
Astaroth Banking Trojan Spreads Via WhatsApp Worm in Brazil

  • Jan 8
  • 2 min read

Key Findings


  • The Astaroth banking Trojan is spreading in Brazil through a WhatsApp worm that automatically sends malicious messages to victims' contacts.

  • A Python-based propagation module harvests the victim's WhatsApp contacts and automatically sends each of them a malicious ZIP archive, so every infected host becomes a new distribution point.

  • A separate banking module operates silently in the background, monitoring the victim's browsing activity and stealing credentials when banking-related URLs are accessed.

  • The campaign, dubbed "Boto Cor-de-Rosa," leverages region-specific lures, local ecosystem knowledge, and culturally familiar communication channels to target Brazilian users.

  • The attack chain starts with a malicious WhatsApp message containing a ZIP file, which, when opened, runs a disguised VBScript that downloads additional payloads.

  • The malware employs various techniques, including obfuscation, legitimate interpreters, and encoded loaders, to evade detection.


Background


Astaroth, also known as Guildma, is a long-running banking malware family that has primarily targeted users in Latin America, particularly in Brazil. The malware has evolved over time; the latest campaign, dubbed "Boto Cor-de-Rosa" (the Portuguese name of the Amazon pink river dolphin), uses a WhatsApp-based worm to spread the Trojan across the country.


Propagation Module


The Python-based propagation component harvests the victim's WhatsApp contact list and sends each contact a freshly packaged malicious ZIP archive. Because every newly infected host repeats the process, the worm keeps spreading through the messaging platform without further operator involvement.
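One way to hunt for the loader stage on an endpoint is to look for the hand-off from a Windows script host to a scripting interpreter. The following is an added example, not code from the original page or from the Acronis report. It assumes a chain in which wscript.exe runs the lure VBScript from a user-writable folder and then launches a Python interpreter dropped into the user profile; the field names mirror Sysmon process-creation events, and all sample events and paths are constructed.

```python
"""Heuristic detection of a script-host -> interpreter loader chain.

Added example; it assumes (not confirmed by the report) that wscript.exe runs the
lure VBScript from a user-writable folder and then starts a dropped python.exe.
"""
import re

# Folders an ordinary user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)


def _base(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons one process-creation event looks like the loader chain."""
    reasons = []
    image, parent = _base(ev["image"]), _base(ev["parent_image"])
    if image in INTERPRETERS and parent in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned by script host {parent}")
    if image in INTERPRETERS and USER_WRITABLE.search(ev["image"]):
        reasons.append(f"{image} running from a user-writable path")
    if image in SCRIPT_HOSTS and SCRIPT_EXT.search(ev["command_line"]) \
            and USER_WRITABLE.search(ev["command_line"]):
        reasons.append(f"{parent} launched {image} on a script in a user-writable path")
    return reasons


def detect(events):
    """Return (pid, reason) pairs for every event that matched at least one heuristic."""
    return [(ev["pid"], reason) for ev in events for reason in score_event(ev)]


# Constructed sample events (not real telemetry); every path here is hypothetical.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"C:\Windows\explorer.exe"},
    {"pid": 1234, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Comprovante\Comprovante.pdf.vbs"'},
    {"pid": 1300, "image": r"C:\Users\ana\AppData\Local\Temp\py\python.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Users\ana\AppData\Local\Temp\py\python.exe" -c "import base64"'},
    # Legitimate baseline: a properly installed interpreter run by the user from Explorer.
    {"pid": 1400, "image": r"C:\Program Files\Python312\python.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Python312\python.exe" C:\Users\ana\Documents\report.py'},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The two alerted processes (the script host on a `.vbs` under Downloads, and the interpreter started by it from AppData) are exactly the pair a SOC would pivot on; the installed-Python baseline event produces no hit, which is what keeps a rule like this usable on developer workstations.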


Banking Module


The banking module runs silently in the background and monitors the victim's browsing activity. When a banking-related URL is visited, it activates its credential-stealing routines and other fraudulent behaviour aimed at financial gain.


Techniques and Obfuscation


The attack chain starts with a WhatsApp message carrying a ZIP archive. Opening the archive executes a VBScript disguised as a benign file, which then downloads the additional payloads. To evade detection, the malware relies on obfuscation, abuse of legitimate interpreters, and encoded loaders.
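A mail or messaging gateway can triage such an archive statically before the user ever opens it. The following is an added example, not code from the original page or from Acronis. It assumes the disguise takes the form of a double extension (for instance a file ending in `.pdf.vbs`) and also checks member content for common VBScript markers so that an unusual extension alone does not defeat the check; the sample archive is constructed in memory.

```python
"""Static triage of a ZIP attachment for a disguised script.

Added example; the double-extension disguise and the marker list are assumptions,
not details taken from the report. The sample archive below is constructed.
"""
import io
import zipfile

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".mp3", ".mp4"}
# Lower-cased substrings that rarely appear outside VBScript / WSH code.
VBS_MARKERS = ("createobject(", "wscript.shell", "wscript.sleep", "execute(", "scripting.filesystemobject")


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like a disguised script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"executable script extension {ext}")
                if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                    reasons.append(f"double extension hiding behind .{parts[-2]}")
            # Right-to-left override and zero-width characters are used to fake extensions.
            if any(c in name for c in ("\u202e", "\u200b", "\u200e")):
                reasons.append("bidi override / zero-width character in file name")
            # Content check: decode the first 4 KiB loosely and look for script markers.
            head = zf.read(info)[:4096].decode("latin-1").lower()
            hits = [m for m in VBS_MARKERS if m in head]
            if hits:
                reasons.append("VBScript markers in content: " + ", ".join(hits))
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive: one disguised script plus two innocuous members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Comprovante.pdf.vbs",
                    'Set sh = CreateObject("WScript.Shell")\r\n'
                    'sh.Run "cmd /c echo placeholder", 0, False\r\n')
        zf.writestr("leiame.txt", "Texto de teste.\r\n")
        zf.writestr("foto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()):
        print(member, "->", "; ".join(why))
```

Only the `.pdf.vbs` member is flagged, on three independent grounds (script extension, decoy double extension, VBScript content). The content check is the part worth keeping even if the name heuristics are tuned down, because the attacker controls the file name but still has to ship something the script host will run.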


Indicators of Compromise (IoCs)


The Acronis report includes a list of Indicators of Compromise (IoCs) for the Boto Cor-de-Rosa campaign, which security analysts and researchers can use to detect and block the threat in their own environments.


Sources


  • https://securityaffairs.com/186685/malware/astaroth-banking-trojan-spreads-in-brazil-via-whatsapp-worm.html

  • https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html

© 2025 by Explain IT Again. Powered and secured by Wix