Danny Weber
23:54 25-11-2025
© E. Vartanyan
Sophos warns of STAC3150, a fast-shifting WhatsApp malware campaign using VBS/HTA, PowerShell and Selenium to hijack sessions, now delivering Astaroth trojan.
Sophos specialists have spotted a large-scale malware push running through WhatsApp. The operation, labeled STAC3150, has been active since September 24, 2025, and has already affected more than 250 users. The attackers keep their infrastructure in flux and refresh their toolset often, turning the campaign into a moving target for defenders.
The attack starts with a phishing message in Portuguese. The recipient is urged to open a file “for one-time viewing,” but instead of a document receives a ZIP archive. Inside are VBS or HTA scripts that trigger PowerShell and pull down additional malicious modules. The lure is simple and direct, which likely helps it blend into everyday chat traffic.
In late September, those modules communicated with the operators’ servers over IMAP, extracting the second stage from specially prepared mailboxes. In early October, the scheme shifted: downloads began to come over an HTTP connection to the domain varegjopeaks[.]com. From there, PowerShell and Python scripts take over, using Selenium WebDriver and WPPConnect to automate the interception of WhatsApp Web sessions. That enables token theft, copying of contact lists, and the automated spread of infected ZIP archives to the next wave of victims, turning compromised accounts into unwitting amplifiers.
By late October, the campaign evolved again as the attackers introduced an MSI installer that delivers the Astaroth (Guildma) banking trojan. After installation, it creates auxiliary files, adds itself to startup, and launches a malicious AutoIt script disguised as a routine .log file. According to Sophos, most detected infections are in Brazil, and the tactics are changing at a rapid clip, consistent with the campaign’s broader pattern of quick pivots.
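As an added illustration, not code from Sophos or from the article, the following Python sketch turns the chain described above into three simple detection rules and runs them over constructed endpoint events: a script host (VBS/HTA stage) spawning PowerShell, PowerShell contacting the download domain named in the report, and the AutoIt interpreter being run against a .log file (Astaroth stage). The key=value log format, the file paths and the AutoIt3.exe process name are assumptions; only the domain comes from the report.

```python
import re

# Constructed endpoint telemetry (key=value, quoted where needed); not real Sophos data.
SAMPLE_EVENTS = [
    r'type=process parent=explorer.exe image=wscript.exe cmd="wscript.exe C:\Users\u\Downloads\visualizar.vbs"',
    r'type=process parent=wscript.exe image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -c ..."',
    r'type=network image=powershell.exe dest=varegjopeaks.com port=80',
    r'type=process parent=msiexec.exe image=AutoIt3.exe cmd="AutoIt3.exe C:\ProgramData\cache\update.log"',
    r'type=process parent=explorer.exe image=winword.exe cmd="winword.exe report.docx"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # launchers of the VBS/HTA stage
# Domain reported by Sophos for the HTTP download stage; stored defanged, refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("varegjopeaks[.]com",)}


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV.findall(line)}


def classify(ev):
    """Map one event to a campaign-stage label, or None if no rule matches."""
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if kind == "process" and parent in SCRIPT_HOSTS and image == "powershell.exe":
        return "stage1: script host spawned PowerShell"
    if kind == "network" and image == "powershell.exe" and ev.get("dest", "").lower() in IOC_DOMAINS:
        return "stage2: PowerShell contacted known download domain"
    # AutoIt3.exe is the assumed interpreter name; the rule keys on a .log file given as its script.
    if kind == "process" and image == "autoit3.exe" and re.search(r"\S+\.log\b", ev.get("cmd", ""), re.I):
        return "stage3: AutoIt interpreter run against a .log file"
    return None


def scan(lines):
    """Return (line_index, label) for every event that matches a rule."""
    hits = []
    for i, line in enumerate(lines):
        label = classify(parse_event(line))
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```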