WhatsApp Compromise Leads to Astaroth Deployment

    Date: 11/21/2025

    Severity: Medium

    Summary

    Researchers are examining an ongoing, multi-stage malware campaign targeting WhatsApp users in Brazil. First detected on September 24, 2025, the operation, tracked as STAC3150, uses archive attachments that contain a downloader script responsible for fetching several second-stage components. Analysts also noted a separate Brazil-focused operation in which attackers used WhatsApp to spread the Maverick banking trojan for credential theft. In the STAC3150 campaign, the subsequent payloads include a script that harvests WhatsApp contacts and session details, along with an installer that deploys the Astaroth (Guildma) banking trojan.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    manoelimoveiscaioba.com
    varegjopeaks.com
    docsmoonstudioclayworks.online
    shopeeship.com
    miportuarios.com
    borizerefeicoes.com
    clhttradinglimited.com
    lefthandsuperstructures.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "borizerefeicoes.com" or url like "borizerefeicoes.com" or siteurl like "borizerefeicoes.com" or domainname like "lefthandsuperstructures.com" or url like "lefthandsuperstructures.com" or siteurl like "lefthandsuperstructures.com" or domainname like "manoelimoveiscaioba.com" or url like "manoelimoveiscaioba.com" or siteurl like "manoelimoveiscaioba.com" or domainname like "miportuarios.com" or url like "miportuarios.com" or siteurl like "miportuarios.com" or domainname like "shopeeship.com" or url like "shopeeship.com" or siteurl like "shopeeship.com" or domainname like "docsmoonstudioclayworks.online" or url like "docsmoonstudioclayworks.online" or siteurl like "docsmoonstudioclayworks.online" or domainname like "clhttradinglimited.com" or url like "clhttradinglimited.com" or siteurl like "clhttradinglimited.com" or domainname like "varegjopeaks.com" or url like "varegjopeaks.com" or siteurl like "varegjopeaks.com"

    Reference:  

    https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/


    Tags

    Malware, Astaroth, WhatsApp, Brazil, STAC3150, Maverick, Guildma, Trojan
