Sunday, January 11, 2026


WhatsApp-based worm spreads Astaroth banking malware in Brazil

A new cyber threat campaign is exploiting the widespread use of WhatsApp in Brazil to rapidly spread a long-running banking trojan, highlighting how messaging platforms are increasingly being weaponised by threat actors.

Cybersecurity researchers have uncovered a fresh attack chain that uses WhatsApp to distribute the Windows-based Astaroth banking trojan, primarily targeting users in Brazil. The campaign, tracked by the Acronis Threat Research Unit, has been codenamed Boto Cor-de-Rosa.

“The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” the cybersecurity firm said in a report.

“While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors’ growing use of multi-language modular components.”

Astaroth, also known as Guildma, has been active since 2015 and mainly targets users in Latin America, especially Brazil, to steal sensitive financial data. In 2024, separate threat clusters identified as PINEAPPLE and Water Makara were seen spreading the malware through phishing emails.

Researchers say the use of WhatsApp as a delivery channel marks an escalation in tactics, driven by the platform’s massive adoption in Brazil. Earlier, Trend Micro reported that the Water Saci group used WhatsApp to spread Maverick malware and a variant of Casbaneiro.

In November 2025, Sophos disclosed a multi-stage campaign named STAC3150 targeting WhatsApp users in Brazil with Astaroth. More than 95% of infected devices were located in Brazil, with the rest found in the U.S. and Austria. That campaign has been active since at least September 24, 2025.

According to the latest findings, malicious ZIP files shared through WhatsApp messages act as the initial infection point. “When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” researchers said. “Executing this script triggers the download of the next-stage components and marks the beginning of the compromise.”
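The lure described above is a script inside a ZIP archive whose file name makes it look like a document. The following is an added example of a defensive triage check, not code from Acronis or from the article: it opens a ZIP, flags members with script or executable extensions, and calls out the double-extension trick (for example a `.pdf.vbs` name) before a user ever extracts the archive. The sample archive, its file names and the placeholder script body are constructed for the demonstration; the extension lists are a generic heuristic, not a list of indicators from the campaign.

```python
"""Triage a ZIP archive for script lures such as the disguised VBScript above.

Added example; not the article's or Acronis' code. The sample archive and
file names are constructed, and the heuristics are a generic defensive check.
"""
import hashlib
import io
import zipfile

# Extensions that Windows runs as scripts or programs on double-click.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                   ".bat", ".cmd", ".ps1", ".exe", ".scr", ".lnk"}

# Extensions commonly placed in front of the real one to look benign.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_member(name):
    """Return the reasons a ZIP member looks like a script lure (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()   # drop any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension disguised as .{parts[-2]}")
    # Runs of spaces push the real extension out of view in a file listing.
    if "   " in base:
        reasons.append("whitespace padding hides true extension")
    return reasons


def triage_zip(data):
    """Inspect ZIP bytes; return {member_name: reasons} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def sha256_hex(data):
    """SHA-256 of the archive, for logging or submission to a sandbox."""
    return hashlib.sha256(data).hexdigest()


def build_sample_archive():
    """Constructed sample: one harmless text file and one disguised VBScript name.

    The script body is a placeholder comment, not a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("documento.pdf.vbs", "' placeholder script body\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("sha256:", sha256_hex(sample))
    for member, why in triage_zip(sample).items():
        print(f"FLAG {member}: {'; '.join(why)}")
```

Run it on the constructed archive and only `documento.pdf.vbs` is flagged, with both the executable extension and the double-extension disguise named as reasons; `readme.txt` passes. In practice the same function would sit in a mail or messaging gateway, or in an endpoint script that inspects downloaded archives before extraction, and the hash would be logged alongside the finding.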

The malware uses two main modules. One is a Python-based propagation module that harvests WhatsApp contacts and automatically forwards a malicious ZIP file to them, spreading like a worm. The second is a banking module that silently monitors web activity and activates when banking-related websites are accessed, in order to steal credentials.

“The malware author also implemented a built-in mechanism to track and report propagation metrics in real time,” Acronis said, adding that the code logs message delivery success, failures, and sending rates per minute.
