Sophos analysts are investigating a persistent, multi-stage malware distribution marketing campaign concentrating on WhatsApp customers in Brazil. First noticed on September 24, 2025, the marketing campaign (tracked as STAC3150) delivers archive attachments containing a downloader script that retrieves a number of second-stage payloads. In early October, Counter Menace Unit\u2122 (CTU) researchers detailed<\/a> exercise related to a separate Brazil-based marketing campaign wherein the menace actors leveraged WhatsApp to deploy the Maverick banking trojan for credential theft.<\/p>\n In STAC3150, the second-stage payloads embrace a script that collects WhatsApp contact info and session information, and an installer that deploys the Astaroth (also called Guildma) banking trojan (see Determine 1). The assaults begin with a message that’s despatched utilizing the WhatsApp \u201cView As soon as\u201d choice (see Determine 2). Determine 2: WhatsApp lure (left) and translation (proper)<\/em><\/p>\n The lure delivers a ZIP archive that accommodates a malicious VBS or HTA file. When executed, this malicious file launches PowerShell to retrieve second-stage payloads, together with a PowerShell or Python script that collects WhatsApp consumer information and, in later instances, an MSI installer that delivers the Astaroth malware. Determine 3 exhibits the modifications in downloader scripts and second-stage information over the course of the marketing campaign.<\/p>\n Determine 3: File codecs used within the STAC3150 marketing campaign between September 24 and October 31, 2025<\/em><\/p>\n In late September incidents, Sophos analysts noticed PowerShell getting used to retrieve the second-stage payloads through IMAP from an attacker-controlled e-mail account. In early October, the marketing campaign shifted to HTTP-based communication, leveraging PowerShell\u2019s Invoke-WebRequest command to contact a distant command and management (C2) server hosted on https: \/\/www . varegjopeaks . com (see Determine 4).<\/p>\n Determine 4: First-stage PowerShell instructions launched from malicious VBS file<\/em><\/p>\n The downloaded second-stage PowerShell or Python script (see Determine 5) makes use of the Selenium Chrome WebDriver and the WPPConnect JavaScript library to hijack WhatsApp Net classes, harvest contact info and session tokens, and facilitate spam distribution.<\/p>\n Determine 5: PowerShell (left) and Python (proper) scripts for WhatsApp information assortment<\/em><\/p>\n In late October, the second-stage information started to additionally embrace an MSI file (installer.msi) that delivers Astaroth malware. \u00a0The installer file writes information to disk and creates a startup registry key to take care of persistence. When executed, it launches the Astaroth malware through a malicious AutoIt script that masquerades as a .log file (see Determine 6). The malware communicates with a C2 server hosted at manoelimoveiscaioba . com.<\/p>\n![\"Diagram](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig1.png\")
<\/a>Determine 1: Assault chain within the WhatsApp STAC3150 marketing campaign<\/em><\/p>\nAssault development<\/h3>\n
![\"WhatsApp](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig2.png\")
<\/a><\/p>\n![\"Changes](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig3.png\")
<\/a><\/p>\n![\"Display](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig4.png\")
<\/a><\/p>\n![\"Extracts](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig5.png\")
<\/a><\/p>\n
![\"AutoIT](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig6.png\")
<\/a><\/p>\n![\"Map](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/11\/WhatsAppAstaroth2511-fig7.png\")
<\/a><\/p>\n