New WhatsApp-Based Cyber Attack Wave
- 2 days ago
- 1 min read
Cybersecurity researchers have uncovered a new malware that uses WhatsApp as a distribution method to spread a Windows banking trojan named Astaroth (also known as Guildma). Astaroth is a banking trojan that has been active since 2024 and was specifically developed to steal the personal and financial information of users, particularly in Latin America.

In 2025, two cybercrime groups named PINEAPPLE and Water Makara spread this malware via phishing emails. Recently, cyber attackers have started spreading banking malware more frequently via WhatsApp messages. Due to the widespread use of WhatsApp globally, this method has rapidly become popular. Since at least September 24, 2025, attackers have been sending ZIP files via WhatsApp. Inside these ZIP files, there are:

- PowerShell or Python programs that secretly collect WhatsApp user information
- An MSI installation file that installs the malware on the computer

When the ZIP file is opened, the malware is installed on the computer and can capture sensitive information such as bank login credentials and personal data.
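
A file or mail gateway can check for this archive layout before a user opens it. The following is an added example, not code from the original article: it assumes the extensions `.ps1`, `.py` and `.msi` for the file types named above plus the OLE compound-file signature that MSI packages carry, and the verdict policy and sample archives are constructed.

```python
import io
import posixpath
import zipfile

# Assumed mapping from the file types named in the article to extensions.
SCRIPT_EXTS = {".ps1", ".py"}
INSTALLER_EXTS = {".msi"}
# MSI packages are OLE compound files; this is the compound-file signature.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def triage_zip(data: bytes) -> dict:
    """Classify the members of a ZIP without extracting anything to disk."""
    scripts, installers = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))  # header bytes only
            if ext in SCRIPT_EXTS:
                scripts.append(info.filename)
            # Match installers by content too, in case the extension was changed.
            if ext in INSTALLER_EXTS or head == OLE_MAGIC:
                installers.append(info.filename)
    if scripts and installers:
        verdict = "block"    # script + MSI pairing described in the article
    elif scripts or installers:
        verdict = "review"   # one of the two file types is present
    else:
        verdict = "allow"
    return {"scripts": scripts, "installers": installers, "verdict": verdict}


def make_zip(members: dict) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples with harmless placeholder contents.
SUSPICIOUS = make_zip({"invoice/run.ps1": b"# placeholder",
                       "invoice/setup.dat": OLE_MAGIC + b"\x00" * 16})
BENIGN = make_zip({"photos/readme.txt": b"holiday pictures"})

if __name__ == "__main__":
    print(triage_zip(SUSPICIOUS))
    print(triage_zip(BENIGN))
```
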

Some of the precautions we need to take to protect against these types of attacks include:

- Do not open emails from untrusted sources.
- Use multi-factor authentication (MFA).
- Keep your system updated to the latest version at all times.
- Monitor login logs regularly.
- Track the security of mobile devices.

For detailed information, you can reach out to our experts at info@zerosecond.com.ae




















