Full Report
Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil. The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit. "The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further
Analysis Summary
# Incident Report: Boto Cor-de-Rosa Campaign Spreading Astaroth Banking Trojan via WhatsApp
## Executive Summary
Cybersecurity researchers have uncovered the "Boto Cor-de-Rosa" campaign, which leverages WhatsApp as a primary infection vector to distribute the Astaroth banking trojan against targets primarily in Brazil. The malware employs a worm-like mechanism in Python to self-propagate by accessing and messaging the victim's contact list after initial execution via malicious ZIP archives. The impact is primarily financial data theft against users in Latin America.
## Incident Details
- Discovery Date: January 8, 2026 (Date of disclosure by Acronis)
- Incident Date: Active since at least September 24, 2025
- Affected Organization: Individual end-users/customers of financial institutions (No specific organizational compromise disclosed)
- Sector: Financial Services (Targeted impact), Technology (Distribution vector)
- Geography: Brazil (Over 95% impacted), USA, Austria
## Timeline of Events
### Initial Access
- Date/Time: Active since approximately September 24, 2025
- Vector: Malicious ZIP archives distributed via WhatsApp messages.
- Details: The initial ZIP archive contains a Visual Basic Script (VBS) disguised as a benign file. Executing this script triggers the download of next-stage components.
### Lateral Movement
- Date/Time: Immediately following successful execution of the VBS.
- Vector: Python-based propagation module acting as a worm.
- Details: The malware collects the victim's WhatsApp contacts and automatically sends the malicious ZIP file payload to every contact, ensuring rapid spread.
### Data Exfiltration/Impact
- Date/Time: Upon visiting financial URLs.
- Vector: Banking module monitoring web activity.
- Details: The banking module harvests credentials when the victim browses banking-related URLs. The malware also tracks and reports propagation metrics in real-time.
### Detection & Response
- Date/Time: Disclosed on January 8, 2026, by Acronis Threat Research Unit.
- Details: Detection was based on analysis of the novel Astaroth variant exhibiting multi-language components (Python worm module) and WhatsApp distribution. Response information (containment/eradication) is not provided in the source as this is a research disclosure.
## Attack Methodology
- Initial Access: Execution of a VBS from a ZIP file delivered via WhatsApp message.
- Persistence: Not explicitly detailed in the source; banking trojans of this class typically establish persistence so that the host stays monitored across reboots.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: The mechanism relies on social engineering (WhatsApp) and file disguise (VBS disguised as benign file). The core payload is written in Delphi, with the worm module in Python, demonstrating modularity.
- Credential Access: Keylogging or session hijacking when banking-related URLs are visited.
- Discovery: Monitoring web browsing activity for specific financial domains.
- Lateral Movement: Automated sending of malicious ZIPs to all WhatsApp contacts using a Python script.
- Collection: Harvesting account credentials being entered on banking websites.
- Exfiltration: Mechanism for sending stolen data back to the threat actor (not detailed, but implied for financial gain).
- Impact: Financial loss due to credential theft.
## Impact Assessment
- Financial: High potential financial damage due to banking credential theft.
- Data Breach: Sensitive financial login credentials for victims, particularly in Brazil.
- Operational: N/A (Impact is on individual users, not enterprise operations).
- Reputational: Potential reputational damage to financial institutions targeted, and general loss of trust in WhatsApp security.
## Indicators of Compromise
- File indicators: MSI installer for trojan deployment; ZIP archives containing downloader scripts (VBS, PowerShell, or Python).
- Behavioral indicators: Automatic sending of messages/files via WhatsApp using a Python script after infection; network activity monitoring browsing to banking URLs.
## Response Actions
(Note: The article describes a research disclosure, not an active enterprise IR engagement. General required actions are inferred.)
- Containment measures: Disconnecting affected machines from the network; blocking known malware hashes/signatures at network perimeter.
- Eradication steps: Deleting initial VBS, Python, and MSI components; removing residual persistence mechanisms.
- Recovery actions: Resetting all potentially compromised banking credentials; restoring user data/configurations if necessary.
## Lessons Learned
- Social engineering through popular messaging apps like WhatsApp is a highly effective current vector for malware distribution, especially in regions where adoption is high (like Brazil).
- Threat actors are increasingly adopting modular, multi-language components (Delphi core, Python worm) to enhance functionality and evade detection.
- Real-time propagation tracking is being integrated into malware to optimize worm-like spread.
## Recommendations
- Increase user awareness training specifically covering unsolicited financial requests or suspicious attachments received via WhatsApp.
- Implement gateway scanning/filtering for common archive types (ZIP) originating from external sources, even if they appear to come from known contacts, especially if they contain suspicious scripts (VBS/PowerShell).
- Financial institutions should alert customers to Astaroth and similar threats, encouraging multi-factor authentication (MFA) on all banking portals so that credentials captured while being typed are not sufficient on their own to log in.
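A defender-side check for the ZIP file indicators listed above (downloader scripts in VBS, PowerShell or Python, including a VBS disguised as a benign document) and for the gateway archive filtering recommended here. This is an added example, not code from the Acronis research or the article; the archive it scans is constructed in memory with placeholder names and contains no real payload.

```python
import io
import zipfile
from typing import List, Tuple

# Script extensions for the downloader types the report names (VBS, PowerShell, Python) plus common Windows wrappers.
SCRIPT_EXTENSIONS = {".vbs", ".ps1", ".py", ".pyw", ".js", ".wsf", ".bat", ".cmd"}

def classify_entry(name: str) -> Tuple[bool, str]:
    """Return (suspicious, reason) for one member name; a double extension such as
    'comprovante.pdf.vbs' (script disguised as a document) is called out separately."""
    if name.endswith("/"):
        return False, "directory"
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return False, "not a script"
    if len(parts) >= 3:
        return True, f"script {ext} with disguised double extension"
    return True, f"script {ext}"

def scan_zip(data: bytes, max_depth: int = 2) -> List[Tuple[str, str]]:
    """List suspicious members of a ZIP, descending into nested ZIPs up to max_depth."""
    findings: List[Tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP")]
    for info in zf.infolist():
        suspicious, reason = classify_entry(info.filename)
        if suspicious:
            findings.append((info.filename, reason))
        elif info.filename.lower().endswith(".zip") and max_depth > 0:
            # Nested archive: open it in memory so zip-in-zip lures are not missed.
            for inner, why in scan_zip(zf.read(info), max_depth - 1):
                findings.append((f"{info.filename}/{inner}", why))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample (not a real artifact): double-extension VBS, benign image, nested ZIP with .ps1."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.ps1", "Write-Host 'placeholder'")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("comprovante.pdf.vbs", "' placeholder, no real payload")
        z.writestr("foto.jpg", b"\xff\xd8\xff\xe0")
        z.writestr("anexo.zip", inner.getvalue())
    return outer.getvalue()
```

Running `scan_zip(build_sample_archive())` flags the disguised VBS and the PowerShell script inside the nested archive while leaving the image alone; at a gateway the same call would run over each attachment before delivery.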