Security Articles

WhatsApp compromise leads to Astaroth deployment

released on 2025-11-20 @ 07:42:41 PM
A persistent malware distribution campaign targeting WhatsApp users in Brazil has been observed since September 24, 2025. The attack begins with a message sent using WhatsApp's 'View Once' option, delivering a ZIP archive that contains malicious VBS or HTA files. When executed, these files launch PowerShell to retrieve second-stage payloads, including scripts that collect WhatsApp user data and an MSI installer that deploys the Astaroth banking trojan. The campaign has evolved over time, shifting from IMAP-based retrieval to HTTP-based communication with a remote C2 server. The attack leverages the Selenium Chrome WebDriver and the WPPConnect JavaScript library to hijack WhatsApp Web sessions, harvest contact information and session tokens, and facilitate spam distribution. The campaign has affected over 250 customers, with 95% of impacted devices located in Brazil.
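The execution chain summarised above (a VBS or HTA lure launching PowerShell, which in turn runs an MSI installer) is visible in endpoint process-creation telemetry as a parent/child relationship. The following is an added detection example, not code from the report or from any vendor product; it runs over a small set of constructed process-creation events (the PIDs, image paths and tree layout are invented for illustration) and flags PowerShell processes whose parent is a Windows script host, raising the severity when that PowerShell process goes on to spawn msiexec.exe.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, reduced to the fields this check needs.
    Assumed shape: most EDR/Sysmon-style logs expose pid, parent pid and image path."""
    pid: int
    ppid: int
    image: str  # full path of the created process


# Windows script hosts that execute .vbs / .hta files, the lure types named in the summary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_script_host_chains(events):
    """Flag powershell.exe whose parent is a script host.

    Severity is 'high' when that PowerShell process also spawned msiexec.exe
    (the stage that would run an MSI installer), otherwise 'medium'.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for e in events:
        if image_name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in SCRIPT_HOSTS:
            continue  # PowerShell started by explorer, cmd, an admin tool, etc. is not flagged
        msi_pids = [c.pid for c in children.get(e.pid, []) if image_name(c.image) == "msiexec.exe"]
        hits.append({
            "script_host": image_name(parent.image),
            "script_host_pid": parent.pid,
            "powershell_pid": e.pid,
            "msiexec_pids": msi_pids,
            "severity": "high" if msi_pids else "medium",
        })
    return hits


# Constructed sample events: two suspicious chains plus benign activity that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe"),                      # user opened a .vbs lure
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe"),                      # MSI installer stage
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe"),                        # user opened an .hta lure
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # benign: from explorer
    ProcEvent(800, 100, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(900, 800, r"C:\Windows\System32\msiexec.exe"),                      # benign: ordinary install
]


if __name__ == "__main__":
    for hit in find_script_host_chains(SAMPLE_EVENTS):
        print(hit)
```

In real telemetry the parent-image check should be combined with the command line and the originating file's location (a script launched from a Downloads or temp directory after a ZIP was opened is the pattern the summary describes), and msiexec.exe spawned by PowerShell is worth alerting on even when the parent is not a script host, since the MSI stage may be reached through other loaders.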