The Cyber Security Authority (CSA) has discovered a new WhatsApp web malware called Astaroth used to steal banking details of unsuspecting Ghanaians.
In a statement issued on Tuesday, the CSA said the new malware attack uses WhatsApp Web on Windows computers to spread the dangerous banking malware.
Explaining how it works, the CSA said criminals take advantage of the popularity and the trust people have in WhatsApp to trick users into getting infected. The Authority described the malware as “dangerous” as it is designed to steal banking details and login information, putting individuals and organisations at serious risk.
How the malware works
Threat actors initiate the attack by sending malicious ZIP files to victims through WhatsApp messages. These files are often disguised as legitimate documents or shared under convincing pretexts to encourage users to download and open them.
Once the ZIP file is extracted and executed on a Windows device, the Astaroth malware is installed. After installation, the malware silently connects to WhatsApp Web, where it retrieves the victim’s contact list and automatically sends malicious messages to all contacts, thereby propagating itself without the victim’s knowledge.
The malware then conducts extensive data harvesting activities in the background including the theft of banking login credentials, one-time passwords (OTPs), browser cookies, and keystrokes.
The CSA noted that this information can be used to gain unauthorized access to financial accounts, commit fraud, and facilitate further criminal activity.
The Authority has since made the following recommendations to users to avoid being victims of this malware;
- Exercise caution when downloading or opening ZIP files or unexpected attachments received via WhatsApp, even if they come from known contacts.
- Be cautious of messages that call for immediate action or require file downloads, as these are commonly used social engineering tactics.
- Check active WhatsApp Web sessions and log out of any you do not recognise. Avoid leaving WhatsApp Web signed in on shared or public computers.
- Ensure that Windows operating systems and installed applications are kept up to date with the latest security patches.
- Use reputable and up-to-date endpoint security software capable of detecting and blocking malware activity.
Anyone affected by the malware can reach out to engineers at the CSA for assistance via the contacts below:
- Email :[email protected]
- Call:292
- SMS: 292
- Whatsapp: 0501603111
- Mobile App : CSA GHANA









