‘Astaroth’ Attack: How a simple WhatsApp file could empty your bank account

Cybersecurity authorities have raised serious concerns over a newly identified and highly sophisticated malware campaign that is exploiting the widespread trust and popularity of WhatsApp Web to infect Windows users with a dangerous banking Trojan. The attack, which has already drawn the attention of cybersecurity experts, demonstrates how cybercriminals are increasingly leveraging familiar digital platforms to carry out large-scale fraud and data theft while remaining largely undetected.

At the center of this campaign is a banking Trojan known as Astaroth, a powerful and well-documented piece of malware designed primarily to steal sensitive financial and personal data from infected systems. What makes this latest campaign particularly alarming is not just the malware itself, but the method of delivery. By using WhatsApp Web—a platform trusted by millions of users for daily communication—the attackers are able to bypass skepticism and security awareness that might otherwise prevent infection.

Cyber Security Authority Issues Public Alert

According to a public alert issued by the Cyber Security Authority (CSA), the malware campaign specifically targets Windows computer users who interact with WhatsApp Web. The CSA revealed that “cybersecurity experts have discovered a new malware attack that uses WhatsApp Web on Windows computers to spread a dangerous banking malware called Astaroth.” This confirmation underscores the growing trend of cybercriminals exploiting legitimate services to mask their malicious activities.

The authority further emphasized the psychological manipulation behind the attack, noting that the criminals are “taking advantage of the popularity and the trust people have in WhatsApp to trick users into getting infected.” WhatsApp’s reputation as a secure and private messaging platform plays a key role in the success of this campaign, as users are less likely to question files or links received through the service—especially when they appear to come from friends, family members, or colleagues.

How the Attack Begins: Malicious Files Disguised as Legitimate Documents

The attack typically begins with threat actors sending malicious ZIP archive files directly to potential victims through WhatsApp messages. These files are not sent randomly; instead, they are carefully crafted and disguised to appear legitimate. In many cases, the ZIP files are presented as work-related documents, invoices, exam materials, or important updates, often accompanied by a convincing explanation designed to prompt urgency or curiosity.

Cybersecurity analysts warn that these social engineering techniques are central to the malware’s success. The messages may claim that the file contains important information that must be reviewed immediately, exploiting human instincts to act quickly without proper verification. Once a user downloads the ZIP file and extracts its contents, the danger escalates rapidly.

When the enclosed file is executed on a Windows computer, the Astaroth malware is silently installed in the background. At this stage, the victim may notice nothing unusual, as the malware is designed to operate discreetly without triggering obvious system warnings or alerts.

Malware Hijacks WhatsApp Web to Spread Itself

Following installation, the infection takes a particularly dangerous and deceptive turn. As explained by the CSA, “After installation, the malware silently connects to WhatsApp Web, where it retrieves the victim’s contact list and automatically sends similar malicious messages to all contacts, thereby propagating itself without the victim’s knowledge.”

This feature enables the malware to spread rapidly, using the infected user’s own WhatsApp account as a distribution channel. By sending malicious files to contacts directly from a trusted account, the attackers significantly increase the likelihood that recipients will open the files.

Friends, colleagues, and family members are far more likely to trust messages that appear to come from someone they know, creating a chain reaction of infections. This method of self-propagation is particularly effective because it removes the need for attackers to initiate contact with each new victim themselves.

Extensive Data Harvesting and Financial Theft

While the malware spreads through WhatsApp Web, it simultaneously carries out harmful activities in the background. The CSA reported that the Trojan engages in “extensive data harvesting activities,” with a primary focus on financial and authentication-related information.

This includes the theft of “banking login credentials, one-time passwords (OTPs), browser cookies, and keystrokes.” These forms of data give attackers direct and indirect access to victims’ online banking platforms, financial services, and personal accounts.

According to cybersecurity experts, the stolen data “can be used to gain unauthorized access to financial accounts, commit fraud, and facilitate further criminal activity.” Victims may experience unauthorized transactions, drained bank accounts, identity theft, or long-term financial damage. In some cases, the stolen information may be sold on underground cybercrime markets.

Why This Attack Is Particularly Dangerous

Security experts warn that this campaign highlights a troubling shift in cybercrime tactics. Messaging platforms, once seen as relatively safe communication tools, are now being weaponized to spread malware at scale.

Because WhatsApp messages often bypass corporate email filters and traditional security monitoring tools, malware delivered through the platform can evade detection more easily. The use of trusted contacts as carriers also makes it harder for users to identify malicious activity until significant damage has already been done.

CSA Issues Safety Recommendations to the Public

In response to the growing threat, the CSA has issued several key recommendations aimed at reducing the risk of infection. Users are urged to exercise extreme caution when downloading or opening ZIP files or unexpected attachments received via WhatsApp, “even if they come from known contacts.”

The authority also advises users to be skeptical of messages demanding immediate action or downloads, noting that urgency is a common social engineering tactic used by cybercriminals.

To counter WhatsApp Web hijacking, individuals are encouraged to regularly review their active WhatsApp Web sessions and “log out of any you do not recognise.” Users should also avoid leaving WhatsApp Web signed in on shared or public computers.

Maintaining up-to-date Windows operating systems and security software is another critical defense, as updates often contain patches for known vulnerabilities exploited by malware.

Reporting Cyber Incidents and Seeking Help

The CSA has reminded the public that support is available for those who suspect they may have been affected by the malware. The authority operates a 24-hour Cybersecurity and Cybercrime Incident Reporting Point of Contact, where individuals and organizations can report incidents and receive professional guidance.

A Growing Reminder of the Need for Cyber Awareness

As cybercriminals continue to refine their methods, this incident serves as a stark reminder that trust and convenience can be exploited. Staying alert, questioning unexpected files, and practicing good cybersecurity habits remain essential in protecting personal and financial information in an increasingly connected digital world.
