By: Benjamin Nii Nai Anyetei
The Cyber Security Authority (CSA) has issued a public alert warning Windows computer users of a new WhatsApp Web–based banking malware campaign that poses serious financial and data security risks. According to the CSA, cybersecurity experts have identified a malicious operation that exploits WhatsApp Web to spread a dangerous banking malware known as Astaroth. The attackers take advantage of the widespread use and trust associated with WhatsApp to deceive users into infecting their computers.
The Authority explains that the malware is designed to steal sensitive banking and login information, exposing both individuals and organisations to potential financial loss and fraud. The campaign highlights evolving cybercriminal tactics, where everyday digital tools are increasingly being weaponised to carry out financial crimes.
How the Attack Works
The CSA says threat actors typically initiate the attack by sending malicious ZIP files to victims through WhatsApp messages. These files are often disguised as legitimate documents or shared under convincing pretexts to encourage recipients to download and open them. Once the ZIP file is extracted and executed on a Windows device, the Astaroth malware is installed. The malware then silently connects to WhatsApp Web, where it retrieves the victim’s contact list and automatically sends similar malicious messages to those contacts—allowing the malware to spread without the victim’s knowledge.
In the background, the malware carries out extensive data harvesting, including the theft of banking login credentials, one-time passwords (OTPs), browser cookies and keystrokes. This information can be used to gain unauthorised access to financial accounts, commit fraud and support further criminal activity.
Safety Recommendations
The Cyber Security Authority is urging the public to exercise caution when downloading or opening ZIP files or unexpected attachments received via WhatsApp, even if they appear to come from known contacts. Users are also advised to be wary of messages that demand immediate action or require file downloads, as these are common social engineering techniques used by cyber criminals.
Additionally, the CSA recommends that users regularly check active WhatsApp Web sessions and log out of any unfamiliar sessions, while avoiding leaving WhatsApp Web signed in on shared or public computers. Keeping Windows operating systems and applications up to date with the latest security patches, as well as using reputable and updated endpoint security software, is also strongly encouraged.
The CSA has a 24-hour Cybersecurity and Cybercrime Incident Reporting Point of Contact for reporting cybercrimes and seeking assistance. The public can call or text 292, contact WhatsApp 0501603111, or email report@csa.gov.gh.
The alert was issued by the Cyber Security Authority on January 27, 2026, under reference CSA/CERT/MPA/2026-01/01.
READ FULL STATEMENT HERE
