
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging

Published:

8 January 2026 at 17:10:00

Alert date:

8 January 2026 at 18:02:39

Source:

thehackernews.com


Mobile & IoT, Ransomware & Malware, Email & Messaging

A new cybersecurity campaign codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit uses WhatsApp as a distribution vector for the Astaroth banking trojan targeting Brazil. The malware retrieves victims' WhatsApp contact lists and automatically sends malicious messages to each contact to spread further. This represents an innovative use of WhatsApp's messaging platform for malware distribution. The campaign specifically targets Brazilian users with banking trojan capabilities. The self-propagating nature through contact auto-messaging makes this a particularly concerning threat.

Technical details

The Boto Cor-de-Rosa campaign uses WhatsApp to distribute the Astaroth banking trojan in Brazil. The malware consists of multiple modules: a core payload written in Delphi with a Visual Basic Script installer, and a new Python-based WhatsApp worm module. The attack begins with ZIP archives distributed via WhatsApp messages, each containing a Visual Basic Script disguised as a benign file. When executed, the script downloads two main modules:

1) a Python propagation module that harvests the victim's WhatsApp contacts and automatically forwards the malicious ZIP files to them, so the malware spreads worm-like, and
2) a banking module that monitors web browsing activity and activates when banking URLs are visited in order to steal credentials.

The malware also includes real-time propagation tracking that logs delivery statistics, failed attempts and sending rates.
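A defender-side check for the lure format described above, added here as an example and not code from Acronis or from the advisory: it scans a ZIP attachment for script members and for the double-extension and whitespace-padding tricks used to make a Visual Basic Script look like a document or image. The sample archive, file names and extension lists are constructed for the example.

```python
import io
import zipfile

# Script hosts that execute when double-clicked on Windows; the Boto Cor-de-Rosa
# lure is a ZIP carrying a Visual Basic Script disguised as a benign file.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
# Extensions a recipient would expect in a harmless attachment (assumed list).
BENIGN_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def classify_member(name):
    """Return the reasons a ZIP member looks like a script lure (empty list if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return reasons
    last = "." + parts[-1].strip()
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {last}")
        # "comprovante.pdf.vbs": a benign-looking extension placed just before the real one.
        if len(parts) >= 3 and "." + parts[-2].strip() in BENIGN_EXTENSIONS:
            reasons.append(f"double extension hides {last} behind .{parts[-2].strip()}")
        # Runs of spaces push the real extension out of view in file dialogs.
        if "  " in name:
            reasons.append("whitespace padding in file name")
    return reasons

def inspect_zip(data):
    """Scan ZIP bytes and return {member_name: [reasons]} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = classify_member(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample, not a real campaign artifact: a benign image beside a disguised VBS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto.jpg", b"\xff\xd8\xff\xe0 fake jpeg bytes")
        zf.writestr("comprovante.pdf                .vbs", 'WScript.Echo "constructed, inert"')
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

In a mail or messaging gateway this check would run on the attachment bytes before delivery; the extension lists are a starting point, not a complete policy.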

Affected products:

WhatsApp
Windows operating systems

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
