
    Astaroth banking malware returns with WhatsApp-based worm targeting Brazil

    A new report out today from cybersecurity and data protection company Acronis International GmbH details a newly identified campaign linked to the long-running Astaroth banking malware that’s weaponizing WhatsApp as an automated infection vector aimed at Brazilian users.

    Dubbed “Boto-Cor-de-Rosa,” the new campaign adds a WhatsApp web-based worm that lets the malware spread itself through a victim’s WhatsApp contacts, whereas previous Astaroth campaigns relied solely on email or malicious websites.

    The campaign begins with a victim receiving a WhatsApp message containing a ZIP archive with an innocuous-looking but randomly generated filename. The ZIP archive is a trap: hidden within it is a heavily obfuscated Visual Basic script that downloads and launches the core Astaroth banking payload and a newly developed Python-based propagation module.
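As an added example (not code from the Acronis report or this article), the following defender-side check inspects a chat-delivered ZIP attachment in memory for the delivery pattern described above: a random-looking archive name wrapping a script file such as the VBScript loader. The extension list, the name heuristic and the constructed sample archive are assumptions for illustration.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Script types that should not arrive as a chat attachment from a contact.
# Includes the .vbs loader the report describes plus common script siblings (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# Heuristic (assumption): a machine-generated name is a run of letters and digits with no
# separators, at least 8 characters long, mixing both letters and digits.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8,}$", re.IGNORECASE)


def inspect_zip_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return a verdict for a ZIP attachment without writing anything to disk."""
    findings: List[str] = []
    stem = filename.rsplit(".", 1)[0]
    if filename.lower().endswith(".zip") and RANDOM_STEM.match(stem):
        findings.append("random-looking archive name")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            for member in members:
                ext = member[member.rfind("."):].lower() if "." in member else ""
                if ext in SCRIPT_EXTENSIONS:
                    findings.append(f"script inside archive: {member}")
            # A one-member archive whose only file is a script matches the loader pattern.
            if len(members) == 1 and any(f.startswith("script inside") for f in findings):
                findings.append("single-script archive")
    except zipfile.BadZipFile:
        findings.append("corrupt or non-ZIP data")
    return {"filename": filename, "suspicious": bool(findings), "findings": findings}


def build_sample_attachment(name: str = "k3jd92hsla.zip",
                            member: str = "documento.vbs") -> Tuple[str, bytes]:
    """Constructed sample (not real malware): a ZIP holding one placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, "' placeholder body, constructed for the example\n")
    return name, buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(*build_sample_attachment()))
```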

    Once active, the malware splits into two paths. One component quietly monitors the victim’s browsing activity and activates credential-stealing routines when it detects visits to banking websites, while the other component — the WhatsApp module — harvests the victim’s contact list and automatically sends malicious ZIP files to each contact. In doing so, it creates a self-sustaining infection loop that expands the campaign’s reach without additional infrastructure.

    Though the Boto-Cor-de-Rosa campaign may be targeting users in Brazil, the implications are broader. Acronis argues that it highlights a growing trend toward multilanguage malware frameworks: while Astaroth’s main payload remains written in Delphi and deployed via an MSI installer that uses AutoIt to evade static detection, the WhatsApp worm is implemented entirely in Python.

    The campaign is notable for its attention to social engineering detail, with the WhatsApp messages written in casual, familiar Portuguese that translates as “Here is the requested file. If you have any questions, I’m available!”

    The malware also dynamically selects time-of-day greetings such as good morning, good afternoon or good evening, making the messages appear more natural and increasing the likelihood that recipients will open the attachment.

    “The latest Astaroth campaign demonstrates the continued evolution of banking malware, combining traditional credential-stealing techniques with sophisticated social engineering and multiplatform propagation,” explains the report. “By leveraging WhatsApp as a distribution channel, the malware not only accelerates its spread but also exploits trust-based communication patterns to increase the likelihood of victim interaction.”

    Image: SiliconANGLE/Ideogram
