
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging

January 9, 2026
Jan 08, 2026Ravie LakshmananMalware / Monetary Crime

Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil.

The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit.

“The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” the cybersecurity company said in a report shared with The Hacker News.

“While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors’ growing use of multi-language modular components.”


Astaroth, also called Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, particularly Brazil, to facilitate data theft. In 2024, a number of threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to propagate the malware.

The use of WhatsApp as a delivery vehicle for banking trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, a move fueled by the widespread use of the messaging platform in the country. Last month, Trend Micro detailed Water Saci’s reliance on WhatsApp to spread Maverick and a variant of Casbaneiro.

Sophos, in a report published in November 2025, said it is tracking a multi-stage malware distribution campaign codenamed STAC3150 targeting WhatsApp users in Brazil with Astaroth. More than 95% of the impacted devices were located in Brazil, and, to a lesser extent, in the U.S. and Austria.

The activity, active since at least September 24, 2025, delivers ZIP archives containing a downloader script that retrieves a PowerShell or Python script to collect WhatsApp user data for further propagation, along with an MSI installer that deploys the trojan. The latest findings from Acronis are a continuation of this trend, where ZIP files distributed via WhatsApp messages act as a jumping-off point for the malware infection.

“When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” the cybersecurity company said. “Executing this script triggers the download of the next-stage components and marks the beginning of the compromise.”


This includes two modules:

  • A Python-based propagation module that gathers the victim’s WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, effectively leading to the spread of the malware in a worm-like manner
  • A banking module that operates in the background and continuously monitors a victim’s web browsing activity, and activates when banking-related URLs are visited to harvest credentials and enable financial gain

“The malware author also implemented a built-in mechanism to track and report propagation metrics in real time,” Acronis said. “The code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute.”
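For the delivery step described above (a ZIP archive whose Visual Basic Script is disguised as a benign file, alongside an MSI installer), a defender can triage received archives by listing members that would execute rather than open. This is an added example, not code from the article or from Acronis; the extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs on double-click: script hosts, shortcuts, installers.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                   ".bat", ".cmd", ".ps1", ".lnk", ".msi"}
# Extensions a lure commonly imitates in the part of the name shown to the user.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_zip(data: bytes) -> list[dict]:
    """List archive members that would execute, not open, when double-clicked."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "unreadable archive"}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Use only the file name; ZIP paths may use either slash style.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            # Strip padding spaces that push the real extension out of view.
            parts = [p.strip().lower() for p in name.split(".")]
            if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
                continue
            disguised = len(parts) > 2 and "." + parts[-2] in DECOY_EXTS
            findings.append({
                "member": info.filename,
                "reason": "double extension hides script" if disguised
                          else "executable script or installer",
            })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: harmless text stored under lure-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Comprovante_0001.pdf.vbs", "' constructed placeholder\n")
        z.writestr("docs/leiame.txt", "constructed placeholder\n")
        z.writestr("setup.msi", "constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

The check looks only at member names, so it suits a mail or messaging gateway that quarantines archives before a user opens them; it does not inspect script contents.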
