Astaroth is a trojan and information stealer of sensitive information such as user credentials using a key logger module, operating system calls interception, and clipboard monitoring. It is used in a fileless malware campaign in the memory of infected computers. Astaroth also abuses living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Command-line (WMIC) to steathily download and install malware payloads in the background.

The multi-stage infection process begins with a spear-phishing email containing a malicious link to an LNK file. When clicked, it downloads and executes JavaScript code, which downloads the payload by abusing the Bitsadmin tool. The malicious payloads downloaded in the background are all Base64 encoded and are decoded on systems using the Certutil tool in the form of four DLLs that will be loaded using the Regsvr32 tool.


  • July 2019: Researchers believe the banking trojan called Guildma, and Astaroth are the same malware. Both use Avast binary aswrundll.exe as a LOLBin. Guildma is a complex malware that is a combination of spyware, RAT, password stealer, and banking malware. Until recent reports, the malware appeared to stay within Brazil. Guildma/Astaroth has been observed targeting approximately 130 banks and web services such as, Netflix, Amazon, and Google Mail, although currently not exploiting computers using the English language. (Avast)

  • September 2019: Astaroth Trojan uses Cloudflare workers to bypass AV software. (Bleeping Computer)

Technical Details

  • BleepingComputer provides technical details and indicators of compromise on recent Astaroth activity, available here.