{
	"id": "8de9eb44-04f3-48af-8c80-4b7cfb240b33",
	"created_at": "2026-04-06T00:17:08.918095Z",
	"updated_at": "2026-04-10T03:21:18.684622Z",
	"deleted_at": null,
	"sha1_hash": "d49d80baacfdaf0cd232d4f6cbe3a690301b3d82",
	"title": "We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan - Cofense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1381226,
	"plain_text": "We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan\r\n- Cofense\r\nBy Cofense\r\nPublished: 2018-09-10 · Archived: 2026-04-05 16:04:16 UTC\r\nBy Jerome Doaty and Garrett Primm\r\nThe Cofense™ Phishing Defense Center (PDC) has recently defended against a resurgence of Astaroth, with dozens of hits across our customer base in the last week. In just one week, an estimated 8,000 machines have potentially been compromised.\r\nThe Astaroth trojan, named for its use of satanic variable names (Astaroth is the “Great Duke of Hell” in ancient lore), has been around since late 2017. Astaroth is known for infecting victims through fake invoice emails, the majority of which originate from a malicious sender impersonating legitimate services using cam.br domains.\r\nFig. 1 Impersonating TicketLog\r\nThis revived campaign has been well planned and supported, exclusively targeting South Americans. All the campaign’s URLs are Cloudflare hosted, and they only deliver their payloads to South American IP addresses.\r\nhttps://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/\r\nPage 1 of 13\r\nFig. 2 Successful payload download\r\nAstaroth’s initial payload is a malicious .lnk file, a common delivery method used by threat actors. Malicious .lnk files contain a link to a URL (instead of the expected local URI) to grab the next payload.\r\nLeveraging Existing Windows Services to Deliver Malware\r\nWindows Management Instrumentation Console (WMIC) provides a command line interface to WMI. WMIC is a good tool for managing Windows hosts and is widely favored by desktop administrators. The verb get can be used in a myriad of ways to retrieve information about a machine; in this case, however, os get /format: is being abused to download payloads from non-local resources with .xsl extensions. Downloading stylesheets allows embedded JavaScript and VBS to be run from within them, at which point any type of malware could be staged and run quite easily. In the case of the Astaroth trojan, the .lnk file passes an argument to WMIC.exe to run in non-interactive mode, which forgoes opening a window that the victim could notice, to download the hardcoded URL in the .lnk and exit.\r\nFig. 3 WMIC abuse\r\nAstaroth retrieves a .php file from this URL containing a style sheet with embedded JavaScript. Navigating to the web page manually to view the source reveals the code, which at the time of writing happened not to be obfuscated in any significant way.\r\nFig. 4 Embedded JS in .xsl\r\nAfter defining several variables, some of which contain ActiveX objects for file execution and manipulation later, the script uses a function to “roll” a random number.\r\nFig. 5 “radador” dice roll function\r\nThe number selected is then used to select a payload URL from a list.\r\nFig. 6 Domain list\r\nThe code frequently reuses the “xVRxastaroth” variable, potentially useful for future fingerprinting. All 154 domains listed were hosted on CloudFlare. An increasingly popular tactic by threat actors is to use legitimate hosting services like Google Cloud or CloudFlare for their payload and C2 infrastructure, making it much more difficult to safely block IPs.\r\nFig. 7 CloudFlare hosting\r\nAfter the domain has been selected, the payload URL to another stylesheet is loaded using WMIC yet again. The selected domain will have the hard-coded value /Seu7v130a.xsl? appended to it, followed by a randomly selected number between 1111111 and 9999999.\r\nFor example:\r\nhxxp://ta4dcmj[.]proxy6x-server[.]website/09//Seu7v130a[.]xsl?3314468[.]xsl\r\nThis payload contains much more embedded JavaScript and is part of the core functionality of the malware delivery. The same variables that are declared in the initial stylesheet are reused here, including the RNG roller for a payload domain. After selecting a payload URL, the script will create copies of certutil and regsvr32 in the temp directory for later use.\r\nFig. 8 Making a copy of certutil and regsvr32\r\nCertutil.exe (a copy is renamed to certis.exe by the trojan) is normally used in a Windows environment to manage certificates, but in this case it is used by the second stylesheet to download the malware payloads. The script creates a function that will run the copied certutil in the temp folder with the parameter -urlcache and the options -f and -split. This forces a fetch of the URL into the cache and saves the fetched content to a file.\r\nFig. 9 Caching URLs and downloading payloads\r\nThis function is used repeatedly to retrieve the rest of the malware payload. A check is also performed to ensure each file has been downloaded to the correct folder before proceeding.\r\nFig. 10 Ensuring the files have been downloaded\r\nAfter the malware is downloaded and the files verified, the script will check the C:\\Program Files\\ directory for the presence of Avast antivirus, which happens to be the most commonly installed AV worldwide.