A new wave of cybercrime is hitting WhatsApp users in Brazil. A banking malware known as Astaroth, or Guildma, is spreading quickly over WhatsApp. This insidious threat has been active since 2015 and mostly targets users in Latin America, with more than 95% of targeted devices in Brazil. Recent campaigns show a shift in tactics: the operators now leverage WhatsApp’s wide reach to deploy this disruptive trojan.
Since at least September 24, 2025, the threat activity tracked as STAC3150 has persistently targeted WhatsApp users. It delivers malicious ZIP archives containing a downloader PowerShell script, which in turn fetches a PowerShell or Python installation script. Once running, the malware steals user data, including WhatsApp contacts, which it uses to spread Astaroth further. Infections have also been observed outside Brazil, in the United States and Austria, but in numbers that remain small compared to those in Brazil.
Characteristics of Astaroth
Astaroth is known for its two primary components: a Python-based propagation module and a banking module. The propagation module automatically collects victims’ WhatsApp contacts and sends malicious messages to each one, increasing the malware’s reach.
“The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” – Acronis
Once installed, the banking module lurks quietly in the background, monitoring the user’s web browsing sessions. When the user navigates to a banking-related URL, the module activates to collect banking credentials, allowing the cybercriminals to profit financially.
“While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors’ growing use of multi-language modular components,” – Acronis
Distribution Tactics
Astaroth’s distribution method is especially worrisome because it abuses trusted channels such as WhatsApp. Victims receive ZIP archives that seem harmless until extracted. Inside, they find a Visual Basic Script disguised as an Excel file.
“When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” – Acronis
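As an added illustration of how a defender can screen for the lure described above (this is example code, not Acronis’s analysis tooling or anything from the malware itself), the following Python inspects a chat-delivered ZIP for script files hiding behind a document extension or a right-to-left override character; the extension lists and the sample archive are this example’s own constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; a "spreadsheet" sent over a chat app
# should never carry one of these. Both lists are this example's own choices.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
# Document extensions attackers prepend so the name reads like an Excel file.
DECOY_EXTENSIONS = {".xlsx", ".xls", ".xlsm", ".csv", ".pdf", ".docx"}
RLO = "\u202e"  # right-to-left override: visually reverses the tail of a file name


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: text}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) for each archive member that looks like a disguised script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name  # drop any folder prefix
            if RLO in name:
                findings.append((name, "right-to-left override in file name"))
                continue
            # Lower-case and strip padding spaces that push the real extension out of view.
            suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue
            if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
                findings.append((name, f"{suffixes[-1]} script disguised with decoy {suffixes[-2]} extension"))
            else:
                findings.append((name, f"{suffixes[-1]} script inside a chat-delivered archive"))
    return findings


# Constructed sample lure: one harmless CSV plus a VBS dressed up as a spreadsheet.
SAMPLE_ZIP = build_archive({
    "notes.csv": "date,amount\n",
    "Planilha_2025.xlsx.vbs": "' constructed placeholder, not a real script\n",
})
```

Running `suspicious_members(SAMPLE_ZIP)` flags only the double-extension member, which is the kind of check a mail or chat gateway can apply before the user ever extracts the archive.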
The propagation code is surprisingly meticulous about tracking its own performance. It records metrics of its spread, including the delivery success rate and the sending rate in messages per minute.
“The code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute,” – Acronis
Ongoing Threat Landscape
Cybersecurity professionals are on high alert. In 2024, two threat clusters, tracked as PINEAPPLE and Water Makara, were observed using phishing emails to deliver Astaroth. The malware is constantly changing, and its operators keep raising the bar, evolving their tactics to exploit the tools people use most for communication.
The Astaroth campaign in Brazil is evolving quickly and dramatically. While many messaging apps have built-in protections, there is no substitute for user vigilance and caution when faced with unsolicited messages, especially on platforms not previously associated with such lures. Keeping software updated and monitoring online activity can help mitigate the risks associated with this type of banking trojan.