{
	"id": "2178b32e-4f0e-40fa-9f2e-15ad5c8595e7",
	"created_at": "2026-04-06T00:07:25.550201Z",
	"updated_at": "2026-04-10T03:23:51.527164Z",
	"deleted_at": null,
	"sha1_hash": "6a0b6bb856dc63825eec3f04eaf67ff025d1185c",
	"title": "Latest Astaroth attacks are even more invisible but not less observable",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1688350,
	"plain_text": "Latest Astaroth attacks are even more invisible but not less\r\nobservable\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2020-03-23 · Archived: 2026-04-05 13:50:00 UTC\r\nFollowing a short hiatus, Astaroth came back to life in early February sporting significant changes in its attack\r\nchain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate\r\nprocesses to attempt running undetected on compromised machines. The updated attack chain, which we started\r\nseeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection\r\nevasion.\r\nFigure 1. Microsoft Defender ATP data showing revival of Astaroth campaigns\r\nhttps://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/\r\nPage 1 of 11\n\nFigure 2. Geographic distribution of Astaroth campaigns this year, with majority of encounters recorded in Brazil\r\nWhen we first blogged about Astaroth’s methods, we noted how it completely lived off the land to avoid\r\ndetection: only system tools that already exist on the machine are ever executed. In fact, it was an unusual\r\nspike in activities related to Windows Management Instrumentation Command-line (WMIC) that prompted our\r\ninvestigation and eventually exposed the Astaroth campaign.\r\nAstaroth now completely avoids the use of WMIC and related techniques to bypass existing detections. Instead,\r\nthe attackers introduced new techniques that make the attack chain even stealthier:\r\nAbusing Alternate Data Streams (ADS) to hide malicious payloads\r\nAbusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload\r\nAstaroth exemplifies how living-off-the-land techniques have become standard components of today’s attacks\r\nintent on evading security solutions. 
However, as we mentioned in our previous blog on Astaroth, fileless threats\r\nare very much observable. These threats still leave a large memory footprint that can be inspected and\r\nblocked as they happen. Next-generation protection and behavioral containment and blocking capabilities in\r\nMicrosoft Defender Advanced Threat Protection (Microsoft Defender ATP) lead the charge in exposing threats\r\nlike Astaroth.\r\nIn this blog, we’ll share our technical analysis of the revamped Astaroth attack chain and demonstrate how\r\nspecific Microsoft technologies tackle the multiple advanced components of the attack.\r\nDismantling the new Astaroth attack chain\r\nThe attackers were careful to ensure the updates didn’t make Astaroth easier to detect; on the contrary, the updates\r\nonly make Astaroth’s activities even more invisible.\r\nOne of the most significant updates is the use of Alternate Data Streams (ADS), which Astaroth abuses at several\r\nstages to perform various activities. ADS is a file attribute that allows a user to attach data to an existing file. The\r\nstream data and its size are not visible in File Explorer, so attackers abuse this feature to hide malicious code in\r\nplain sight.\r\nFigure 2. Astaroth attack chain 2020\r\nIn the case of Astaroth, attackers hide binary data inside the ADS of the file desktop.ini, without changing the file\r\nsize. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.\r\nFigure 3. Desktop.ini before and after infection\r\nThe complex attack chain, which involves the use of multiple living-off-the-land binaries (LOLBins), results in\r\nthe eventual loading of the Astaroth malware directly in memory. 
When running, Astaroth decrypts plugins that\r\nallow it to steal sensitive information, like email passwords and browser passwords.\r\nIn the succeeding sections, we describe each step of Astaroth’s attack chain in detail.\r\nArrival\r\nThe attack begins with an email with a message in Portuguese that translates to: “Please find in the link below the\r\nSTATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The email contains a link that points to a\r\nURL hosting an archive file, Arquivo_PDF_\u003cdate\u003e.zip, which contains a LNK file with a similarly misleading\r\nname. When clicked, the LNK file runs an obfuscated BAT command line.\r\nFigure 4. Sample email used in latest Astaroth attacks\r\nThe BAT command drops a single-line JavaScript file to the Pictures folder and invokes explorer.exe to run the\r\nJavaScript file.\r\nThe dropped one-liner script uses the GetObject technique to fetch and run the much larger main JavaScript\r\ndirectly in memory:\r\nBITSAdmin abuse\r\nThe main script then invokes multiple instances of BITSAdmin using a benign-looking command line to\r\ndownload multiple binary blobs from a command-and-control (C2) server:\r\nThe downloaded payloads are encrypted and have the following file names:\r\nmasihaddajjaldwwn.gif\r\nmasihaddajjalc.jpg\r\nmasihaddajjala.jpg\r\nmasihaddajjalb.jpg\r\nmasihaddajjaldx.gif\r\nmasihaddajjalg.gif\r\nmasihaddajjalgx.gif\r\nmasihaddajjali.gif\r\nmasihaddajjalxa.~\r\nmasihaddajjalxb.~\r\nmasihaddajjalxc.~\r\nmasihaddajjal64w.dll\r\nmasihaddajjal64q.dll\r\nmasihaddajjal64e.dll\r\nAlternate Data Streams abuse\r\nAs mentioned, the new Astaroth attacks use a clever technique of copying 
downloaded data to the ADS of\r\ndesktop.ini. For each download, the content is copied to the ADS, and then the original content is deleted. These\r\nsteps are repeated for all downloaded payloads.\r\nAnother way that Astaroth abuses ADS is when it runs a script to find installed security products. A malicious\r\nscript responsible for enumerating security products is dropped and then copied as an ADS to an empty text file.\r\nThe execution command line looks like this:\r\nExtExport.exe abuse\r\nThe main script combines three separately downloaded binary blobs to form the first-stage malware code:\r\nThe script then uses a LOLBin not previously seen in Astaroth attacks to load the first-stage malware code:\r\nExtExport.exe, which is a legitimate utility shipped as part of Internet Explorer. Attackers can load any DLL by\r\npassing an attacker-controlled path to the tool. The tool searches for any DLL with the following file names:\r\nmozcrt19.dll, mozsqlite3.dll, or sqlite3.dll. Attackers need only rename the malicious payload to one of these\r\nnames, and it is loaded by ExtExport.exe.\r\nUserinit.exe abuse\r\nThe newly loaded DLL (mozcrt19.dll, mozsqlite3.dll, or sqlite3.dll) is a proxy that reads three binary ADS streams\r\n(desktop.ini:masihaddajjalxa.~, desktop.ini:masihaddajjalxb.~, and desktop.ini:masihaddajjalxc.~) and combines\r\nthese into a DLL. The newly formed DLL is the second-stage malware code and is loaded in the same process\r\nusing the reflective DLL loading technique.\r\nThe newly loaded DLL is also a proxy that reads and decrypts another ADS stream\r\n(desktop.ini:masihaddajjalgx.gif) into a DLL. 
