Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil.
The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit.
“The malware retrieves the victim’s WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection,” the cybersecurity company said in a report shared with The Hacker News.
“While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors’ growing use of multi-language modular components.”
Astaroth, also known as Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, particularly Brazil, to facilitate data theft. In 2024, several threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to propagate the malware.
The use of WhatsApp as a delivery vehicle for banking trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, a move fueled by the widespread use of the messaging platform in the country. Last month, Trend Micro detailed Water Saci’s reliance on WhatsApp to spread Maverick and a variant of Casbaneiro.
Sophos, in a report published in November 2025, said it is tracking a multi-stage malware distribution campaign codenamed STAC3150 targeting WhatsApp users in Brazil with Astaroth. More than 95% of the impacted devices were located in Brazil, with the remainder, to a lesser extent, in the U.S. and Austria.
The activity, active since at least September 24, 2025, delivers ZIP archives containing a downloader script that retrieves a PowerShell or Python script to collect WhatsApp user data for further propagation, along with an MSI installer that deploys the trojan. The latest findings from Acronis are a continuation of this trend, in which ZIP files distributed via WhatsApp messages act as the jumping-off point for the malware infection.
“When the victim extracts and opens the archive, they encounter a Visual Basic Script disguised as a benign file,” the cybersecurity company said. “Executing this script triggers the download of the next-stage components and marks the beginning of the compromise.”
This includes two modules –
- A Python-based propagation module that gathers the victim’s WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, effectively spreading the malware in a worm-like manner
- A banking module that operates in the background, continuously monitors the victim’s web browsing activity, and activates when banking-related URLs are visited to harvest credentials and enable financial gain
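The infection chain described above starts with a ZIP archive whose only payload is a script file dressed up as a benign document. As an added example (not code from Acronis, Sophos, or the original article), the following Python triage routine inspects an archive in memory and flags members that Windows would hand to a script host, including double-extension lures such as "invoice.pdf.vbs", and archives that contain nothing but such scripts. The extension lists and the sample archives are constructed for the demo and are assumptions, not indicators from the reports.

```python
"""Added example: triage of ZIP attachments for script-host lures.

Not code from the Acronis or Sophos reports. File names, extension lists and
archive contents below are constructed for illustration only.
"""
import io
import zipfile

# Extensions Windows routes to a script host or shell on double-click.
# Assumption: a minimal list; extend it for your own environment.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "ps1", "bat", "cmd", "hta"}
# Extensions typically used as the "benign" half of a double-extension lure.
LURE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def classify_member(name: str) -> dict:
    """Classify one archive member by its extension chain.

    Returns the member name, whether its final extension is a script type,
    and whether it masquerades as a document (e.g. 'comprovante.pdf.vbs').
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    is_script = final_ext in SCRIPT_EXTENSIONS
    masquerade = is_script and len(parts) > 2 and parts[-2] in LURE_EXTENSIONS
    return {"name": name, "script": is_script, "masquerade": masquerade}


def triage_zip(data: bytes) -> dict:
    """Inspect an in-memory ZIP and return a verdict dictionary.

    'suspicious' is True when any member is a script-host file; 'script_only'
    when every regular member is, which matches a lure archive whose sole
    content is the dropper script; 'masquerade' when a double extension is used.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(classify_member(info.filename))
    scripts = [f for f in findings if f["script"]]
    return {
        "members": findings,
        "suspicious": bool(scripts),
        "script_only": bool(findings) and len(scripts) == len(findings),
        "masquerade": any(f["masquerade"] for f in findings),
    }


def build_sample_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: content}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure archive holding one disguised VBS, and a benign one.
LURE_ZIP = build_sample_zip({"Receipt_Payment.pdf.vbs": 'WScript.Echo "demo"\r\n'})
BENIGN_ZIP = build_sample_zip({"report.pdf": "%PDF-1.4 demo\n", "notes/readme.txt": "ok\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        v = triage_zip(blob)
        print(f"{label}: suspicious={v['suspicious']} "
              f"script_only={v['script_only']} masquerade={v['masquerade']}")
```

The check deliberately looks at the extension chain rather than file content, because the lure works through what the Windows shell does on double-click; a content-based scanner (magic bytes, script keywords) is a useful second layer but is not what this example shows.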
“The malware author also implemented a built-in mechanism to track and report propagation metrics in real time,” Acronis said. “The code periodically logs statistics such as the number of messages successfully delivered, the number of failed attempts, and the sending rate measured in messages per minute.”