Hacking

Astaroth Banking Trojan Spreads via WhatsApp in Brazil

Published  ·  4 min read

Researchers in cybersecurity have discovered a new campaign involving malware that uses WhatsApp as an avenue for spreading the Astaroth banking trojan (a long-time existing piece of malware) with a focus on users in Brazil. The Boto Cor de Rosa operation (as tracked by the Acronis Threat Research Unit) reflects a major change in strategy regarding how this group delivers malware to victims, as the group is now relying on peer-to-peer (automated) and trusted third-party delivery methods (WhatsApp), shifting from traditional email phishing campaigns to new technologies.

According to Acronis, the Early-stage banking trojan memory-ranked (aka Guildma) was first seen about 2015 and has primarily operated in South America, focusing heavily on Brazil. The primary functionality of the trojan is to monitor web browsing activity (by using trojan-based key-loggers) in order to identify when victims visit a banking site (or an electronic payment provider). Once a trojan detects that a user is accessing a digital bank or checking account (or an electronic payment provider), the trojan's malicious routines are initiated.

In the first quarter of 2024, several campaigns related to two different clusters (PINEAPPLE and Water Makara) that both utilized phishing emails for their distribution methods were made available to the public. The attack conducted against victims was labelled as Boto Cor de Rosa, and it represented a significant operational change for this actor in that it took advantage of WhatsApp's vast usage across Brazil to greatly increase their ability to infect more systems.

Astaroth's main payload is written in Delphi with an installer program built using Visual Basic script. Recently, researchers found a new propagation module created with Python that allows for abuse of WhatsApp. The ability of threat actors to quickly create new features for Astaroth is due to its modular architecture and multi-language support, while still being able to integrate with existing components of the malware.

How It Works
The initial part of the attack occurs when a ZIP file containing malicious files is received via WhatsApp. After the ZIP file is extracted, victims will see a VBScript file disguised as a harmless document. When the victim double-clicks the VBScript file, the infection process begins, which involves: downloading the next stage of payloads; gathering information about the victim's WhatsApp account; and sending the victim the banking trojan.

The operation has similarities to a previous operation tracked by Sophos (STAC3150), which was also started in September 2025 and where over 95% of infections were within Brazil, with little spillover into the U.S. or Austria.

Acronis' recent report found the following two basic malware components:

1. Propagation Module (Python): This module steals all of a victim's WhatsApp contact information, allowing for automatic distribution of the infected ZIP file to those contacts, which then enables the rapid lateral movement of the malware.

2. Banking Module: This module runs in the background and is responsible for tracking users' browsing activity. Specifically, it will monitor users' interactions with financial pages to steal their login credentials or provide fraudulent activity.

Additionally, this malware contains the code to gather telemetry and reports on the effectiveness of its propagation. This includes the number of successful deliveries, the volume of messages sent and other factors based upon real-time statistics.

Acronis' investigation of this malware shows that it has become an increasing trend for certain cybercriminal organizations operating in South America, an increasing trend where they are using trusted communication channels (such as WhatsApp) in order to circumvent suspicion by the end-user and circumvent standard security measures.

Since WhatsApp is such an important form of communication, both personally and professionally, it becomes problematic for all of those individuals and organizations defending against these new types of socially dependent threats due to this exploitation of trusted channels and validated participants versus traditional bulk spam.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067