This DLL is injected into userinit.exe using the process hollowing\r\ntechnique.\r\nThe newly loaded DLL inside userinit.exe is again a proxy that reads and decrypts another ADS stream\r\n(desktop.ini:masihaddajjalg.gif) into a DLL. This DLL is the malicious info-stealer known as Astaroth and is\r\nreflectively loaded inside userinit.exe. Hence, Astaroth never touches the disk and is loaded directly in memory,\r\nmaking it very evasive.\r\nAstaroth payload\r\nWhen running, the Astaroth payload then reads and decrypts more components from the ADS stream of\r\ndesktop.ini (desktop.ini:masihaddajjaldwwn.gif, desktop.ini:masihaddajjalc.jpg, desktop.ini:masihaddajjala.jpg,\r\ndesktop.ini:masihaddajjalb.jpg, and desktop.ini:masihaddajjali.gif).\r\nSome of these components are credential-stealing plugins hidden inside the ADS stream of desktop.ini. Astaroth\r\nabuses these plugins to steal information from compromised systems:\r\nNirSoft’s MailPassView – an email client password recovery tool\r\nNirSoft’s WebBrowserPassView – a web browser password recovery tool\r\nAs mentioned, Astaroth also finds installed security products. It then attempts to disable these security products.\r\nFor Microsoft Defender Antivirus customers, tamper protection prevents such malicious and unauthorized changes\r\nto security settings.\r\nComprehensive, dynamic protection against living-off-the-land, fileless, and other\r\nsophisticated threats with Microsoft Threat Protection\r\nAttackers are increasingly turning to living-off-the-land techniques to attempt running undetected for as long as\r\npossible on systems. 
Because these attacks use multiple executables that are native to the system and have\r\nlegitimate uses, they require a comprehensive, behavior-based approach to detection.\r\nMicrosoft Threat Protection combines and orchestrates into a single solution the capabilities of multiple Microsoft\r\nsecurity services to coordinate protection, detection, response, and prevention across endpoints, email, identities,\r\nand apps.\r\nIn the case of Astaroth, Office 365 ATP detects the malware delivery via email. Using detonation-based heuristics\r\nand machine learning, Office 365 ATP inspects links and attachments to identify malicious artifacts.\r\nOn endpoints, next-generation protection capabilities in Microsoft Defender ATP detect and prevent some\r\ncomponents of Astaroth’s new attack chain. Notably, through Antimalware Scan Interface (AMSI), Microsoft\r\nDefender ATP can inspect the encrypted malicious scripts used in the initial stages of the attack.\r\nFor the more sophisticated sections of the attack chain, behavioral blocking and containment capabilities provide\r\ndynamic protection that can stop malicious behaviors and process trees. Behavior-based protections are key to\r\nexposing living-off-the-land threats that abuse and hide behind legitimate processes. These protections identify\r\nsuspicious behavior sequences and advanced attack techniques observed on the client, which are used as triggers\r\nto analyze the process tree using real-time machine learning models in the cloud.\r\nFigure 5. Preventive and behavior-based blocking \u0026 containment protections against Astaroth\r\nThese behavior-based detections raise alerts in Microsoft Defender Security Center. 
With behavioral blocking and\r\ncontainment, not only are evasive threats exposed, detected, and stopped; security operations personnel are also\r\nnotified so they can thoroughly investigate and remediate the root cause.\r\nFigure 6. Sample Microsoft Defender ATP alerts on behavior-based detections of Astaroth’s activities\r\nMicrosoft Defender ATP’s EDR capabilities also have very strong coverage of advanced techniques employed by\r\nAstaroth, including cross-process migration, code injection, and use of LOLBins.\r\nFigure 7. Sample Microsoft Defender ATP EDR alert and process tree on Astaroth’s behaviors\r\nWe expect Astaroth to further develop and increase in complexity, as long-running malware campaigns do. We\r\nwill continue to watch this evolving threat and ensure that customers are protected from future updates through\r\ndurable behavior-based protections.\r\nHardik Suri\r\nMicrosoft Defender ATP Research Team\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft Threat Protection and Microsoft\r\nDefender ATP tech communities.\r\nRead all Microsoft security intelligence blog posts.\r\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/"
	],
	"report_names": [
		"latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a0b6bb856dc63825eec3f04eaf67ff025d1185c.pdf",
		"text": "https://archive.orkl.eu/6a0b6bb856dc63825eec3f04eaf67ff025d1185c.txt",
		"img": "https://archive.orkl.eu/6a0b6bb856dc63825eec3f04eaf67ff025d1185c.jpg"
	}
}