Sophos analysts are tracking a persistent and fast-evolving malware distribution campaign targeting WhatsApp users in Brazil, where attackers are leveraging fake “View Once” messages, malicious archive attachments, hijacked WhatsApp Web sessions, and the notorious Astaroth (Guildma) banking trojan. The campaign—officially tracked as STAC3150—has been active since September 24, 2025, and has already impacted more than 250 customers.
The attack sequence shows a flow from WhatsApp phishing → malicious archives → VBS/HTA downloader → C2 → WhatsApp session hijacking → Astaroth deployment.
The lure contains friendly Portuguese messages such as:

The “file” is actually a ZIP archive containing either:
- Malicious VBS, or
- Malicious HTA
When executed, these launch PowerShell to retrieve additional payloads.
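The lure stage above comes down to a ZIP whose members are Windows script files (VBS or HTA) rather than the image the message promises. The following triage routine is an added example, not code from Sophos or from the report; it inspects the raw attachment bytes in memory, so it can sit in a mail or messaging gateway without writing the archive to disk. It generalises slightly beyond the page by also flagging other script-host extensions and by recording double extensions such as `foto.jpg.vbs`; the extension set, the `build_sample_lure` helper and the member names are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Script types the report names (VBS, HTA) plus other Windows script-host
# extensions. Everything beyond .vbs/.hta is an added generalisation.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".hta", ".js", ".jse", ".wsf", ".ps1", ".lnk"}


def risky_members(zip_bytes: bytes) -> List[Dict]:
    """Return one record per archive member whose final extension is a script type.

    Operates on the raw bytes of the attachment so nothing is extracted to disk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Archives may use backslashes; normalise before taking the suffix.
            name = PurePosixPath(info.filename.replace("\\", "/"))
            ext = name.suffix.lower()
            if ext in RISKY_EXTENSIONS:
                findings.append({
                    "member": info.filename,
                    "extension": ext,
                    # "IMG.jpg.vbs" style names: more than one suffix present.
                    "double_extension": len(name.suffixes) > 1,
                    "size": info.file_size,
                })
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Gateway verdict: block the attachment if any member is a script type."""
    try:
        return bool(risky_members(zip_bytes))
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP blob masquerading as an archive is also worth blocking.
        return True


def build_sample_lure() -> bytes:
    """Constructed sample shaped like the lure: an image-looking name with a .vbs suffix.

    The member content is a harmless placeholder, not a payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG_20251001.jpg.vbs", "' placeholder content for the example\n")
        zf.writestr("leiame.txt", "arquivo de exemplo\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_lure()
    for finding in risky_members(sample):
        print(finding)
    print("block:", should_block(sample))
```

The check keys on the final extension because that is what Windows uses to pick the script host; the `double_extension` flag is there so an analyst can see at a glance that the name was dressed up to look like a photo.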
Throughout late September, the threat actors used IMAP to pull payloads from attacker email accounts: “PowerShell being used to retrieve the second-stage payloads via IMAP from an attacker-controlled email account.”
However, by early October the campaign shifted: “The campaign shifted to HTTP-based communication… contacting a remote command and control (C2) server hosted on https://www.varegjopeaks.com.”
The second-stage PowerShell or Python scripts, shown side-by-side, automate WhatsApp Web session theft.
Sophos explains, “The script uses the Selenium Chrome WebDriver and the WPPConnect JavaScript library to hijack WhatsApp Web sessions, harvest contact information and session tokens, and facilitate spam distribution.”
This enables the attackers to:
- Send malicious ZIPs to new victims
- Steal session cookies
- Gather full WhatsApp contact lists
- Reactivate the infection cycle at scale
By late October, the attack grew more aggressive: “Second-stage files began to also include an MSI file (installer.msi) that delivers Astaroth malware.”
This MSI installer:
- Writes multiple files to disk
- Creates a startup registry key (persistence)
- Executes a malicious AutoIt script disguised as a .log file
Sophos notes: “The malware communicates with a C2 server hosted at manoelimoveiscaioba.com.”
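The stages described above (a script host spawning PowerShell, PowerShell fetching payloads over IMAP and later over HTTP from the named C2 host, scripted browser automation against WhatsApp Web, and the MSI's Run-key persistence with an AutoIt script named like a .log file) each leave a distinct host or network trace. The detection routine below is an added example, not Sophos' own tooling; it runs over constructed Sysmon-style event records. The two C2 domains are the ones quoted on this page; the event field names, the sample hostnames and paths, the `chromedriver.exe` and `AutoIt3.exe` binary names used as indicators, and the IMAP-port heuristic are assumptions of the example rather than facts from the report.

```python
from typing import Dict, List, Optional, Tuple

# Domains named in the report as C2 hosts for this campaign.
KNOWN_C2_DOMAINS = {"www.varegjopeaks.com", "varegjopeaks.com", "manoelimoveiscaioba.com"}
# Windows script hosts that run the VBS/HTA lure (stage 1).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: second-stage IMAP retrieval shows up as PowerShell talking to 143/993.
IMAP_PORTS = {143, 993}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev: Dict) -> Optional[Tuple[str, str]]:
    """Match one event against the campaign's stages; return (rule, detail) or None."""
    kind = ev.get("event")
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "").lower()

    if kind == "process_create":
        # Stage 1: VBS/HTA from the ZIP launching PowerShell.
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            return "script_host_spawns_powershell", f"{parent} -> {cmd}"
        # WhatsApp Web hijack: a script driving Chrome through WebDriver (assumed binary name).
        if image == "chromedriver.exe" and parent in {"powershell.exe", "python.exe", "pythonw.exe"}:
            return "scripted_browser_automation", f"{parent} -> {image}"
        # Astaroth stage: AutoIt interpreter handed a file that pretends to be a log.
        if image == "autoit3.exe" and ".log" in cmd:
            return "autoit_runs_log_masquerade", cmd
    elif kind == "network_connect":
        host = (ev.get("dest_host") or "").lower()
        if host in KNOWN_C2_DOMAINS:
            return "known_c2_contact", f"{image} -> {host}"
        if image == "powershell.exe" and ev.get("dest_port") in IMAP_PORTS:
            return "powershell_imap_retrieval", f"{host}:{ev.get('dest_port')}"
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        # Persistence: Run key pointing at the AutoIt interpreter or a ".log" payload.
        if "\\currentversion\\run" in key and ("autoit3" in data or ".log" in data):
            return "run_key_persistence", f"{ev.get('value_name')}={ev.get('data')}"
    return None


def scan(events: List[Dict]) -> List[Dict]:
    """Run every event through analyse_event and collect the alerts in order."""
    alerts = []
    for ev in events:
        hit = analyse_event(ev)
        if hit:
            alerts.append({"rule": hit[0], "detail": hit[1], "host": ev.get("host")})
    return alerts


# Constructed sample telemetry: one record per campaign stage plus one benign event.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c <stage1 loader placeholder>"},
    {"host": "WS-01", "event": "network_connect", "image": r"C:\...\powershell.exe",
     "dest_host": "imap.example.invalid", "dest_port": 993},
    {"host": "WS-01", "event": "network_connect", "image": r"C:\...\powershell.exe",
     "dest_host": "www.varegjopeaks.com", "dest_port": 443},
    {"host": "WS-01", "event": "process_create", "parent_image": r"C:\...\powershell.exe",
     "image": r"C:\Users\Public\chromedriver.exe", "command_line": "chromedriver.exe --port=9515"},
    {"host": "WS-01", "event": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater", "data": r"C:\Users\Public\AutoIt3.exe C:\Users\Public\sys.log"},
    {"host": "WS-01", "event": "network_connect", "image": r"C:\Users\Public\AutoIt3.exe",
     "dest_host": "manoelimoveiscaioba.com", "dest_port": 443},
    {"host": "WS-02", "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "command_line": "chrome.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Domain matches are the highest-confidence rule but also the shortest-lived, since the report already shows the actors moving from IMAP to HTTP and changing infrastructure; the behavioural rules (script host to PowerShell, PowerShell on IMAP ports, a Run key invoking an interpreter on a `.log` file) are what keep firing after the domains rotate.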
The campaign has already infected more than 250 customer devices, overwhelmingly in Brazil.