Astaroth, a long-running Brazilian banking malware, has evolved in a new campaign dubbed Boto Cor-de-Rosa by abusing WhatsApp Web for propagation. The malware harvests the victim’s WhatsApp contact list and automatically sends malicious messages to each contact, spreading itself like a worm. While the main Astaroth payload remains written in Delphi and its installer uses Visual Basic Script, the new WhatsApp worm component is fully implemented in Python, showing increased modularity and multi-language development.
The campaign continues to focus almost exclusively on Brazilian victims, using region-specific lures, local ecosystem knowledge, and culturally familiar communication channels to boost infection success.
The attack chain starts with a WhatsApp message carrying a malicious ZIP file. When opened, it runs a disguised VBScript that downloads additional payloads.
The malware then splits into two modules: one spreads the infection by auto-messaging malicious ZIPs to the victim’s WhatsApp contacts, while the other runs silently to monitor banking activity and steal credentials for financial fraud.
“Propagation module: This component harvests the victim’s WhatsApp contacts and automatically sends each of them a new malicious ZIP file, sustaining a continuous and self‑reinforcing propagation loop,” reads the report published by Acronis. “Banking module: Operating silently in the background, this component monitors the victim’s browsing activity. When banking‑related URLs are accessed, it activates credential‑stealing functionality and other fraudulent behaviors aimed at financial gain.”
The attack relies on an obfuscated VBScript hidden in a malicious WhatsApp ZIP file. Once opened, the script downloads and runs two components: the Astaroth banking malware and a Python-based WhatsApp spreader. Astaroth is installed via an MSI dropper that uses a legitimate AutoIt interpreter and an encoded loader to decrypt and execute the payload, helping it evade detection. The Python module installs its own runtime and enables worm-like spreading through WhatsApp.
“The propagation component is introduced by the initial downloader, which is responsible for installing a bundled copy of Python along with the malicious Python module zapbiu.py, enabling the new WhatsApp-based worming functionality,” continues the report. “Once executed, this module handles the WhatsApp-based spreading mechanism, enabling the malware to harvest contact lists and dispatch new malicious ZIP archives — effectively continuing the infection loop.”
The spreader steals the victim’s contact list and automatically sends infected ZIP files using casual, localized messages in Portuguese, adapted to the time of day. It also tracks delivery statistics in real time and exfiltrates the harvested contacts to a remote server, combining social engineering with automated propagation.
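The chain described above (an archive-delivered VBScript, an MSI dropper that launches a legitimate AutoIt interpreter, and a bundled Python runtime executing zapbiu.py) maps onto a handful of process-creation checks a defender can run over endpoint telemetry. The following is an added example, not code from the Acronis report or from this article: the log records are constructed, and the file names (fatura.zip, loader.a3x), the user-profile paths, and the heuristics themselves (a script host reading a .vbs from a Temp or Downloads path, msiexec.exe spawning an AutoIt binary, a Python interpreter running from the user profile) are assumptions chosen to illustrate the stages the article names, not published indicators.

```python
"""Detection sketch for the WhatsApp-propagated Astaroth chain over process-creation logs.

Added example (not from the report). Records are shaped like Sysmon Event ID 1
fields (parent image, image, command line) but are constructed for this sketch.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image (basename or full path)
    image: str     # full path of the created process
    cmdline: str   # command line of the created process


# Constructed sample telemetry, not real data. Events 1-3 mirror the three stages
# the article describes; events 4-5 are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_fatura.zip\fatura.vbs"'),
    ProcEvent("msiexec.exe", r"C:\Users\ana\AppData\Roaming\svc\AutoIt3.exe",
              r"AutoIt3.exe loader.a3x"),
    ProcEvent("cmd.exe", r"C:\Users\ana\AppData\Local\py\python.exe",
              r"python.exe zapbiu.py"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\Documents\logon_script.vbs"'),
    ProcEvent("explorer.exe", r"C:\Program Files\Python312\python.exe",
              r"python.exe manage.py runserver"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed heuristic: archive viewers and browsers drop extracted files under Temp/Downloads.
TEMP_OR_DOWNLOADS = re.compile(r"\\(temp|downloads)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or of a bare image name)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for every record matching one of the stage heuristics."""
    alerts = []
    for ev in events:
        img = basename(ev.image)
        cmd = ev.cmdline.lower()

        # Stage 1: a script host executing a .vbs that lives in a Temp or Downloads path.
        if img in SCRIPT_HOSTS and ".vbs" in cmd and TEMP_OR_DOWNLOADS.search(cmd):
            alerts.append(("vbs_from_temp_or_downloads", ev))

        # Stage 2: the MSI installer spawning an AutoIt interpreter (substring match on
        # the image name, because the interpreter may be renamed; assumption).
        if basename(ev.parent) == "msiexec.exe" and "autoit" in img:
            alerts.append(("msi_spawned_autoit", ev))

        # Stage 3a: the spreader module named in the report.
        if img.startswith("python") and "zapbiu.py" in cmd:
            alerts.append(("known_spreader_module", ev))

        # Stage 3b: a Python interpreter running from the user profile, consistent with a
        # runtime the malware installed for itself rather than a system-wide install.
        if img.startswith("python") and "\\appdata\\" in ev.image.lower():
            alerts.append(("python_from_user_profile", ev))
    return alerts


def chain_observed(alerts) -> bool:
    """True when all three delivery stages were seen, which is worth a higher-severity case."""
    seen = {rule for rule, _ in alerts}
    return {"vbs_from_temp_or_downloads", "msi_spawned_autoit",
            "known_spreader_module"} <= seen


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, ev in found:
        print(f"{rule:28} {ev.parent} -> {ev.cmdline}")
    print("full chain observed:", chain_observed(found))
```

Each rule is deliberately narrow and noisy in isolation (script hosts and user-profile Python interpreters are common); the value is in the correlation, so `chain_observed` is what would drive escalation while the individual rules feed a lower-severity queue.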
The latest Astaroth campaign shows how banking malware is evolving by mixing credential theft with social engineering and WhatsApp-based propagation to spread faster and exploit user trust.
“This campaign underscores the importance of user vigilance, particularly when receiving unsolicited files through messaging platforms, and highlights the need for organizations to deploy layered defenses that monitor both traditional attack vectors and emerging social-engineering techniques,” concludes the report, which also includes Indicators of Compromise (IoCs). “Astaroth’s integration of messaging-based propagation with financial credential theft represents a concerning trend in malware evolution, illustrating how attackers continue to blend technical innovation with psychological manipulation to maximize their impact.”