Urgent Alert for WhatsApp Users: The Rise of Boto Cor-de-Rosa – A New Astaroth Malware Threat Spreading via Chats
In the ever-evolving landscape of cyber threats, the Acronis Threat Research Unit has uncovered a sophisticated campaign dubbed “Boto Cor-de-Rosa,” which marks a significant evolution in the Astaroth banking malware (also known as Guildma). Primarily targeting Brazilian users, this operation leverages WhatsApp as a propagation vector, blending traditional credential-stealing tactics with innovative social engineering. The malware, written in Delphi with Visual Basic scripts for installation, now includes a Python-based module that automates the spread through WhatsApp Web, harvesting contact lists and sending malicious ZIP files disguised as benign attachments. This approach exploits the cultural familiarity of WhatsApp in Brazil, using casual Portuguese messages to build trust and encourage victims to open the files.
How the Worm Spreads: A Detailed Infection Chain
The infection begins when a victim receives a seemingly innocuous ZIP file via WhatsApp, typically named with a random string of digits and hexadecimal characters. Upon extraction, an obfuscated VBS script downloads additional components, including an MSI installer that deploys the core payload to a disguised directory. The Python spreader, zapbiu.py, then takes over, installing Python if needed and scanning the victim’s WhatsApp contacts. It crafts personalized messages with time-based greetings like “Bom dia” or “Boa noite” to mimic natural conversations, attaching new malicious ZIPs and tracking metrics such as sent messages and failures. Meanwhile, a parallel banking module monitors browser activity and activates to steal credentials when banking sites are visited, creating a self-sustaining worm that rapidly amplifies its reach across victims’ contact networks.
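The chain above (VBS dropper, MSI hand-off, Python spreader named zapbiu.py) is visible in ordinary process-creation telemetry. The following hunt script is an added example, not code from the report or from Acronis; it assumes the VBS runs under a standard Windows script host (wscript.exe or cscript.exe) and that the EDR logs pid, ppid, image path and command line, and it runs over constructed sample events rather than real logs.

```python
"""Hunt for the Boto Cor-de-Rosa infection chain in process-creation telemetry."""
import re
from typing import Dict, List

# Assumption: the VBS dropper executes under a standard Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable folders where an extracted ZIP attachment typically lands.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.I)

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events: List[Dict]) -> List[str]:
    """Return one finding per suspicious event. Each event is a dict with
    pid, ppid, image (full path) and cmdline, as a generic EDR would log."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # Stage 1: a VBS run from a user-writable folder (ZIP extracted by the victim).
        if img in SCRIPT_HOSTS and ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
            findings.append(f"pid {e['pid']}: VBS dropper launched from user-writable path")
        # Stage 2: the dropper hands off to msiexec to install the core payload.
        if img == "msiexec.exe" and pimg in SCRIPT_HOSTS:
            findings.append(f"pid {e['pid']}: msiexec spawned by {pimg} (VBS -> MSI hand-off)")
        # Stage 3: the Python spreader module named in the report.
        if img.startswith("python") and "zapbiu.py" in cmd.lower():
            findings.append(f"pid {e['pid']}: Python spreader zapbiu.py executed")
    return findings

# Constructed sample telemetry (not real logs): one full chain plus benign noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\3f9a1c\7a2b91.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\setup.msi /qn"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
     "cmdline": r"python.exe C:\Users\ana\AppData\Local\Temp\zapbiu.py"},
    # Benign: an installer launched by the user from Explorer, not by a script host.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Program Files\Vendor\update.msi"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each stage is reported independently, so a partially blocked chain (for example, the MSI install failing) still surfaces the earlier stages.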


Implications and Defenses – Critical Alert for WhatsApp Users in Brazil and Beyond
This campaign underscores a troubling trend where cybercriminals fuse technical prowess with psychological manipulation, making detection harder in trust-based platforms like messaging apps. WhatsApp users, especially in Brazil, should be on high alert: avoid clicking on or opening unsolicited ZIP files or attachments from contacts, even if the message appears friendly or familiar; verify the sender directly if something seems off. Acronis emphasizes the need for layered security solutions like their EDR/XDR tools, which effectively block such threats, alongside general vigilance such as enabling two-factor authentication and keeping apps updated. As Astaroth continues to adapt, organizations and individuals must prioritize monitoring for indicators of compromise, including specific file hashes and domains, to mitigate the risks of data theft and widespread infection.
