CSA warns of WhatsApp Web malware targeting banking data on computers

The Cyber Security Authority (CSA) has cautioned the public against a newly detected cyberattack in which criminals are using WhatsApp Web on Windows devices to distribute a sophisticated banking malware known as Astaroth, capable of stealing sensitive financial and login information from unsuspecting users.

According to the CSA, the malware is being distributed through malicious ZIP files sent to victims via WhatsApp messages, often disguised as legitimate documents and shared under convincing pretexts to lure users into opening them.

The Authority explained that once the ZIP file is extracted and executed on a Windows device, the Astaroth malware is installed and begins operating covertly in the background.

“The malware silently connects to WhatsApp Web, retrieves the victim’s contact list and automatically sends similar malicious messages to all contacts, thereby propagating itself without the victim’s knowledge,” the CSA noted.

The malware is designed to steal sensitive financial and personal information, including banking login credentials, one-time passwords (OTPs), browser cookies and keystrokes, which could be used to gain unauthorised access to financial accounts and facilitate fraud and other cybercrimes.

The CSA warned that the campaign highlights the evolving tactics of cybercriminals, who are increasingly leveraging trusted and widely used digital platforms to carry out financial crimes.

To mitigate the risk, the Authority urged the public to exercise caution when downloading or opening ZIP files and unexpected attachments received via WhatsApp, even when they appear to come from known contacts.

Users were also advised to be wary of messages that demand urgent action or require file downloads, as these are common social engineering techniques.

The CSA further recommended that users regularly check active WhatsApp Web sessions and log out of any unfamiliar sessions, avoid leaving WhatsApp Web signed in on shared or public computers, and ensure that Windows operating systems and applications are updated with the latest security patches.

The use of reputable and up-to-date endpoint security software capable of detecting and blocking malware activity was also strongly encouraged.

The Authority reminded the public that it operates a 24-hour Cybersecurity/Cybercrime Incident Reporting Point of Contact for reporting cyber incidents and seeking guidance. Reports can be made by calling or texting 292, via WhatsApp on 0501603111, or by email at report@csa.gov.gh.
