WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging
These articles are AI-generated summaries. Please check the original sources for full details.
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil
A new campaign, codenamed Boto Cor-de-Rosa by Acronis, uses WhatsApp to distribute the Astaroth banking trojan in Brazil. The malware abuses WhatsApp's auto-messaging feature to propagate: it retrieves the victim's contact list and sends malicious ZIP files to those contacts, impacting over 95% of devices in Brazil as of November 2025, according to Sophos.
Why This Matters
Current security models often rely on user awareness to avoid opening malicious attachments, but automated propagation via trusted communication platforms like WhatsApp bypasses this defense. This is particularly dangerous as Astaroth has been active since 2015, demonstrating a sustained threat and evolving tactics. The potential financial losses from successful credential theft can scale rapidly, making this a significant concern for both individuals and financial institutions.
Key Insights
- Boto Cor-de-Rosa campaign, January 2026: WhatsApp used as a primary distribution vector for Astaroth.
- Multi-language modularity: Astaroth utilizes Delphi, Visual Basic, and now Python, showcasing increasing sophistication in its development.
- STAC3150 campaign, November 2025: Sophos identified a multi-stage distribution campaign targeting WhatsApp users with Astaroth, demonstrating a coordinated effort.
Working Example
# Example Python code snippet (illustrative - actual malware code is obfuscated)
import os
import zipfile

def create_zip_archive(file_to_compress, archive_name):
    """Creates a ZIP archive containing the specified file."""
    with zipfile.ZipFile(archive_name, 'w', zipfile.ZIP_DEFLATED) as zipf:
        # Store only the base name so the archive carries no local directory path.
        zipf.write(file_to_compress, os.path.basename(file_to_compress))

# Example usage (the input file must exist on disk):
file_to_compress = "malicious_script.vbs"
archive_name = "benign_file.zip"
create_zip_archive(file_to_compress, archive_name)
print(f"Created archive: {archive_name}")
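The defensive counterpart to the archive above, added here as an example that is not from the original article or from the Acronis/Sophos reports: a mail or messaging gateway check that inspects a ZIP attachment for script payloads, decoy double extensions (such as a document name ending in .vbs) and encrypted members that hide content from scanners. The extension lists and the sample archive are constructed assumptions, not indicators from the campaign.

```python
import io
import zipfile

# Script, shortcut and executable extensions commonly abused to launch a downloader from an archive.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk",
                    ".cmd", ".bat", ".ps1", ".exe", ".scr"}
# Document/image extensions used as a decoy in double-extension names (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xlsx", ".jpg", ".png"}


def inspect_zip(data: bytes) -> list[str]:
    """Return findings for a ZIP archive given as raw bytes; empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]     # member name without directory
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"script-or-executable member: {name}")
            # e.g. comprovante.pdf.vbs: the visible "pdf" hides the real script extension
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                findings.append(f"double extension (decoy type): {name}")
            if info.flag_bits & 0x1:                  # bit 0 = member is encrypted
                findings.append(f"encrypted member (hidden from content scanning): {name}")
    return findings


def verdict(data: bytes) -> str:
    """Gateway decision for an attachment: block on any finding, otherwise allow."""
    return "block" if inspect_zip(data) else "allow"


def build_sample_zip(with_script: bool = True) -> bytes:
    """Constructed sample archive: a decoy-named VBS beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_script:
            # Placeholder content only; this is not a real script.
            zf.writestr("comprovante.pdf.vbs", "' constructed placeholder\r\n")
        zf.writestr("readme.txt", "harmless text\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_zip(build_sample_zip()):
        print(line)
    print("verdict:", verdict(build_sample_zip()))
```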
Practical Applications
- Financial Institutions: Implement enhanced fraud detection systems to identify and block transactions originating from compromised devices.
- Pitfall: Relying solely on signature-based detection; Astaroth’s modularity allows for rapid code changes to evade detection.