Threat Identified by Authorities

The Ghana Cyber Security Authority has issued an emergency security alert about a malware threat which uses WhatsApp Web to steal banking credentials and financial verification codes from users. The warning was released on January 27 2026, and it describes a campaign which uses deceptive messages to target Windows computer users and spread malware while stealing their private information.

How the Attack Works

Cybercriminals who lead the campaign send their targets WhatsApp messages which contain ZIP file attachments that masquerade as authentic documents. The user will download the ZIP file which will lead to Astaroth malware installation because the malware begins its process when the user extracts the contents of the ZIP file.

The malware establishes a hidden connection with WhatsApp Web to collect vital information which includes banking login details and one-time passwords and browser cookies and keystrokes. The malware identifies contacts in the infected system and spreads itself by sending identical malicious files to all contacts without alerting the user.

Risks to Financial Security

Cybercriminals gain complete access to all financial accounts when they obtain stolen banking credentials together with mobile money verification codes. The system permits attackers to execute unauthorized financial activities which result in substantial monetary losses that affect both individual victims and business entities.

The CSA reports that the Brazilian campaign which started in Brazil has now spread to various countries including Ghana. The malware uses WhatsApp as a trusted platform to create deceptive threats which increase the chances of users downloading harmful attachments.

Advice and Protective Measures

The Cyber Security Authority urges the public to:

• Avoid downloading attachments from messaging platforms until they receive complete verification.
• People need to maintain their operating systems and security software through continuous installation of new updates.
• People need to use reliable antivirus and anti-malware software for the purpose of detecting and preventing security threats.
• All financial account holders must report every instance of suspicious behavior without delay.

Ongoing Monitoring

The CSA keeps track of cyber threats which require organizations to maintain continuous security monitoring because scammers create new methods of attack. The organization provides three contact methods which include an email address, phone number and WhatsApp contact for people who require assistance or want to report suspicious behavior.