WhatsApp is part of daily life for millions in Brazil, used for everything from chatting with friends and family to handling work tasks. That trust is now being exploited by the Astaroth banking Trojan, in a campaign that researchers at Acronis have dubbed Boto Cor-de-Rosa.
According to the company, "the malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection."
The company further explained how the Trojan attacks work: "While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp-based worm module is implemented entirely in Python, highlighting the threat actors' growing use of multi-language modular components."
First spotted in 2015, Astaroth (also called Guildma) has long targeted Latin American users, especially in Brazil, stealing banking credentials. In 2024, campaigns named PINEAPPLE and Water Makara used phishing emails to trick victims into downloading it.
The attack starts with a ZIP archive sent over WhatsApp. The archive itself does nothing until the victim opens it and runs the script inside; that script then installs two components: one that spreads the malware to the victim's WhatsApp contacts, and another that watches for visits to banking sites and steals the login credentials entered there.
The malware itself mixes old and new parts. The core is still Delphi with a Visual Basic installer, but the WhatsApp-spreading module is new Python code. Splitting the Trojan into separate, language-independent modules lets the operators swap spreading or stealing components in and out as needed rather than rewriting the whole Trojan, which is what makes the approach flexible.
The problem isn’t limited to Brazil. While over 95% of infections appear in the country, small clusters have been spotted in the U.S. and Austria, so the tactic could cross borders if users aren’t careful. Researchers have tracked the campaign since September 2025 and describe a consistent chain: ZIP archives carrying PowerShell or Python scripts, which in turn run MSI installers that deploy the Trojan.
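The chain described above (archive delivered over chat, script run from the extracted folder, MSI install at the end) is visible in ordinary process-creation telemetry such as Sysmon Event ID 1 or an EDR's process log. The following is an added example, not code from the article or from Acronis, that walks the parent chain of every msiexec.exe back to a script host whose command line points into a temp or download folder. The event fields, the staging-folder hints, and every path and process ID in the sample are constructed for the demo.

```python
"""Added example (not the article's or Acronis' code): flag a script
launched from a ZIP extracted under a temp or download folder that ends
in an MSI install, using process-creation events like those Sysmon
(Event ID 1) or an EDR records.

Assumptions: the event fields (pid, ppid, image, cmdline), the folder
hints, and every path and process ID below are constructed for the demo.
"""
from dataclasses import dataclass

# Script hosts the article names (PowerShell, Python) plus the Windows
# Script Host that runs Visual Basic script, which the installer uses.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "python.exe", "pythonw.exe",
}
INSTALLER = "msiexec.exe"

# Folders where chat attachments land or where Explorer extracts a ZIP
# (assumption; tune to the environment).
STAGING_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\whatsapp\\")

# Parent hops to walk back from msiexec (script -> PowerShell -> msiexec is 2).
MAX_DEPTH = 4


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_staged_script_host(ev: ProcEvent) -> bool:
    """A script host whose command line points into a staging folder."""
    return (basename(ev.image) in SCRIPT_HOSTS
            and any(h in ev.cmdline.lower() for h in STAGING_HINTS))


def find_suspicious_chains(events):
    """Return (script_host_pid, msiexec_pid) for every msiexec whose
    ancestry (up to MAX_DEPTH hops) contains a staged script host."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev.image) != INSTALLER:
            continue
        parent = by_pid.get(ev.ppid)
        for _ in range(MAX_DEPTH):
            if parent is None:
                break
            if is_staged_script_host(parent):
                hits.append((parent.pid, ev.pid))
                break
            parent = by_pid.get(parent.ppid)
    return hits


# Constructed sample: one malicious chain, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Victim double-clicks the .vbs inside the ZIP; Explorer extracts to Temp1_*.
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\AppData\Local\Temp\Temp1_fotos.zip\fotos.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command Start-Process msiexec.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\pkg.msi /qn"),
    # Benign: user installs an MSI straight from Explorer, no script host.
    ProcEvent(500, 100, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\ana\Downloads\setup.msi"'),
    # Benign: admin PowerShell from Program Files runs a deployment script.
    ProcEvent(600, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Program Files\Corp\deploy.ps1"'),
    ProcEvent(700, 600, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\ProgramData\Corp\agent.msi /qn"),
]


def run_demo():
    """Run the detector over the constructed sample; only pid 400 should hit."""
    return find_suspicious_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host_pid, msi_pid in run_demo():
        print(f"suspicious chain: script host pid {host_pid} -> msiexec pid {msi_pid}")
```

Walking several hops matters because the script that the victim runs is rarely the direct parent of msiexec; in the sample the Visual Basic script hands off to PowerShell first, as the article's description of a script stage followed by an MSI stage implies. The two benign chains show the two false-positive sources the rule avoids: an MSI launched straight from Explorer, and an administrative script that lives outside any staging folder.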
This method reflects a larger trend: attackers are moving to widely used messaging apps because attachments sent there never pass through an organization's email security gateway. WhatsApp’s popularity gives malware an easy path to multiply, turning one compromised account into dozens, potentially hundreds, of new infections.
This trend is not isolated. Sorvepotel, another malware campaign just months before Astaroth, also targeted Brazil via WhatsApp. It hijacked active WhatsApp Web sessions to send malicious ZIP files to a victim’s contacts autonomously, using the Selenium browser automation tool to mimic human behaviour. Sorvepotel distributed the Maverick banking Trojan and other info-stealers aimed at Brazilian financial institutions and crypto exchanges, highlighting how attackers are experimenting with automated, platform-specific approaches.
For users, the takeaway is clear. A file that arrives over WhatsApp deserves caution even when it comes from a friend, because that friend's account may already be compromised; that is precisely how this worm spreads. A ZIP that contains a script file rather than an ordinary document is the warning sign to stop. The campaign underscores that malware isn’t just about clever code anymore; it’s about exploiting trust in everyday apps. Awareness and vigilance matter as much as antivirus protection, because ignoring either puts not just your accounts but your contacts at risk.
