WhatsApp Worm Spreads Astaroth Banking Malware Through Malicious ZIP Files
A new WhatsApp-based malware campaign is actively spreading Astaroth, a well-known banking trojan, by abusing user trust and contact lists. The attack uses malicious ZIP files sent directly through WhatsApp chats, allowing the malware to propagate automatically from one victim to another.
Once a user opens the ZIP file and runs the embedded content, the malware installs itself silently and begins harvesting sensitive financial information. What makes this campaign more dangerous is its worm-like behavior. The infected system automatically sends the same malicious file to all WhatsApp contacts, helping the threat spread quickly without any further user interaction.
TL;DR
A new malware campaign is spreading the Astaroth banking trojan through WhatsApp messages. Victims receive a ZIP file that looks harmless. Opening it installs malware that steals banking credentials and automatically forwards the same file to all WhatsApp contacts. The attack mainly affects users in Brazil and spreads fast because it abuses trust between contacts.
How the Attack Works
The infection starts with a WhatsApp message containing a ZIP archive that appears harmless. Inside the archive is a disguised file that triggers a chain of scripts when opened. These scripts download additional malware components from remote servers and activate the Astaroth payload on the system.
A newly observed Python-based module handles the worm functionality. This component scans the infected device for WhatsApp contact data and automatically forwards the malicious ZIP file to saved contacts. Meanwhile, the core Astaroth malware runs in the background, monitoring user activity.
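The article describes the lure as a ZIP archive whose inner file is disguised so that opening it runs a script chain. A defender-side check that a mail gateway, endpoint agent or even a cautious user can apply is to inspect the archive listing before anything is extracted and flag members that would execute on a Windows double-click. The script below is an added example, not code from the article or from any vendor report it draws on; it assumes the disguise is a script or shortcut type hidden behind a document-looking name (double extension or whitespace padding), which the article does not specify, and it builds its own constructed sample ZIP in memory so it runs offline.

```python
"""Flag members of a ZIP attachment that would execute on a Windows double-click.

Added example for triage of chat-delivered archives. The sample archive is
constructed below; no real malware content is involved.
"""
import io
import zipfile

# Types Windows will run directly from Explorer. Assumption: a "disguised file"
# that "triggers a chain of scripts" is one of these; the article names no format.
EXECUTABLE_SUFFIXES = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".msi", ".dll",
}
# Harmless-looking extensions that are commonly placed in front of a real one.
DOCUMENT_SUFFIXES = {
    ".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".txt",
}


def classify_member(name: str) -> list[str]:
    """Return the list of reasons a single archive member looks disguised."""
    reasons: list[str] = []
    basename = name.rsplit("/", 1)[-1]
    parts = basename.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all: nothing to judge here

    # "nota.pdf          .exe" pushes the real extension out of view in listings.
    if any(p != p.strip() for p in parts):
        reasons.append("whitespace padding around an extension")

    suffixes = ["." + p.strip() for p in parts[1:]]
    last = suffixes[-1]
    if last in EXECUTABLE_SUFFIXES:
        reasons.append(f"executable or script type {last}")
    # "comprovante.pdf.lnk": a document extension followed by an executable one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES and last in EXECUTABLE_SUFFIXES:
        reasons.append("document extension used to disguise an executable")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Inspect the central directory only; nothing is extracted or executed."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: two disguised members and one benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Member names are invented for the example; contents are inert text.
        zf.writestr("comprovante_pagamento.pdf.lnk", "placeholder, not a real shortcut")
        zf.writestr("docs/fatura.vbs", "' placeholder, not a real script")
        zf.writestr("leiame.txt", "benign readme")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(f"SUSPICIOUS {member}: {'; '.join(reasons)}")
```

Because the check reads only the archive's central directory, it is safe to run on a quarantined attachment and cheap enough to apply to every ZIP arriving over a chat channel; a member flagged here should be held for analysis rather than delivered, and a clean listing still says nothing about the inner file's behaviour once run.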
Banking Data Is the Main Target
Astaroth focuses on stealing banking credentials and other sensitive financial data. It monitors browser sessions and looks for activity related to online banking portals. Once detected, it captures login details that can later be used for fraud and account takeover.
This malware family has been active for several years and is known for its modular design. While earlier campaigns relied on phishing emails, this WhatsApp-driven approach significantly increases its reach and success rate.
Impact and Affected Regions
Most of the infections linked to this campaign have been observed in Brazil, with a smaller number of cases reported in other countries. The heavy concentration in one region suggests the attackers are tailoring the lure messages and malware behavior to local users and banking systems.
Because the malware spreads through personal contact lists, users are more likely to trust the message and open the attachment, even when it comes from someone they know.
Why This Campaign Is Hard to Stop
Unlike traditional phishing attacks, this campaign doesn’t rely on random email blasts. It uses a trusted messaging platform and social relationships to spread, which makes detection and prevention more difficult. Many users don’t expect malware to arrive via WhatsApp, especially from familiar contacts.
What Users Should Do
Users should avoid opening ZIP files or attachments received on WhatsApp unless they are absolutely sure about the source. Even messages from known contacts should be treated with caution if the attachment seems unexpected. Keeping operating systems and security software updated can also help reduce the risk of infection.
This campaign highlights how cybercriminals are shifting toward messaging platforms to distribute financial malware at scale, turning everyday communication tools into attack vectors.
FAQs
What is the Astaroth malware?
Astaroth, also known as Guildma, is a long-running banking trojan designed to steal login credentials and financial data from infected systems.
How does the WhatsApp worm spread?
The malware spreads through WhatsApp messages containing a malicious ZIP file. Once a device is infected, it automatically sends the same file to the user’s contacts.
Why is this attack dangerous?
It uses trusted contacts to spread. People are more likely to open files received from friends or family, which increases the infection rate.
Which platforms are affected?
The attack mainly targets Windows systems, even though the delivery happens through WhatsApp.
Which regions are most impacted?
Most reported infections are in Brazil, with limited cases seen in other countries.
Can mobile phones be infected directly?
The malware itself targets computers, but mobile devices act as the delivery channel through WhatsApp messages.
How can users stay safe?
Avoid opening ZIP files or unexpected attachments on WhatsApp, even if they come from known contacts. Use updated antivirus software and keep systems patched.
Is this a new malware family?
No. Astaroth has existed for years, but this campaign is notable because it adds worm-like spreading through WhatsApp.
