Ethical Hacking News
WhatsApp Worm Spreads Banking Trojan Astaroth Across Brazil via Contact Auto-Messaging: a growing concern for cybersecurity as threat actors turn to messaging platforms to spread malware. This article covers the new campaign and how it is affecting Brazilian users.
Acronis has uncovered a new WhatsApp-based banking trojan campaign, codenamed Boto Cor-de-Rosa, targeting Brazil. The malware uses WhatsApp to spread infection in a worm-like manner by sending malicious messages to each contact. Astaroth is a banking malware that facilitates data theft by monitoring web browsing activity and harvesting credentials when banking-related URLs are visited. WhatsApp has been used as a delivery vehicle for banking trojans, including Water Saci's reliance on WhatsApp to spread Maverick and Casbaneiro. The campaign delivers ZIP archives containing downloader scripts that retrieve PowerShell or Python scripts to collect WhatsApp user data.
In a recent development that has left cybersecurity experts scrambling, a new campaign has been uncovered that utilizes WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil. The campaign, codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit, is part of a larger trend where threat actors are increasingly using social media platforms to spread malware and conduct financial crimes.
According to the report shared with The Hacker News, the malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact, effectively spreading the infection in a worm-like manner. This tactic has gained traction among threat actors targeting Brazilian users, who have already been heavily affected by previous banking trojan activity such as PINEAPPLE and Water Makara.
Astaroth, also known as Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, particularly Brazil. The malware facilitates data theft by operating in the background and continuously monitoring a victim's web browsing activity, activating when banking-related URLs are visited to harvest credentials.
The use of WhatsApp as a delivery vehicle for banking trojans is a significant development in the world of cybersecurity. Last month, Trend Micro detailed Water Saci's reliance on WhatsApp to spread Maverick and a variant of Casbaneiro. Sophos, in a report published in November 2025, said it's tracking a multi-stage malware distribution campaign codenamed STAC3150 targeting WhatsApp users in Brazil with Astaroth.
The activity, active since at least September 24, 2025, delivers ZIP archives containing a downloader script that retrieves a PowerShell or Python script to collect WhatsApp user data for further propagation. The latest findings from Acronis are a continuation of this trend, where ZIP files distributed through WhatsApp messages act as a jumping-off point for the malware infection.
"When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file," said the cybersecurity company. "Executing this script triggers the download of the next-stage components and marks the beginning of the compromise." The malware includes two modules. The first is a Python-based propagation module that gathers the victim's WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, spreading the malware in a worm-like manner.
The second is the banking module, which operates in the background and continuously monitors the victim's web browsing activity, activating when banking-related URLs are visited to harvest credentials. The malware author also implemented a built-in mechanism to track and report propagation metrics in real time: the code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute.
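The infection chain above starts with a ZIP archive whose script member is dressed up as a harmless file. As an added example (not code from the article, from Acronis, or from the malware), the following Python helper shows the kind of triage check a mail or messaging gateway, or an analyst, can run on such an archive: it lists members that are script types and flags those hiding a script extension behind a document or image extension. The double-extension disguise and the sample file names are assumptions constructed for the example; the article does not state how the script was disguised.

```python
"""Triage helper for ZIP archives delivered over messaging apps.

Added example, not part of the article or of any vendor's tooling.
It flags archive members that are executable scripts and, as an assumed
disguise technique, members like "Comprovante.pdf.vbs" where a script
extension is hidden behind a benign-looking one.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Script extensions commonly executed by Windows Script Host, PowerShell, etc.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "ps1", "py", "bat", "cmd", "hta"}
# Extensions a user is likely to consider harmless (assumed decoy set).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if the member name looks like a script payload."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    ext = parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    # "report.pdf.vbs": decoy extension immediately before the script extension
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return f"script disguised as .{parts[-2]} (.{ext})"
    return f"script payload (.{ext})"


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Inspect an in-memory ZIP and return (member name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for demonstration; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante.pdf.vbs", "' placeholder, not a real script\n")
        zf.writestr("leia-me.txt", "benign text file\n")
        zf.writestr("scripts/setup.ps1", "# placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_archive()):
        print(f"{member}: {reason}")
```

Running the script on the constructed archive reports the disguised `.vbs` and the `.ps1` member while leaving the text file alone; in practice the same check would sit in front of any workflow that accepts user-supplied archives, with the findings forwarded to a sandbox rather than acted on blindly.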
The use of WhatsApp as a delivery vehicle for banking trojans has significant implications for security teams and users alike. As more threat actors turn to messaging platforms to spread malware, users need to be aware of the risks that come with WhatsApp and other messaging apps, in particular archives and scripts received from contacts.
"The widespread use of WhatsApp in Brazil has made it an attractive target for threat actors," said a cybersecurity expert. "Users must take necessary precautions to protect themselves from such attacks, including being cautious when opening messages from unknown contacts."
The discovery of this new campaign highlights the evolving nature of cyber threats and the need for continuous vigilance among cybersecurity experts and users.
Related Information:
https://www.ethicalhackingnews.com/articles/WhatsApp-Worm-Spreads-Banking-Trojan-Astaroth-Across-Brazil-via-Contact-Auto-Messaging-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html
Published: Thu Jan 8 11:32:14 2026 by llama3.2 3B Q4_K_M