incorporates anti-analysis features: it shuts itself down if it detects emulators, debuggers, or analysis tools such as IDA Pro, WinDbg, and Wireshark, and it can even shut down the host system.
Astaroth activates keylogging specifically when victims visit certain banking and crypto-related websites, aiming to steal sensitive login information.
Trend Micro has published Indicators of Compromise (IoCs) related to this campaign to assist in detection and mitigation efforts.
The infection chain begins with phishing emails containing links to ZIP files; these launch obfuscated JavaScript through mshta.exe, which then downloads additional malicious components.
Victims are tricked into downloading Windows shortcut (.lnk) files via phishing emails; opening them silently installs the Astaroth malware.
Despite takedown efforts against its command-and-control servers, Astaroth persists by updating its configuration from GitHub, where the malware configuration is hosted and hidden inside images using steganography.
The malware primarily targets users in Brazil and other Latin American countries; earlier campaigns in 2024 also focused on Brazil and used phishing emails to distribute the malware.
Persistence is further maintained by dropping LNK files in startup folders, and the malware employs geofencing and locale checks to avoid detection or analysis.
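As an added detection example (not code from this article or any of its sources), the following Python flags the two host-observable steps of the chain described above: mshta.exe launched with inline script or a URL on its command line, and a shortcut written into a Startup folder. The event field names and the sample events are assumptions, loosely modelled on Sysmon process-create and file-create records.

```python
"""Flag host telemetry matching the Astaroth delivery and persistence steps.

Event dicts are an assumed, simplified shape (host, type, image/cmdline or
target); adapt the field names to whatever your EDR or Sysmon pipeline emits.
"""
import re

# mshta.exe being handed script content or a URL rather than a local .hta file
MSHTA_SUSPECT = re.compile(r"(javascript:|vbscript:|https?://)", re.I)

# a .lnk landing in a per-user or all-users Startup folder (what the trojan uses to survive reboots)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.I)


def check_event(ev):
    """Return the names of the rules one event matches (empty list if none)."""
    hits = []
    if ev["type"] == "process_create":
        if ev["image"].lower().endswith("\\mshta.exe") and MSHTA_SUSPECT.search(ev["cmdline"]):
            hits.append("mshta_script_launch")
    elif ev["type"] == "file_create":
        if STARTUP_LNK.search(ev["target"]):
            hits.append("startup_lnk_drop")
    return hits


def scan(events):
    """Group rule hits per host; a host showing both stages is the strongest signal."""
    per_host = {}
    for ev in events:
        for rule in check_event(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed sample events; paths and hostnames are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage2.hta"},
    {"host": "ws01", "type": "file_create",
     "target": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # benign: a vendor help file opened with mshta.exe, and a shortcut on the desktop
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"host": "ws02", "type": "file_create", "target": r"C:\Users\bob\Desktop\notes.lnk"},
]

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(host, rules)
```

Legitimate HTA applications can trigger the mshta rule on their own, so treat a single hit as a lead and the combination with a Startup-folder shortcut drop as the higher-confidence alert.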
Summary based on 4 sources
Sources

The Hacker News • Oct 13, 2025
Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns
Decrypt • Oct 11, 2025
Astaroth Banking Trojan Harnessing GitHub to Steal Crypto Credentials
Security Affairs • Oct 13, 2025
Astaroth Trojan abuses GitHub to host configs and evade takedowns
Live Bitcoin News • Oct 13, 2025
Crypto News Today: Crypto Credentials Are Being Stolen via GitHub by Astaroth Trojan