Josh Kaufman


AstroidV2

3.1 Persistence Mechanisms
3.2 C2 Communication Protocol
3.3 Payload Modules

This paper presents a comprehensive analysis of AstroidV2, a successor to the previously undocumented Astroid malware family. Leveraging a hybrid command-and-control (C2) architecture combining DNS tunneling and decentralized Telegram bot APIs, AstroidV2 demonstrates a 40% improvement in network evasion compared to its predecessor. We detail its anti-analysis techniques, including environmental keying, sleep obfuscation, and direct system call invocation. A reverse-engineered sample reveals modular capabilities for keylogging, credential theft, and lateral movement via SMB. Defensive recommendations include network-level DNS filtering and memory signature detection.
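The abstract recommends network-level DNS filtering against the DNS-tunneling half of the C2 channel. The following is an added example (not code from the paper or from any AstroidV2 sample) of the kind of heuristic a resolver-log detector would apply: it scores each queried name on the length and Shannon entropy of its subdomain portion, then counts how many distinct high-entropy subdomains each client sends under the same registrable domain. The log lines, the client addresses and the domain tunnel-example.test are constructed for this example; the thresholds are illustrative, and the "last two labels" rule for the registrable domain is a simplification (a real deployment would use the Public Suffix List).

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: timestamp, client IP, record type, queried name.
# Every line, address and domain here is invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 AAAA mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 TXT 6a7f3c9e1b0d4e8f2a5c7b9d1e3f5a7c9b1d3e5f.7a9c1e3f5b7d9f1a3c5e7b9d1f3a5c7e.tunnel-example.test
2024-05-01T10:00:04Z 10.0.0.7 TXT 9c1b3d5f7a9c1e3f5b7d9f1a3c5e7b9d1f3a5c7e.2e4f6a8c0e2b4d6f8a0c2e4b6d8f0a2c.tunnel-example.test
2024-05-01T10:00:05Z 10.0.0.9 A cdn.static-assets.example.org
"""

# Illustrative thresholds (assumptions, not values from the paper).
MIN_PAYLOAD_LEN = 40        # encoded data stuffed into labels tends to be long
MIN_ENTROPY = 3.0           # bits per character; hex payloads approach 4.0, words sit well below
MIN_UNIQUE_SUBDOMAINS = 2   # kept low for the sample; production values are far higher


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Split a query name into (subdomain part, registrable domain).

    Assumption: the registrable domain is the last two labels. Real deployments
    should consult the Public Suffix List instead.
    """
    labels = name.rstrip(".").lower().split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return sub, domain


def is_tunnel_like(name):
    """Per-query heuristic: long, high-entropy subdomain data is typical of tunnelled payloads."""
    sub, _ = split_name(name)
    payload = sub.replace(".", "")
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= MIN_ENTROPY


def detect_tunneling(log_text):
    """Return flagged query names and (client, domain) pairs that repeatedly send
    distinct tunnel-like subdomains, which is the per-client signal a filter would act on."""
    flagged_queries = []
    seen = defaultdict(set)  # (client, registrable domain) -> distinct suspicious subdomains
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _timestamp, client, _rtype, name = parts
        if is_tunnel_like(name):
            sub, domain = split_name(name)
            flagged_queries.append(name)
            seen[(client, domain)].add(sub)
    flagged_clients = sorted(
        key for key, subs in seen.items() if len(subs) >= MIN_UNIQUE_SUBDOMAINS
    )
    return {"queries": flagged_queries, "clients": flagged_clients}


if __name__ == "__main__":
    result = detect_tunneling(SAMPLE_LOG)
    for q in result["queries"]:
        print("suspicious query:", q)
    for client, domain in result["clients"]:
        print(f"client {client} shows tunnel-like traffic to {domain}")
```

Entropy and length alone produce false positives (CDN hashes, DKIM selectors, some telemetry), so the per-client aggregation is the part worth tuning: a blocklist or sinkhole decision should key on a client repeatedly emitting distinct encoded subdomains under one domain, not on a single odd-looking name.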

4.1 Anti-VM and Anti-Sandbox
4.2 API Hooking Detection