\r\nFig. 11 AV detection\r\nIf there is no Avast install present, the script proceeds to the final .dll execution using regsvr32 and quits.\r\nFig. 12 The trojan is complete\r\nA database of victims\r\nAfter the malware is successful in infecting a host, it will generate a plaintext log (r1.log) located in the tempwl directory. This log contains the external IP, the geographic location, the machine name, the time the machine was infected, as well as fields to be logged in the threat actor’s database.\r\nFig. 13 Victim logging\r\nThis information is then sent to a sqlite database located in the root directory of the first payload URL, as seen in the snippet below. There were multiple open directories in ~/9/. Decrementing the number to 0 revealed several other open directories with downloadable sqlite databases, more than likely from previous campaigns. These victims totaled in the thousands, with approximately 8,000 in a single week.\r\nFig. 14 Open directory…\r\nHere is one of the databases viewed in a sqlite browser. Each field is base64 encoded.\r\nFig. 15 Database dump\r\nDecoded, it reveals a detailed log of each affected machine. Note the first entry of a machine hosted on a Canadian VPS. This was the first entry across every database dump gathered and was certainly an anomaly compared to the otherwise South American machines, the primary target of this malware. It’s difficult to say for sure, but this was possibly the threat actor testing his infrastructure.\r\nFig. 16 Potentially infected machines\r\nThe Malware\r\nAfter the Astaroth trojan verifies that each core file and binary has been run, the malware payload is executed. It is important to note that any payload could be delivered via WMIC stylesheet abuse, and Astaroth should be considered a versatile delivery method. However, the campaign that the PDC has recently observed has been delivering this keylogger exclusively. Amongst the downloaded files, the fake .gif and .jpg files appear to be dependencies for the malware. However, their magic bytes are not of any known file type and there are no .text or other PE sections in the hex, suggesting that they are not executable. There do appear to be function names, however, including PeekMessageA, which has been previously observed in other keylogging malware. There are also several log files present, and a folder called vri that is also populated with logs as the malware runs.\r\nFig. 17 Complete List of Malware Files\r\nFig. 17-2 Magic Bytes of “.jpg” file\r\nFig. 17-3 Function names\r\nTo target specific victims, Astaroth is locale aware; any attempts to run the malware without locale spoofing will result in failed downloads and the inability to run the .dll files. Some cursory analysis of one of the .dlls reveals it was coded in Delphi and uses the GetLocaleInfoA function, allowing it to pull the locale information of the infected machine.\r\nFig. 18-1 Coded with Delphi\r\nFig. 18-2 Locale Aware\r\nThis problem was easily defeated by changing registry values in HKEY_CURRENT_USER\u003eControl Panel\u003eInternational to reflect a Brazilian locale, as well as enabling a Portuguese keyboard. The .dlls are first registered and run using regsvr32 in silent mode. A startup event is also created to gain persistence.\r\nFig. 19-1 regsvr32 running the .dlls\r\nFig. 19-2 A startup event for persistence\r\nThe malware will run 2 .dlls from regsvr32 simultaneously, spawning userinit, ctfmon, and svchost processes.\r\nFig. 20 New processes\r\nThe malicious svchost constantly queries ieframe.dll, as well as the IWebBrowser2 interface using CLSID dc30c1661-cdaf-11D0-8A3E-00c04fc9e26e, both key components for interacting with Internet Explorer.\r\nFig. 21 ieframe.dll and IWebBrowser2\r\nThis is crucial because the malware targets Internet Explorer specifically. To ensure its victim will use IE, it will terminate any in-focus Chrome or Firefox process, in hopes the victim will believe those browsers are “malfunctioning.” Only when a victim uses IE and browses to specific Brazilian banks or businesses does the malware begin to log keystrokes.\r\nFig. 22 Keylogging and exfiltrating data\r\nThe exfiltrated data is base64 that decodes into more custom-encoded strings that appear to be “/” delimited. They more than likely must be XOR-ed against a specific string, so decoding is very difficult if not impossible.\r\nFig. 23-1 Exfiltrated data\r\nFig. 23-2 Custom encoded strings\r\nAstaroth is a particularly potent threat for South American businesses. This attack vector presents interesting problems, as blocking or restricting the use of WMIC may not be a feasible solution for some administrators. Like malicious Office macros, this form of social engineering-based attack is best mitigated with user training and awareness. Thousands of global organizations use Cofense PhishMe™ to do just that. Discover what it can do for yours.\r\nAll third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.\r\nSource: https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/"
	],
	"report_names": [
		"seeing-resurgence-demonic-astaroth-wmic-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d49d80baacfdaf0cd232d4f6cbe3a690301b3d82.pdf",
		"text": "https://archive.orkl.eu/d49d80baacfdaf0cd232d4f6cbe3a690301b3d82.txt",
		"img": "https://archive.orkl.eu/d49d80baacfdaf0cd232d4f6cbe3a690301b3d82.jpg"
	}
}