
Astaroth Banking Trojan: How WhatsApp Became a Vector for Financial Malware in Brazil
In January 2026, the Astaroth banking trojan was distributed through WhatsApp in Brazil, demonstrating how messaging platform dependencies create novel attack vectors.
Key Metrics
- Customers Targeted: Hundreds of thousands (was: N/A). Multi-bank campaign
- Distribution Vector: WhatsApp messages (was: Email phishing). Higher trust = higher success
- Attack Success Rate: Significantly higher (was: Email baseline). Trusted channel effect
- 2FA Bypass: SMS 2FA intercepted (was: 2FA protection). Overlay trojans bypass SMS 2FA
The Situation
The Attack Chain
Stage 1: Social Engineering
Attackers sent WhatsApp messages impersonating banks with urgency-driven content and malicious download links.
Stage 2: Payload Delivery
The download used obfuscation, stolen code signing certificates, and fileless execution to evade detection.
Stage 3: Credential Theft
Astaroth operated as an overlay trojan — displaying fake login screens over legitimate banking apps to capture credentials and intercept SMS 2FA codes.
Stage 4: Financial Exploitation
Attackers accessed victim accounts with captured credentials and intercepted 2FA, executing unauthorized transfers.
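Stages 3 and 4 leave a footprint a bank can look for: the credentials and SMS code captured by the overlay are replayed from a device the customer has never used, and a transfer to a never-seen beneficiary follows within minutes. The following detection logic is an added illustration, not code from the campaign report or from any bank; the events, the customer history, the 10-minute window and the two-signal threshold are all constructed assumptions.

```python
"""Detection logic for the credential-replay stage of an overlay-trojan campaign:
credentials and an SMS OTP captured on the victim's phone are replayed from a
device the customer has never used, followed within minutes by a transfer to a
beneficiary that has never been paid before. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real bank telemetry: (ts, user, device, event, payee)
EVENTS = [
    ("2026-01-08T09:00:00", "alice", "dev-A", "password_ok", ""),
    ("2026-01-08T09:00:20", "alice", "dev-A", "otp_ok", ""),
    ("2026-01-08T09:03:00", "alice", "dev-A", "transfer", "merchant-42"),  # usual device, usual payee
    ("2026-01-08T21:10:00", "alice", "dev-Z", "password_ok", ""),
    ("2026-01-08T21:10:09", "alice", "dev-Z", "otp_ok", ""),
    ("2026-01-08T21:11:30", "alice", "dev-Z", "transfer", "mule-777"),  # new device, new payee, fast
    ("2026-01-08T10:00:00", "bob", "dev-B", "password_ok", ""),
    ("2026-01-08T10:00:40", "bob", "dev-B", "otp_ok", ""),
    ("2026-01-08T10:30:00", "bob", "dev-B", "transfer", "new-payee-1"),  # known device, new payee only
]
# Per-customer history assumed to exist before the events above (constructed).
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}}
KNOWN_PAYEES = {"alice": {"merchant-42"}, "bob": set()}
TRANSFER_WINDOW = timedelta(minutes=10)  # assumed threshold: transfer "right after" OTP
MIN_SCORE = 2  # assumed: any two of the three signals together warrant review


def find_suspicious_sessions(events, known_devices, known_payees):
    """Group events into (user, device) sessions and score three independent signals.
    Returns {(user, device): [reasons]} for sessions reaching MIN_SCORE."""
    sessions = defaultdict(list)
    for ts, user, device, event, payee in sorted(events):
        sessions[(user, device)].append((datetime.fromisoformat(ts), event, payee))
    flagged = {}
    for (user, device), evs in sessions.items():
        reasons = []
        if device not in known_devices.get(user, set()):
            reasons.append("new_device")
        otp_time = next((t for t, e, _ in evs if e == "otp_ok"), None)
        first_transfer = next(((t, p) for t, e, p in evs if e == "transfer"), None)
        if first_transfer:
            t, payee = first_transfer
            if payee not in known_payees.get(user, set()):
                reasons.append("new_payee")
            if otp_time is not None and timedelta(0) <= t - otp_time <= TRANSFER_WINDOW:
                reasons.append("transfer_soon_after_otp")
        if len(reasons) >= MIN_SCORE:
            flagged[(user, device)] = reasons
    return flagged
```

Calling `find_suspicious_sessions(EVENTS, KNOWN_DEVICES, KNOWN_PAYEES)` flags only alice's dev-Z session; a new payee alone (bob) or a quick transfer from a trusted device (alice on dev-A) stays below the threshold, which keeps the rule from firing on ordinary banking behaviour.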
Scale
Hundreds of thousands of Brazilian banking customers across multiple banks were affected. Success rates significantly exceeded email phishing due to WhatsApp trust.
The Challenge
Financial Malware Through Messaging Platforms
On January 8, 2026, The Hacker News reported on the Astaroth banking trojan being distributed through WhatsApp in Brazil. Astaroth steals banking credentials, payment card data, and cryptocurrency wallet information. The WhatsApp vector was significant because Brazilian banks deeply integrate WhatsApp into customer communication — training customers to trust banking messages on the platform.
The campaign exploited this trust with messages resembling legitimate bank communications, directing users to download a malicious "banking app update." Once installed, Astaroth captured credentials via overlay screens, intercepted SMS 2FA codes, and exfiltrated financial data.
For DORA, this illustrates a risk category that ICT risk frameworks may underestimate: weaponization of legitimate communication platforms used by financial institutions. When a bank integrates WhatsApp, it creates a trust vector that adversaries exploit.
The Approach
DORA and Communication Channel Risk
Art. 5-6 — Channel Risk Assessment
ICT risk management must assess social engineering risks created by each customer communication channel.
Art. 9 — Customer-Facing Security
Protection measures must extend to customer interactions: anti-impersonation measures, awareness programmes, and impersonation campaign detection.
Art. 45-49 — Trojan Intelligence Sharing
Pillar V sharing should include banking trojan IOCs, distribution methods, and social engineering techniques — particularly for multi-institution campaigns.
For European institutions, the Brazilian campaign is a preview of attacks that may target banks using WhatsApp or similar platforms for customer communication.
The Results
Messaging Platforms as Attack Surface
Every channel a bank uses for customer communication becomes a channel adversaries can impersonate. More channels = larger impersonation surface. More customer trust in a channel = more effective impersonation.
Recommendations
- Include communication channel risk in DORA Art. 5-6 assessments
- Implement anti-impersonation measures (verified sender, digital signatures)
- Share trojan IOCs via DORA Art. 45
- Prioritize app-based authentication over SMS 2FA
- Consider reducing third-party messaging for sensitive banking communications in favor of in-app messaging
Lessons Learned
1. DORA Art. 5-6 must assess social engineering risks from customer communication channel choices.
2. DORA Art. 9 protection must extend to customer-facing interactions with anti-impersonation measures.
3. DORA Art. 45-49 should include active sharing of banking trojan IOCs for multi-institution campaigns.
4. SMS-based 2FA is vulnerable to overlay trojan interception — app-based authentication is more resistant.
5. In-app messaging is more secure than third-party messaging for banking communications.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.
Facing similar challenges?
See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.