Intel Name: WhatsApp compromise leads to Astaroth deployment
Date of Scan: November 21, 2025
Impact: Medium
Summary: Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation, tracked as STAC3150, uses archive attachments that contain a downloader script responsible for fetching several second-stage components. Analysts also noted a separate Brazil-focused operation in which attackers used WhatsApp to spread the Maverick banking trojan for credential theft. In the STAC3150 campaign, the subsequent payloads include a script that harvests WhatsApp contacts and session details, along with an installer that deploys the Astaroth (Guildma) banking trojan.