Cybersecurity researchers have revealed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking Trojan called Astaroth in an attack targeting Brazil.
The campaign has been codenamed “Boto Cor-de-Rosa” by Acronis Threat Research Unit.
“The malware obtains the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” the cybersecurity firm said in a report shared with The Hacker News.
“While the core Astaroth payload is still written in Delphi and its installer relies on Visual Basic scripts, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the increasing use of multilingual module components by threat actors.”
Astaroth, also known as Guildma, is a banking malware that has been detected in the wild since 2015 and primarily targets users in Latin America, especially Brazil, to facilitate data theft. In 2024, multiple threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to spread malware.
Using WhatsApp as a delivery vehicle for banking Trojans is a new tactic gaining traction among attackers targeting users in Brazil, driven by the messaging platform’s proliferation in the country. Trend Micro last month detailed Water Sashi’s reliance on WhatsApp to spread its Maverick and Kasbaneiro variants.
In a report published in November 2025, Sophos said it was tracking a multi-stage malware distribution campaign codenamed STAC3150 that used Astaroth to target WhatsApp users in Brazil. More than 95% of the affected devices were located in Brazil, and to a lesser extent in the United States and Austria.
The campaign has been active since at least September 24, 2025, and delivers a ZIP archive containing a downloader script that retrieves a PowerShell or Python script that collects WhatsApp user data for further propagation, and an MSI installer that deploys the Trojan. Acronis’ latest findings are a continuation of this trend, with ZIP files distributed through WhatsApp messages acting as a starting point for malware infections.
“When victims extract and open the archive, they will encounter Visual Basic Script disguised as a harmless file,” the cybersecurity firm said. “Running this script triggers the download of the next stage component and begins the compromise.”
It contains two modules –
A Python-based propagation module that collects a victim’s WhatsApp contacts and automatically transfers a malicious ZIP file to each contact. In effect, it leads to the spread of malware in a worm-like manner. It is a banking module that runs in the background and continuously monitors the victim’s web browsing activities and is activated when a bank-related URL is visited and collects credentials for financial gain.
“Malware authors also implemented built-in mechanisms to track and report propagation metrics in real time,” Acronis said. “This code periodically records statistics such as the number of successfully delivered messages, the number of failed attempts, and the sending rate measured in messages per minute.”
Source link
