Sophos analysts are investigating a persistent, multi-stage malware distribution marketing campaign focusing on WhatsApp customers in Brazil. First noticed on September 24, 2025, the marketing campaign (tracked as STAC3150) delivers archive attachments containing a downloader script that retrieves a number of second-stage payloads. In early October, Counter Risk Unit™ (CTU) researchers detailed exercise related to a separate Brazil-based marketing campaign during which the risk actors leveraged WhatsApp to deploy the Maverick banking trojan for credential theft.
In STAC3150, the second-stage payloads embody a script that collects WhatsApp contact data and session knowledge, and an installer that deploys the Astaroth (also referred to as Guildma) banking trojan (see Determine 1).
Determine 1: Assault chain within the WhatsApp STAC3150 marketing campaign
Assault development
The assaults begin with a message that’s despatched utilizing the WhatsApp “View As soon as” choice (see Determine 2).
Determine 2: WhatsApp lure (left) and translation (proper)
The lure delivers a ZIP archive that comprises a malicious VBS or HTA file. When executed, this malicious file launches PowerShell to retrieve second-stage payloads, together with a PowerShell or Python script that collects WhatsApp person knowledge and, in later instances, an MSI installer that delivers the Astaroth malware. Determine 3 exhibits the adjustments in downloader scripts and second-stage information over the course of the marketing campaign.
Determine 3: File codecs used within the STAC3150 marketing campaign between September 24 and October 31, 2025
In late September incidents, Sophos analysts noticed PowerShell getting used to retrieve the second-stage payloads by way of IMAP from an attacker-controlled e mail account. In early October, the marketing campaign shifted to HTTP-based communication, leveraging PowerShell’s Invoke-WebRequest command to contact a distant command and management (C2) server hosted on https: //www . varegjopeaks . com (see Determine 4).
Determine 4: First-stage PowerShell instructions launched from malicious VBS file
The downloaded second-stage PowerShell or Python script (see Determine 5) makes use of the Selenium Chrome WebDriver and the WPPConnect JavaScript library to hijack WhatsApp Net periods, harvest contact data and session tokens, and facilitate spam distribution.
Determine 5: PowerShell (left) and Python (proper) scripts for WhatsApp knowledge assortment
In late October, the second-stage information started to additionally embody an MSI file (installer.msi) that delivers Astaroth malware. The installer file writes information to disk and creates a startup registry key to keep up persistence. When executed, it launches the Astaroth malware by way of a malicious AutoIt script that masquerades as a .log file (see Determine 6). The malware communicates with a C2 server hosted at manoelimoveiscaioba . com.
Determine 6: AutoIt payload execution
Victimology
Sophos analysts noticed this marketing campaign affecting greater than 250 clients, with roughly 95% of the impacted units positioned in Brazil. The remaining had been positioned in different Latin American international locations, the U.S., and Austria (see Determine 7).
Determine 7: Distribution of Sophos buyer units impacted by the WhatsApp marketing campaign deploying Astaroth between October 23 and October 28, 2025
Suggestions, detections, and indicators
Organizations ought to educate staff concerning the dangers of opening archive attachments despatched by way of social media and on the spot messaging platforms, even when obtained from recognized contacts.
SophosLabs has developed the countermeasures in Desk 1 to detect exercise related to this risk.
| Identify | Description |
| VBS/DwnLdr-ADJT | Detection for preliminary VBS file |
| VBS/DwnLdr-ADJW | Detection for preliminary VBS file |
| VBS/DwnLdr-ADJS | Detection for second-stage VBS file |
| Troj/Mdrop-KEP | Detection for second-stage MSI file |
| Troj/Mdrop-KES | Detection for second-stage MSI file |
| Troj/AutoIt-DJB | Detection for AutoIt payload |
| Troj/HTADrp-CE | Detection for HTA script |
Desk 1: Sophos detections related to this risk
The risk indicators in Desk 2 can be utilized to detect exercise associated to this risk. The domains could comprise malicious content material, so think about the dangers earlier than opening them in a browser.
| Indicator | Sort | Context |
| manoelimoveiscaioba[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| varegjopeaks[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| docsmoonstudioclayworks[.]on-line | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| shopeeship[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| miportuarios[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| borizerefeicoes[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| clhttradinglimited[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
| lefthandsuperstructures[.]com | Area identify | C2 server utilized in WhatsApp STAC3150 marketing campaign |
Desk 2: Indicators for this risk
