Cyber Web Spider Blog – News
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging

Posted on January 8, 2026 by CWS

Jan 08, 2026Ravie LakshmananMalware / Monetary Crime
Cybersecurity researchers have disclosed particulars of a brand new marketing campaign that makes use of WhatsApp as a distribution vector for a Home windows banking trojan known as Astaroth in assaults focusing on Brazil.
The marketing campaign has been codenamed Boto Cor-de-Rosa by Acronis Menace Analysis Unit.
“The malware retrieves the sufferer’s WhatsApp contact listing and routinely sends malicious messages to every contact to additional unfold the an infection,” the cybersecurity firm stated in a report shared with The Hacker Information.
“Whereas the core Astaroth payload stays written in Delphi and its installer depends on Visible Fundamental script, the newly added WhatsApp-based worm module is applied fully in Python, highlighting the menace actors’ rising use of multi-language modular parts.”

Astaroth, also called Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, particularly Brazil, to facilitate data theft. In 2024, multiple threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to propagate the malware.

The use of WhatsApp as a delivery vehicle for banking trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, a move fueled by the widespread use of the messaging platform in the country. Last month, Trend Micro detailed Water Saci’s reliance on WhatsApp to spread Maverick and a variant of Casbaneiro.

Sophos, in a report published in November 2025, said it’s tracking a multi-stage malware distribution campaign codenamed STAC3150 targeting WhatsApp users in Brazil with Astaroth. More than 95% of the impacted devices were located in Brazil, and, to a lesser extent, in the U.S. and Austria.

The activity, active since at least September 24, 2025, delivers ZIP archives containing a downloader script that retrieves a PowerShell or Python script to collect WhatsApp user data for further propagation, along with an MSI installer that deploys the trojan. The latest findings from Acronis are a continuation of this trend, where ZIP files distributed via WhatsApp messages act as a jumping-off point for the malware infection.

“When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” the cybersecurity company said. “Executing this script triggers the download of the next-stage components and marks the beginning of the compromise.”

This includes two modules:

  • A Python-based propagation module that gathers the victim’s WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, effectively leading to the spread of the malware in a worm-like manner
  • A banking module that operates in the background and continuously monitors a victim’s web browsing activity, and activates when banking-related URLs are visited to harvest credentials and enable financial gain

“The malware author also implemented a built-in mechanism to track and report propagation metrics in real time,” Acronis said. “The code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute.”
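The delivery step described above is a ZIP archive carrying a Visual Basic Script disguised as a benign file, so a mail or endpoint gateway can inspect archive members before a user opens them. The following is an added example, not code from Acronis, Sophos or the article; the extension lists, the double-extension heuristic, the limits and the sample file names are assumptions.

```python
import io
import zipfile

# .vbs is the type named in the article; the rest are an assumed set of
# script types that Windows runs on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
# Assumed decoy extensions a lure might borrow to look like a document.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_DEPTH = 2                    # how many levels of nested ZIPs to open
MAX_NESTED_BYTES = 20 * 1024**2  # refuse to inflate larger nested archives

def scan_zip(data, depth=0, prefix=""):
    """Return (member_path, reason) findings for a ZIP held in memory."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "not a valid ZIP")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.rsplit("/", 1)[-1].rstrip(". ").lower()
            exts = ["." + part.strip() for part in name.split(".")[1:]]
            last = exts[-1] if exts else ""
            if last in SCRIPT_EXTS:
                decoy = len(exts) > 1 and exts[-2] in DECOY_EXTS
                findings.append((path, "script with decoy double extension"
                                 if decoy else "script file"))
            elif last == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    findings.append((path, "nested archive not inspected"))
                else:
                    findings += scan_zip(archive.read(info), depth + 1, path + "!/")
    return findings

def build_sample():
    """Constructed archive with placeholder bytes only (no real script content)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/Fatura.pdf.vbs", "placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "placeholder")
        z.writestr("update.VBS", "placeholder")
        z.writestr("anexo.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(f"{reason}: {path}")
```

A finding here is a reason to quarantine or block the attachment, not proof of Astaroth; encrypted members are not handled and would need to be rejected separately.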
