WhatsApp Worm Propagates Astaroth Banking Trojan in Brazil Through Auto-Messaging

Cybersecurity researchers have uncovered a new malware campaign that abuses WhatsApp as a distribution channel to spread the Astaroth banking trojan across Brazil. The operation specifically targets Windows users and represents an evolution in how financial malware is propagated in the region.

The campaign has been named Boto Cor-de-Rosa by the Acronis Threat Research Unit.

According to Acronis, the malware is capable of extracting a victim’s WhatsApp contact list and automatically sending malicious messages to every contact, enabling rapid and uncontrolled spread. While the core Astaroth payload remains written in Delphi and its installer continues to rely on Visual Basic Script, the newly introduced WhatsApp worm component is fully developed in Python. This shift highlights the growing adoption of multi-language and modular malware architectures by threat actors.

Background on Astaroth Malware

Astaroth, also known as Guildma, is a well-established banking trojan that has been active since 2015. It has historically focused on Latin American users, with Brazil being the primary target. The malware is designed to steal sensitive financial data and enable fraudulent transactions.

Throughout 2024, multiple threat clusters tracked as PINEAPPLE and Water Makara were observed distributing Astaroth through phishing emails. The transition to WhatsApp-based delivery marks a significant tactical change.

WhatsApp as a Malware Delivery Vector

The use of WhatsApp for spreading banking trojans has gained momentum due to the platform’s massive adoption in Brazil. Threat actors are increasingly exploiting user trust in personal messages to bypass traditional email-based security controls.

In recent activity, Trend Micro documented Water Saci leveraging WhatsApp to distribute Maverick malware and a modified version of Casbaneiro. The current Astaroth campaign aligns closely with this emerging pattern.


Multi-Stage Infection Chain

Sophos, in a report published in November 2025, revealed a related multi-stage campaign tracked as STAC3150, which also targeted WhatsApp users in Brazil with Astaroth. More than 95 percent of the affected systems were located in Brazil, with limited spillover into the United States and Austria.

The campaign, active since at least September 24, 2025, distributes ZIP archives via WhatsApp messages. These archives contain a downloader script that retrieves either a PowerShell or Python script to collect WhatsApp user data, along with an MSI installer that deploys the banking trojan.

Acronis noted that its latest findings are a direct continuation of this trend. Once a victim extracts and opens the ZIP archive, a Visual Basic Script disguised as a harmless file is executed. This action initiates the download of additional components and marks the start of the system compromise.
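The delivery chain described above (a ZIP archive carrying a Visual Basic Script disguised as a harmless file, with a PowerShell or Python downloader and an MSI installer alongside it) is exactly the shape a mail or messaging gateway can triage without extracting anything. The following Python script is an added example written for this article, not code from Acronis, Sophos or the campaign itself: it walks a ZIP's central directory and flags members whose final extension is a script or installer type, and in particular those that wear a decoy extension such as `.pdf` in front of the real one. The extension lists, the sample archive and its file names are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Extensions that run as a script or installer when double-clicked on Windows.
# Constructed list for this example; tune it to local policy.
SCRIPT_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd",
    ".hta", ".py", ".msi", ".exe", ".scr", ".lnk",
}

# Extensions typically used as the "harmless" visible part of a double-extension lure.
DECOY_EXTENSIONS = {
    ".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx",
    ".txt", ".mp3", ".mp4",
}


def classify_member(name: str) -> List[str]:
    """Return the reasons a single archive member looks suspicious (empty list if none)."""
    reasons: List[str] = []
    # Normalise Windows separators so the file name is parsed consistently.
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return reasons
    final = suffixes[-1]
    if final in SCRIPT_EXTENSIONS:
        reasons.append(f"executable script/installer member: {name}")
        # e.g. "Comprovante.pdf.vbs": a decoy extension placed before the real one.
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension masquerading as {suffixes[-2]}: {name}")
    # Runs of spaces before the real extension push it out of view in file dialogs.
    if "  " in path.name:
        reasons.append(f"padded filename hides extension: {name}")
    return reasons


def triage_zip(data: bytes) -> Dict[str, object]:
    """Inspect an in-memory ZIP by reading only its directory; nothing is extracted or run."""
    members: List[str] = []
    reasons: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members.append(info.filename)
            reasons.extend(classify_member(info.filename))
    return {"members": members, "reasons": reasons, "suspicious": bool(reasons)}


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking the lure shape; contents are placeholder text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Comprovante.pdf.vbs", "' placeholder text, not a real script\n")
        zf.writestr("leiame.txt", "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_archive())
    print("suspicious:", result["suspicious"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Because the check reads only the central directory, it is cheap enough to run on every inbound archive, and a hit on the double-extension rule is a strong enough signal to quarantine the message for analyst review rather than deliver it.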

Worm-Like Propagation and Banking Theft

The infection process deploys two main modules.

  • A Python-based propagation module that collects WhatsApp contacts and automatically forwards a malicious ZIP archive to each contact, enabling worm-like spread
  • A banking module that runs silently in the background, monitors web browsing activity, and activates when banking-related websites are accessed to steal credentials and facilitate financial fraud

Acronis researchers also identified a built-in tracking mechanism within the malware. This system records real-time propagation metrics, including successful message deliveries, failed attempts, and the rate of message transmission per minute. These statistics allow attackers to monitor and optimize the campaign’s spread.
