The Cyber Security Authority (CSA) of Ghana has issued an urgent public alert regarding a sophisticated banking malware campaign targeting Windows users who utilize WhatsApp Web. This dangerous campaign leverages the widespread trust in WhatsApp to deploy the Astaroth malware, specifically designed to harvest sensitive financial data, including banking login credentials and one-time passwords (OTPs).
WhatsApp stopped working on our laptops yesterday in the evening around 8 pm at the Ghana Education News workstation. We had to work around the clock to restore the service this morning by reverting to the old WhatsApp instead of the WhatsApp Web.
The Modus Operandi: How the Attack Works
Cybercriminals behind this campaign initiate the attack by sending malicious ZIP files directly to victims through WhatsApp messages. These files are frequently disguised as legitimate business documents or shared under convincing pretexts to manipulate users into downloading and opening them.
Once a user extracts the ZIP file and runs its contents on a Windows device, the Astaroth malware is silently installed. Following installation, the malware performs several covert actions:
- Propagation: It connects to the victim’s WhatsApp Web account, retrieves their contact list, and automatically sends identical malicious messages to all contacts without the user’s knowledge.
- Data Harvesting: In the background, Astaroth conducts extensive data harvesting, stealing banking credentials and browser cookies, and even logging keystrokes.
- Financial Fraud: This stolen information allows attackers to gain unauthorized access to financial accounts, leading to direct theft and further criminal activity.
Critical Recommendations for Protection
To safeguard your personal and financial information, the CSA recommends the following immediate actions:
- Exercise Extreme Caution: Do not download or open unexpected ZIP files or attachments received via WhatsApp, even if they appear to come from known contacts.
- Watch for Social Engineering: Be wary of messages that demand immediate action or require file downloads, as these are common psychological tactics used by hackers.
- Manage Active Sessions: Regularly check your active WhatsApp Web sessions and log out of any devices you do not recognize. Avoid leaving your account signed in on shared or public computers.
- System Updates: Ensure your Windows operating system and all installed applications are updated with the latest security patches.
- Security Software: Utilize reputable and up-to-date endpoint security software capable of detecting and blocking malware like Astaroth.
Reporting Incidents
If you suspect you have been targeted or infected, the CSA maintains a 24-hour Cybersecurity/Cybercrime Incident Reporting Point of Contact. You can call or text 292, contact via WhatsApp at 0501603111, or email report@csa.gov.gh.
🚨 PUBLIC ALERT: WhatsApp Web Banking Malware 🚨
Targeting Windows Users in Ghana
🔍 1.0 Background
Cybersecurity experts have discovered a dangerous banking malware called Astaroth spreading via WhatsApp Web on Windows. It is specifically designed to steal banking logins, OTPs, and private credentials.
⚙️ 2.0 Modus Operandi (How it Works)
- 📩 Phishing: Attackers send malicious ZIP files disguised as legitimate documents via WhatsApp.
- 🕷️ Infection: Once the ZIP is opened, Astaroth malware installs silently on your PC.
- 🔄 Propagation: The malware sends itself to all your contacts automatically without your knowledge.
- 💳 Theft: It harvests banking OTPs, browser cookies, and logs every key you press.
✅ 3.0 Mandatory Recommendations
- Do NOT download ZIP files from WhatsApp, even from “known” contacts.
- Log out of WhatsApp Web from all public or shared computers immediately.
- Ensure your Windows Security and antivirus software are fully updated.
📞 REPORT INCIDENTS IMMEDIATELY
Call/Text: 292 | WhatsApp: 0501603111
Email: report@csa.gov.gh | Ref: CSA/CERT/MPA/2026-01/01
