Malware | January 17, 2026 | 4 min read

Astaroth Banking Trojan Spreads via WhatsApp Worm in Brazil

New Boto Cor-de-Rosa campaign uses Python-based worm module to auto-send malware through victims' WhatsApp contacts.

James Rivera

Astaroth, the Delphi-based banking trojan that's plagued Brazilian users since 2015, has gained a new trick: self-propagation through WhatsApp. Researchers at Acronis Threat Research Unit have identified a campaign they're calling Boto Cor-de-Rosa that automatically spreads malicious ZIP files to every contact in a victim's address book.

Over 95% of infections hit Brazil, with scattered cases in the United States and Austria.

How the Worm Spreads

The attack begins with a WhatsApp message containing a ZIP archive with a randomly generated filename. Inside is a heavily obfuscated Visual Basic script that, when executed, downloads both the core Astaroth payload and a newly developed Python-based propagation module.

The malware then splits into two parallel operations. One component monitors browsing activity and activates credential-stealing routines when it detects visits to banking websites. The other harvests the victim's WhatsApp contact list and fires off malicious ZIP files to each entry.

What makes the social engineering effective is attention to detail. The Python module checks the victim's system time to select an appropriate Portuguese greeting—"Bom dia" (Good morning), "Boa tarde" (Good afternoon), or "Boa noite" (Good evening). The message includes a line that translates to: "Here is the requested file. If you have any questions, I'm available!"

Coming from a known contact with a contextually appropriate greeting, many recipients trust the message.

Why Python?

The core Astaroth payload remains written in Delphi, and the installer still relies on Visual Basic. But the WhatsApp worm module is implemented entirely in Python, suggesting the threat actors are expanding their technical toolkit.

This multilanguage, modular approach allows attackers to update specific components without rebuilding the entire package. It also complicates attribution and analysis—defenders now need expertise across multiple languages to fully reverse-engineer the malware.

Astaroth's Evolution

Astaroth (also known as Guildma) has continually adapted since its first appearance more than a decade ago. In February 2025, researchers documented a variant capable of bypassing two-factor authentication to steal Gmail and Microsoft logins. By October 2025, the malware was abusing GitHub to hide backup configuration files inside images.

The WhatsApp propagation represents another leap. Previous versions required active distribution through phishing campaigns. Now the malware spreads itself, creating a self-sustaining infection loop whose lure delivery no longer depends on attacker-run phishing infrastructure. The second stage still does: the VBS dropper has to reach the attackers' servers to fetch the Astaroth payload and the Python worm module, so blocking that download breaks the loop even when a victim runs the script.

Tracking the Campaign

Acronis first identified Boto Cor-de-Rosa in January 2026. Related activity tracked as STAC3150 by Sophos was observed as early as September 2025, delivering archive attachments with downloader scripts that retrieve multiple second-stage payloads.

The threat clusters PINEAPPLE and Water Makara have also been linked to previous Astaroth operations, though definitive attribution for the WhatsApp variant remains unclear.

Defensive Recommendations

  1. Treat unexpected file attachments with suspicion - Even from known contacts, unexpected ZIP files warrant verification through a separate channel
  2. Monitor for unusual WhatsApp Web activity - The worm operates through the web interface; unusual automation patterns may indicate compromise
  3. Keep antivirus updated - Major vendors have signatures for known Astaroth variants
  4. Watch for VBS execution - Flag or block Visual Basic scripts running outside expected contexts. In practice that means alerting on wscript.exe or cscript.exe launching a .vbs/.vbe/.wsf from Downloads, Temp or an archive-extraction folder, especially when the parent is explorer.exe or an archiver GUI; where no business process needs it, disable Windows Script Host outright via the HKLM\Software\Microsoft\Windows Script Host\Settings\Enabled registry value set to 0

For organizations with Brazilian operations or employees, this campaign deserves particular attention. The malware fundamentals guide covers baseline protections, but messaging app-based threats require additional user awareness training.

Why This Matters

Messaging platform abuse isn't new—attackers have long used social networks and chat apps to spread malware. But Astaroth's automated approach removes the human bottleneck from distribution. Each infection generates new distribution points, potentially creating exponential growth.

For WhatsApp's user base of over two billion people, this represents a meaningful escalation in risk. The platform's end-to-end encryption, designed to protect privacy, also prevents network-level scanning that might catch these payloads in transit. Detection has to happen at the endpoint.
