CSA flags WhatsApp Web scam using “Astaroth” malware to harvest OTPs and bank logins
The Cyber Security Authority (CSA) has raised an alert over a coordinated cyberattack campaign in which criminals are weaponising WhatsApp Web to steal sensitive user data, including banking credentials and one-time passwords (OTPs) such as mobile money verification codes.
From the Authority’s account, the scheme is engineered mainly for Windows computer users and typically begins with a ZIP attachment delivered through WhatsApp. The files are made to look routine, often presented as:
- work documents
- invoices
- “shared files” from a contact
CSA says the malware behind the campaign has been identified as Astaroth, described as an advanced information-stealing virus.
The bait: “document” ZIP sent via WhatsApp
Attackers push malicious ZIP files through WhatsApp messages, using believable storylines to lower suspicion.
The trigger: download + extract on Windows
Once the victim downloads and extracts the ZIP on a Windows device, the malware installs quietly, with no obvious red flags.
The amplifier: WhatsApp Web used to self-propagate
After installation, the malware:
- connects to WhatsApp Web in the background
- pulls the victim’s contacts list
- automatically sends the same malicious file/message to those contacts
That creates a rapid spread loop, often before the victim realises anything is wrong.
The objective: credential and OTP harvesting
CSA indicates the malware then runs data-exfiltration activities, including:
- stealing bank login details
- capturing OTPs (including MoMo verification codes)
- taking browser cookies
- recording keystrokes (keylogging)
This package of stolen data can be leveraged to access bank accounts, compromise mobile money wallets, and execute unauthorised transactions.
CSA is urging users to tighten operational hygiene on messaging apps, especially when receiving attachments, even from people they know:
- Do not download or open unexpected ZIP files or attachments
- Update Windows and apps regularly (security patches matter)
- Run reputable antivirus/endpoint protection and keep it updated
- Treat any “urgent document” request as a red flag, even from a familiar contact
- Report unusual account activity immediately
CSA says affected users can contact their engineers via:
- Email: report@csa.gov.gh
- Call: 292
- SMS: 292
- WhatsApp: 0501603111
- Mobile App: CSA GHANA
