WhatsApp Worm Distributes Astaroth Banking Malware
Cybersecurity experts have identified a new scheme in which attackers use WhatsApp to distribute a Windows banking virus called Astaroth, primarily targeting users in Brazil. The scheme, dubbed Boto Cor-de-Rosa by the Acronis Threat Research Unit, has the virus read a victim's WhatsApp contacts and send them malicious messages, thereby propagating the infection. Astaroth, also known as Guildma, has been active since 2015 and focuses on stealing information from Latin American targets, especially in Brazil.
The virus's core remains in Delphi, with the installer in Visual Basic script, but the new WhatsApp spreading mechanism is written in Python, indicating a multi-language approach by hackers. The use of WhatsApp for spreading banking viruses is gaining traction due to the app's widespread use in Brazil. Recent reports from Trend Micro and Sophos highlight similar tactics by other groups using WhatsApp to spread different banking viruses.
Since September 2025, a campaign named STAC3150 has been targeting Brazilian WhatsApp users with Astaroth, using ZIP files containing scripts that download further malicious components. These scripts, typically Visual Basic Scripts disguised as harmless files, start the infection chain. The virus also includes tracking capabilities that let its operators monitor its spread in real time.
The report emphasizes the importance of modern cybersecurity measures like Zero Trust and AI-powered cloud security to detect and mitigate such hidden threats. Additionally, the rapid development of agentic AI poses new risks, necessitating vigilant monitoring and control to prevent security breaches.
Stay secure — stay Wavasec. 🔐