WhatsApp compromise leads to Astaroth deployment
A malware campaign targeting WhatsApp users primarily in Brazil uses WhatsApp's 'View Once' message feature to deliver malicious ZIP archives containing VBS or HTA files. These files execute PowerShell scripts to download additional payloads, including scripts that steal WhatsApp user data and an MSI installer deploying the Astaroth banking trojan. The campaign evolved from IMAP-based to HTTP-based command and control communication and leverages Selenium Chrome WebDriver and the WPPConnect JavaScript library to hijack WhatsApp Web sessions, steal session tokens and contacts, and distribute spam. Over 250 victims have been identified, with 95% located in Brazil and some impact noted in Austria. The attack enables credential theft, session hijacking, persistence, and financial fraud through banking trojan deployment. No CVE or known exploits in the wild are reported, and the campaign is rated medium severity. Defenders should focus on user awareness, endpoint detection of PowerShell and script execution, and monitoring for suspicious WhatsApp Web activity.
AI Analysis
Technical Summary
This persistent malware distribution campaign, active since September 2025, targets WhatsApp users by exploiting the 'View Once' message feature to deliver malicious ZIP archives containing VBS or HTA files. Upon execution, these files invoke PowerShell to fetch second-stage payloads, including scripts that harvest WhatsApp user data and an MSI installer that deploys the Astaroth banking trojan, known for credential theft and financial fraud. The campaign initially used IMAP for payload retrieval but shifted to HTTP-based communication with a remote command and control server, improving stealth and flexibility. It employs Selenium Chrome WebDriver alongside the WPPConnect JavaScript library to hijack WhatsApp Web sessions, enabling attackers to steal session tokens and contact lists, facilitating spam campaigns and further propagation. The malware establishes persistence mechanisms and uses multiple tactics such as obfuscation, credential dumping, and session hijacking (aligned with MITRE ATT&CK techniques T1140, T1555, T1102, T1204, T1059.001, T1547.001, T1566, T1027, T1553, T1573, T1056, T1095, T1059.006, T1132, T1071.001). Although primarily impacting Brazilian users (95% of victims), there is evidence of spread to Austria. The campaign affects over 250 users and is notable for combining social engineering, multi-stage payload delivery, and advanced session hijacking to deploy a financially motivated banking trojan. No CVE identifiers or known exploits in the wild have been reported, and the campaign is currently assessed as medium severity.
Potential Impact
For European organizations, the primary impact lies in potential compromise of employee or customer WhatsApp accounts, which could lead to credential theft, unauthorized access to sensitive communications, and propagation of spam or malware within corporate networks. The deployment of the Astaroth banking trojan poses a direct financial threat through theft of banking credentials and fraudulent transactions. Session hijacking of WhatsApp Web could expose confidential contact information and internal communications, increasing risks of social engineering and targeted phishing attacks. Although the campaign is currently concentrated in Brazil, the presence of affected devices in Austria indicates potential for spread within Europe, especially in countries with significant WhatsApp usage. Organizations could face reputational damage, financial loss, and operational disruption if employees' devices are compromised. The use of PowerShell and script-based payloads also increases the risk of lateral movement within corporate environments if endpoint protections are insufficient.
Mitigation Recommendations
1. Implement strict endpoint protection policies that monitor and restrict execution of PowerShell scripts and VBS/HTA files, especially those originating from email or messaging attachments.
2. Educate users about the risks of opening ZIP archives and executing files received via WhatsApp, particularly those sent with 'View Once' messages, which may evade casual inspection.
3. Deploy network monitoring to detect unusual HTTP traffic patterns indicative of command and control communication, focusing on domains linked to the campaign (e.g., borizerefeicoes.com, clhttradinglimited.com).
4. Enforce multi-factor authentication (MFA) on WhatsApp Web and related services to reduce session hijacking risks.
5. Monitor for suspicious Selenium WebDriver activity or automated browser control tools on endpoints, which may indicate session hijacking attempts.
6. Regularly audit and revoke stale WhatsApp Web sessions and tokens to limit attacker persistence.
7. Integrate threat intelligence feeds to update blocklists and detection rules for domains and indicators associated with this campaign.
8. Conduct phishing simulations and awareness campaigns emphasizing the dangers of social engineering via messaging apps.
9. Use application whitelisting to prevent unauthorized MSI installers from executing.
10. Coordinate with incident response teams to quickly isolate and remediate infected devices.
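As an added example that is not part of this report or of the underlying Sophos/AlienVault material, the Python below turns recommendations 1, 3, 5 and 9 into detection rules and runs them over constructed log lines. The key=value event format is a hypothetical simplification of Sysmon process and DNS events; treating chromedriver.exe and the --enable-automation Chrome flag as Selenium WebDriver telltales is an assumption, and only the two campaign domains quoted in recommendation 3 are used.

```python
# Added example, not code from the Sophos/AlienVault report. Log format below is a
# hypothetical simplified key=value line per Sysmon-style process or DNS event.
import re

CAMPAIGN_DOMAINS = {"borizerefeicoes.com", "clhttradinglimited.com"}  # quoted in item 3
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # VBS/HTA launchers
# Fragments typical of a PowerShell download/decode stage (T1059.001, T1027, T1132).
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadstring|downloadfile|"
                         r"-enc(odedcommand)?\b|\biex\b|frombase64string", re.I)

def parse_event(line: str) -> dict:  # values may be double-quoted or bare
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def basename(path: str) -> str: return path.lower().rsplit("\\", 1)[-1]

def classify(ev: dict) -> list[str]:
    hits = []  # names of every rule the event triggers; empty when nothing fires
    if ev.get("type") == "process":
        parent, image = basename(ev.get("parent", "")), basename(ev.get("image", ""))
        cmd = ev.get("cmd", "").lower()
        if parent in SCRIPT_HOSTS and image == "powershell.exe":
            hits.append("script-host-spawned-powershell")  # VBS/HTA invoking PowerShell
        if image == "powershell.exe" and DOWNLOAD_RE.search(cmd):
            hits.append("powershell-downloader-pattern")  # second-stage fetch
        if parent == "powershell.exe" and image == "msiexec.exe":
            hits.append("powershell-launched-msi")  # MSI stage (Astaroth installer)
        # Assumed telltales: chromedriver.exe (Selenium's Chrome driver) or the
        # --enable-automation flag it passes to Chrome.
        if "chromedriver.exe" in (parent, image) or "--enable-automation" in cmd:
            hits.append("automated-browser-control")
    elif ev.get("type") == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in CAMPAIGN_DOMAINS):
            hits.append("campaign-domain-lookup")  # C2 / payload domain contact
    return hits

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    out = []  # (line number, rule names) for each non-blank line that fires a rule
    for n, line in enumerate((l for l in log_text.splitlines() if l.strip()), 1):
        if found := classify(parse_event(line)):
            out.append((n, found))
    return out

# Constructed sample: lines 1-3 and 5 model the infection chain, line 4 is benign.
SAMPLE_LOG = r"""
type=process parent="C:\Windows\System32\wscript.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell -nop -w hidden -enc <b64-placeholder>"
type=process parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Windows\System32\msiexec.exe" cmd="msiexec /i C:\Users\Public\update.msi /qn"
type=dns query=borizerefeicoes.com
type=dns query=example.org
type=process parent="C:\Users\u\AppData\Local\Temp\chromedriver.exe" image="C:\Program Files\Google\Chrome\Application\chrome.exe" cmd="chrome.exe --enable-automation --remote-debugging-port=0"
"""
```

Calling `scan(SAMPLE_LOG)` flags lines 1, 2, 3 and 5 with the rule names above; the DNS rule also matches subdomains of the listed domains, not only exact names.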
Affected Countries
Brazil, Austria
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment
- Adversary: not specified
- Pulse Id: 691f6f317ed414598e71b8f6
- Threat Score: not assigned
Threat ID: 691f9295b342c1dca420b6d2
Added to database: 11/20/2025, 10:13:41 PM
Last enriched: 11/20/2025, 10:24:11 PM
Last updated: 11/21/2025, 2:18:24 PM