Brazil's cyber threat landscape is once again under scrutiny after a new and more aggressive distribution campaign involving Astaroth, a long-standing banking trojan known for targeting financial users in the country.
Astaroth's latest operation, tracked internally as Boto Cor-de-Rosa, marks a major shift in its propagation strategy by incorporating WhatsApp Web into the infection chain.
A malicious script in this campaign harvests the victim's WhatsApp contact list and autonomously sends malicious messages to those contacts, turning the compromised WhatsApp account into a self-propagating infection vector.
Analysts view Boto Cor-de-Rosa as a clear sign of a sharp rise in both technical sophistication and social engineering precision: it pairs rapid self-propagation with Astaroth's longstanding ability to steal banking credentials.
At the heart of the campaign is a dual-purpose architecture that lets the malware spread autonomously while monitoring the victim's online activity. The spreading side sends malicious messages over WhatsApp in natural, culturally familiar Portuguese, capitalizing on the trust users place in communications from people they know.
The banking module, meanwhile, installs discreetly in the background, tracks the victim's browser sessions, and activates only when the victim visits a financial institution or payment service website, where it attempts to intercept sensitive information such as usernames and passwords.
Researchers stress that the fusion of worm-like distribution and financial espionage raises the risk to Brazilian banking customers on two fronts: a heightened threat of infection and the precision data theft that follows.
The campaign's effectiveness is further enhanced by its very narrow geographic focus, with lures tailored exclusively for Brazilian users and dynamically adjusted to local time zones using greetings such as "Bom dia" and "Good afternoon".
This level of cultural customization, combined with WhatsApp's standing as a deeply trusted and widely used communication channel in Brazil, significantly lowers user suspicion and drives infection success rates above those of conventional email-based phishing campaigns.
Boto Cor-de-Rosa is also an important evolutionary step for Astaroth from a technical standpoint, introducing a Python-based WhatsApp worm alongside the trojan's established Delphi core.
Analysts read the move away from a traditional delivery vector built on a technical flaw, toward a modular, multilingual design, as a deliberate choice by the operators to gain flexibility, evade detection, and decouple credential theft from propagation.
Rather than relying on traditional delivery vectors, the operators are building relationship-driven attacks that exploit human trust instead of technical weaknesses.
Although Astaroth's primary payload is still written in Delphi and its installer in Visual Basic scripting, the newly introduced WhatsApp worm component is written in Python, highlighting the operators' growing reliance on modular, multi-lingual development.
By leveraging region-specific social engineering lures, intimate knowledge of the local network ecosystem, and widely trusted communication platforms, Astaroth maximizes its reach and sustains high infection rates throughout the campaign.
Astaroth, also known as Guildma, was first identified nearly a decade ago and has maintained a persistent presence in the cybercrime ecosystem since 2015, becoming one of the most prominent banking trojans targeting Latin America, primarily Brazil.
Historically distributed through large-scale phishing campaigns, the malware has in recent years been tied to two distinct threat clusters, tracked as PINEAPPLE and Water Makara, both of which use deceptive email lures against organizations to start the infection chain.
A growing number of threat actors are forgoing traditional delivery methods in favor of WhatsApp as a propagation channel, a tactic that lends itself to mass adoption among Brazilian users given WhatsApp's near-ubiquitous status in the country.
The security industry has documented numerous instances of this technique, for example Water Saci's use of WhatsApp to disseminate the Maverick trojan and a modified variant of Casbaneiro.
In November 2025, Sophos published a report describing a multi-stage campaign, tracked as STAC3150, that distributed Astaroth through WhatsApp messages, with the majority of infections reported in Brazil.
A smaller share of confirmed infections, about 9 percent, was reported in the United States and Austria.
The operation has been active since at least late September 2025, distributing ZIP archives that contain downloader components which retrieve PowerShell- or Python-based scripts that harvest WhatsApp user data to spread onward, alongside MSI installers carrying the banking trojan itself.
The latest Acronis findings indicate that this technique has not fallen out of use in active spam campaigns: malicious ZIP files sent via WhatsApp remain the primary vector for the dissemination of Astaroth.
According to Acronis, the effectiveness of a campaign such as Astaroth rests primarily on a functional split that delivers both maximum reach and maximum financial return on the investment.
Infection begins as soon as a victim executes a malicious ZIP file delivered via WhatsApp. The malware then deploys two distinct components: one for propagation, which drives continued spread, and another for credential theft.
The propagation component harvests the victim's WhatsApp contact list and automatically distributes new malicious ZIP archives to each contact, creating a persistent, self-sustaining infection loop.
In parallel, the banking component remains dormant in the background, silently monitoring browsing activity. When the user visits a banking or financial service website, the malware activates, capturing credentials and facilitating fraudulent transactions.
Technically, the attack relies on an obfuscated Visual Basic script concealed within the ZIP archive, which serves as the initial downloader.
This script retrieves and executes both the Astaroth banking trojan and a Python-based WhatsApp spreader.
The trojan itself is installed via an MSI dropper that uses an AutoIt interpreter and a loader to decrypt and run the payload, a method meant to blend malicious activity with trusted tools and so avoid detection.
The Python module installed during this process enables the worm-like propagation of the malware through WhatsApp.
It autonomously sends localized, time-sensitive messages in Portuguese to the stolen contacts, tracking delivery metrics and exfiltrating contact information to a remote server.
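As an added illustration of the detection side (not code from the article or from any of the vendors it cites), the following Python scans process-creation events for the execution chain described above: a script host running a .vbs from a user-writable download or temp folder that then spawns an MSI dropper, an AutoIt interpreter, or a Python or PowerShell spreader. The events, user names, paths and file names are constructed for the example, and the user-writable path hints are an assumption.

```python
"""Heuristic detection of the Boto Cor-de-Rosa execution chain: a VBS downloader
(run by wscript/cscript from a user-writable folder) that spawns an MSI dropper,
an AutoIt interpreter or a Python/PowerShell spreader. Events below are constructed."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Child images the reporting associates with the chain: MSI dropper, AutoIt,
# Python spreader, and PowerShell as the alternative spreader
SUSPICIOUS_CHILDREN = {"msiexec.exe", "autoit3.exe", "python.exe", "pythonw.exe", "powershell.exe"}
# Path fragments typical of an archive extracted from a messaging download (assumption)
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

# Constructed process-creation events (pid, ppid, image, command line); not real telemetry
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\ana\\Downloads\\comprovante\\comprovante.vbs"'},
    {"pid": 102, "ppid": 101, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\ana\\AppData\\Local\\Temp\\setup.msi /qn"},
    {"pid": 103, "ppid": 101, "image": "python.exe",
     "cmdline": "python.exe C:\\Users\\ana\\AppData\\Local\\Temp\\spread.py"},
    # Benign control: a logon script from a non-user-writable location spawning notepad
    {"pid": 200, "ppid": 100, "image": "wscript.exe", "cmdline": "wscript.exe C:\\Scripts\\logon.vbs"},
    {"pid": 201, "ppid": 200, "image": "notepad.exe", "cmdline": "notepad.exe"},
]


def detect_chain(events):
    """Return one alert per script-host process that (a) runs a .vbs from a
    user-writable location and (b) has at least one dropper/interpreter child."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        cmd = e["cmdline"].lower()
        if ".vbs" not in cmd or not any(h in cmd for h in USER_WRITABLE_HINTS):
            continue
        bad = sorted(c["image"].lower() for c in children[e["pid"]]
                     if c["image"].lower() in SUSPICIOUS_CHILDREN)
        if bad:
            alerts.append({"pid": e["pid"], "script": e["cmdline"], "children": bad})
    return alerts


if __name__ == "__main__":
    for a in detect_chain(EVENTS):
        print(f"ALERT pid={a['pid']} script={a['script']} spawned={', '.join(a['children'])}")
```

Only the first wscript.exe process is flagged; the logon script outside a user-writable folder, which spawns only notepad, passes both checks and produces no alert.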
As researchers note, this campaign shows how modern banking malware increasingly combines stealthy credential theft with automated social engineering on trusted messaging platforms, speeding up distribution by exploiting users' trust.
The Boto Cor-de-Rosa campaign illustrates a wider shift in the threat landscape: cybercriminals are placing far more emphasis on social trust and platform familiarity than on purely technical exploits to gain access to targets.
Embedding malicious activity inside everyday communication channels lets campaigns like Astaroth blur the line between routine digital interactions and active threats, making them harder for users and organizations to detect and prevent.
To protect themselves from identity theft, Brazilian consumers are advised to be very cautious about unsolicited files or links, even when they appear to come from a known contact.
They should also be wary of compressed attachments sent over instant messaging platforms.
Financial institutions and large enterprises, meanwhile, are advised to expand user awareness programs and behavioral monitoring, and to invest in threat detection strategies that account for message-based malware delivery mechanisms.
As attackers develop modular, multi-lingual malware frameworks and exploit trusted ecosystems at mass scale, coordination among cybersecurity vendors, platform providers, and end users will be critical to limiting the reach and impact of such campaigns in the future.
In the context of the Astaroth operation, the most effective defenses depend not only on technical controls but also on vigilance, education, and an understanding of how modern threats adapt to human behavior and how to stop them.