Astaroth is being spread through a new distribution vector that uses WhatsApp to carry out targeted attacks.
According to researchers, a new campaign in Brazil abuses the messaging application to deliver a Windows banking trojan, sending malicious messages to users.
The campaign was dubbed Boto Cor-de-Rosa by the Acronis Threat Research Unit. They explain that the malware retrieves the victim's WhatsApp contact list and sends malicious messages to spread the infection.
Astaroth, also called Guildma, is banking malware detected as active since 2015, primarily targeting users in Latin America, especially Brazil, to facilitate data theft.
In 2024, two different threat clusters were observed, identified as PINEAPPLE and Water Makara, which used phishing emails to spread malware.
The use of WhatsApp as a distribution vehicle for banking Trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, driven by the widespread use of the messaging platform in the country.
Sophos, in a report published in November 2025, stated that it was tracking a multi-stage malware distribution campaign, codenamed STAC3150, targeting WhatsApp users in Brazil with Astaroth.
More than 95% of the affected devices were located in Brazil, with the remaining infections scattered across the United States and Austria.
The malware is distributed as ZIP files containing a download script that retrieves a PowerShell or Python script, which harvests the victim's WhatsApp data so the malware can propagate itself, along with an MSI installer that deploys the Trojan.
The latest findings from Acronis are a continuation of this trend, where ZIP files distributed via WhatsApp messages act as the starting point for malware infection.
A Python-based propagation module collects the victim's WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, facilitating the malware's spread in a worm-like manner.
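A defender-side triage check for the lure described above, added here as an example and not taken from the Acronis or Sophos reports: it inspects a ZIP received as a chat attachment and flags the script-plus-installer layout and document-looking decoy names. The extension lists are assumptions, since the reports quoted here do not name the exact script types.

```python
import io
import zipfile

# Extensions that warrant quarantine inside a chat-delivered ZIP (assumed list; the article does not name the loader's script types).
SCRIPT_EXTS = {"ps1", "py", "bat", "cmd", "js", "vbs", "lnk", "hta"}
INSTALLER_EXTS = {"msi", "exe"}
# Document-like extensions that, placed before a script extension, hint at a decoy name.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment and report scripts, installers and decoy names."""
    report = {"scripts": [], "installers": [], "double_ext": [], "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist() if not n.endswith("/")]
    except zipfile.BadZipFile:
        report["verdict"] = "malformed"
        return report
    for name in names:
        parts = name.rsplit("/", 1)[-1].lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTS:
            report["scripts"].append(name)
        elif ext in INSTALLER_EXTS:
            report["installers"].append(name)
        # e.g. "comprovante.pdf.js": a document-looking name hiding a script extension
        if len(parts) > 2 and parts[-2] in DECOY_EXTS and ext in SCRIPT_EXTS:
            report["double_ext"].append(name)
    if report["scripts"] and report["installers"]:
        report["verdict"] = "block"  # download script + installer in one archive, the lure layout described above
    elif report["scripts"] or report["installers"]:
        report["verdict"] = "suspicious"
    return report

def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample laid out like the lure described in the article (placeholder contents, not malware).
SAMPLE_LURE = build_zip({
    "comprovante.pdf.js": "// placeholder, not a real downloader\n",
    "setup.msi": b"MSI placeholder",
})

if __name__ == "__main__":
    print(triage_zip(SAMPLE_LURE))
```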
A banking module operates in the background, continuously monitoring the victim's web browsing activity. It activates when the victim visits URLs related to banking services, harvesting credentials for financial gain.
This new attack demonstrates the sophistication of cybercriminals, highlighting the urgent need for dedicated cybersecurity professionals.