The Cyber Security Authority (CSA) has issued a public alert over a new cyberattack campaign targeting Windows users through WhatsApp Web, warning that the malware involved poses serious financial risks.
On January 27, 2026, the CSA issued an alert as part of ongoing efforts to protect individuals and organizations from emerging cyber threats.
The agency warned that cybercriminals are distributing a sophisticated banking malware called Astaroth through malicious ZIP files sent via WhatsApp messages, often disguised as legitimate documents to trick users into opening them.
Get the latest news, updates by joining our WhatsApp channel here: Join on WhatsApp.
Once executed on a Windows computer, the malware installs itself silently and links to WhatsApp Web. It then retrieves the victim’s contact list and automatically sends similar malicious files to those contacts, allowing the malware to spread rapidly without the user’s knowledge.
Beyond self-propagation, Astaroth is designed to steal sensitive financial and personal data. The malware harvests banking login credentials, one-time passwords (OTPs), browser cookies, and keystrokes, enabling attackers to gain unauthorised access to financial accounts and commit fraud.
The CSA notes that the campaign highlights the evolving tactics of cybercriminals, who increasingly exploit trusted digital platforms and everyday communication tools to carry out financial crimes.
To reduce the risk of infection, the Authority has advised the public to avoid downloading or opening ZIP files and unexpected attachments received via WhatsApp, even when they appear to come from known contacts.
Users are also urged to be cautious of messages that demand urgent action, as these are common social engineering tactics.
The CSA further recommends that users regularly check active WhatsApp Web sessions and log out of any unfamiliar devices, keep their Windows systems and applications updated with the latest security patches, and install reputable endpoint security software capable of detecting and blocking malware.
The Authority has encouraged anyone affected or in need of guidance to report incidents through its 24-hour Cybersecurity and Cybercrime Incident Reporting channels by calling or texting 292, sending a WhatsApp message to 0501603111, or emailing report@csa.gov.gh.
