Saturday, May 31, 2025
HomeMalwareHackers using Facebook and YouTube Profiles to Host Astaroth Malware C2 Server

Hackers using Facebook and YouTube Profiles to Host Astaroth Malware C2 Server

Published on

SIEM as a Service

Follow Us on Google News

Cybercriminals abusing Facebook and YouTube profiles to host the Astaroth malware that launches through sophisticated phishing campaign to target mainly Brazilian citizens.

Threat actors behind the Astaroth Trojan using a various trusted source to compromise and steal the sensitive the data from the victims.

Security research community motioning Astaroth Trojan activities since 2018 and the malware evade the various security protection by abusing the antivirus to intrude the targeted device.

- Advertisement - Google News

Astaroth leverages the legitimate windows services to drop the payload, and the method will help to easily bypass the security protection.

Researchers from Cofense uncovered a phishing email campaign that temp users to open a .htm file which is the initial stage of start the infection.

Astaroth Malware Infection Process

Once the Victims opens the .htm file, it downloads a zip file that contains .LNK file which downloads JavaScript.

Soon after Javascript code download multiple files that execute the Astaroth information stealer.

Researchers discovered a two .DLL files that associated with the legitimate program ( ‘C:\Program Files\Internet Explorer\ExtExport.exe’.) to run malicious code from trusted sources.

According to Cofense report ” The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources. “

In order to maintain the C2 configuration data, threat actors using the Facebook and YouTube profiles description with base64 encoded and custom encrypted.

Threat actors cleverly hosting the C2 data within these trusted sources to bypass the network security, and gather the victim’s information to collect the sensitive information such as stored passwords in the browser, email client credentials, SSH credentials, and more.

After the malware collects all the data, it bundles and encrypts sent via HTTPS POST to a site from the C2 list.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Use AI-Generated Videos on TikTok to Spread Info-Stealing Malware

TrendMicro has uncovered a sophisticated campaign where threat actors are exploiting TikTok to distribute...

Novel Malware Evades Detection by Skipping PE Header in Windows

Researchers have identified a sophisticated new strain of malware that bypasses traditional detection mechanisms...

New Rust-Based InfoStealer Uses Fake CAPTCHA to Deliver EDDIESTEALER

A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, has been uncovered by Elastic Security Labs,...