Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0373: Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

EnterpriseS0373MalwareObject v2.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Astaroth is a Windows Trojan and information stealer publicly known since at least 2017 and described by ATT&CK as affecting organizations in Europe, Brazil, and Latin America. Its business significance is not just malware presence; the mapped behaviors show a full theft workflow: user-driven execution, abuse of legitimate Windows components, obfuscation, discovery, credential and clipboard collection, local staging, command-and-control, and exfiltration.

Executive priority

Prioritize Astaroth as a validation case for endpoint visibility, identity-risk reduction, and incident response readiness on Windows systems. Leaders should ask whether the organization can prove collection of process, script, WMI, command-line, file, and network evidence needed to investigate an information-stealing intrusion, especially where user-opened files and legitimate Windows utilities may be involved. This is also relevant for audit evidence around malware defense, credential protection, data loss monitoring, and regional risk where Europe, Brazil, or Latin America exposure matters.

Technical view

ATT&CK provides no official detection text for Astaroth, so defenders should build coverage from the related techniques. Validate monitoring for Windows execution through WMI, cmd, Visual Basic/JScript, CHM, Regsvr32, and shared module loading; stealth indicators such as software packing, encoded/encrypted files, command obfuscation, deobfuscation, and process hollowing; discovery of system, network, time, and running process information; collection via keylogging and clipboard access; local data staging; ingress tool transfer; C2 through dead-drop resolvers and standard encoding; and exfiltration over the C2 channel.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • WMI activity and parent-child process relationships
  • Script execution telemetry for Visual Basic, JScript/JavaScript, and command shell usage
  • Module load and DLL/shared module activity
  • Regsvr32.exe and CHM/HTML Help execution events

Detection direction

  • Because MITRE provides no official detection guidance for this malware object, start with technique-level analytics rather than a single malware signature.
  • Correlate user-opened malicious file behavior with follow-on script, WMI, cmd, Regsvr32, CHM, or module-loading activity on Windows endpoints.
  • Tune for suspicious use of legitimate Windows components while accounting for administrative software, help files, scripts, and management tooling that may create false positives.
  • Look for chained behavior: obfuscated or encoded content, decoding activity, discovery commands, credential or clipboard collection signals, local staging, then outbound C2 or exfiltration-like traffic.
  • Pay special attention to visibility gaps caused by software packing, command obfuscation, encoded files, and process hollowing, since these can reduce the value of simple hash or command-string matching.

Mitigation priorities

  • Reduce user-execution risk through hardened email/web delivery controls and user-focused handling of suspicious files, consistent with the mapped malicious-file execution behavior.
  • Restrict and monitor abuse-prone Windows utilities and scripting paths such as WMI, command shell, Visual Basic/JScript, CHM handling, and Regsvr32 where business operations allow.
  • Strengthen endpoint protection and logging for packed/encoded files, process hollowing, module loading, and suspicious parent-child process chains.
  • Protect credentials by prioritizing controls and monitoring around keylogging risk, clipboard exposure, and unusual authentication activity following suspected infection.
  • Ensure network egress monitoring can identify unusual dead-drop resolver, tool transfer, encoded C2, and exfiltration-over-C2 patterns.
Analyst notes and limits

Astaroth is a useful ATT&CK object for testing whether a SOC can connect endpoint, identity, and network evidence into one intrusion narrative. The strongest defensive value comes from validating telemetry coverage across the related techniques, not from treating the malware name alone as a detection strategy.

The supplied ATT&CK object has no official detection text, no aliases, no labels, and no explicit tactics listed on the malware object itself. Technique relationships provide behavioral context, but local prevalence, active campaigns, exact indicators, and confirmed exposure require environment-specific intelligence and telemetry.

Official MITRE ATT&CK definition

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

36 rows
Domain ID Name Relationship / procedure
Enterprise T1102.001 Dead Drop Resolver Sub-technique

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.[3]
Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine. [2]
Enterprise T1564.003 Hidden Window Sub-technique

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[3]
Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [1]
Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system. [2][1]
Enterprise T1497.001 System Checks Sub-technique

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.[3]
Enterprise T1129 Shared Modules

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]
Enterprise T1059.005 Visual Basic Sub-technique

Astaroth has used malicious VBS e-mail attachments for execution.[3]
Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system.[1]
Enterprise T1204.002 Malicious File Sub-technique

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[3]
Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1][3]
Enterprise T1132.001 Standard Encoding Sub-technique

Astaroth encodes data using Base64 before sending it to the C2 server. [2]
Enterprise T1027.002 Software Packing Sub-technique

Astaroth uses a software packer called Pe123\RPolyCryptor.[1]
Enterprise T1218.010 Regsvr32 Sub-technique

Astaroth can be loaded through regsvr32.exe.[1]
Enterprise T1518.001 Security Software Discovery Sub-technique

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [2]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

Astaroth has been delivered via malicious e-mail attachments.[3]
Enterprise T1056.001 Keylogging Sub-technique

Astaroth logs keystrokes from the victim's machine. [2]
Enterprise T1574.001 DLL Sub-technique

Astaroth can launch itself via DLL Search Order Hijacking.[3]
Enterprise T1059.007 JavaScript Sub-technique

Astaroth uses JavaScript to perform its core functionalities. [2][3]
Enterprise T1041 Exfiltration Over C2 Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]
Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]
Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system. [2]
Enterprise T1055.012 Process Hollowing Sub-technique

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.[1][3]
Enterprise T1547.009 Shortcut Modification Sub-technique

Astaroth's initial payload is a malicious .LNK file. [2][1]
Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads. [2]
Enterprise T1555 Credentials from Password Stores

Astaroth uses an external software known as NetPass to recover passwords. [1]
Enterprise T1105 Ingress Tool Transfer

Astaroth uses certutil and BITSAdmin to download additional malware. [2][1][3]
Enterprise T1552 Unsecured Credentials

Astaroth uses an external software known as NetPass to recover passwords. [1]
Enterprise T1027.010 Command Obfuscation Sub-technique

Astaroth has obfuscated and randomized parts of the JScript code it is initiating.[1]
Enterprise T1564.004 NTFS File Attributes Sub-technique

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.[3]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Astaroth creates a startup item for persistence. [2]
Enterprise T1218.001 Compiled HTML File Sub-technique

Astaroth uses ActiveX objects for file execution and manipulation. [2]
Enterprise T1568.002 Domain Generation Algorithms Sub-technique

Astaroth has used a DGA in C2 communications.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

Astaroth spawns a CMD process to execute commands. [1]
Enterprise T1074.001 Local Data Staging Sub-technique

Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]
Relationship explorer

All related ATT&CK context

uses · Technique T1102.001: Dead Drop Resolver Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Technique T1564.003: Hidden Window Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1115: Clipboard Data Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1497.001: System Checks Enterprise uses · Technique T1129: Shared Modules Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1027.002: Software Packing Enterprise uses · Technique T1218.010: Regsvr32 Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1574.001: DLL Enterprise uses · Technique T1059.007: JavaScript Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1220: XSL Script Processing Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1055.012: Process Hollowing Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.3
Created
Modified
Raw hash
71f65e9ba853f4d2...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.3 Current bundle 71f65e9ba853…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cybereason Astaroth Feb 2019

    Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

    Open source URL
  2. [2]
    Cofense Astaroth Sept 2018

    Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.

    Open source URL
  3. [3]
    Securelist Brazilian Banking Malware July 2020

    GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

    Open source URL
  4. [4]
    Guildma

    (Citation: Securelist Brazilian Banking Malware July 2020)

  5. [5]
    mitre-attack S0373
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use