
Astaroth Reimagined: Weaponizing WhatsApp for Scalable Banking Fraud

Amber | Attack Report

Summary

The Boto Cor-de-Rosa campaign is a notable evolution of the Astaroth banking trojan (also tracked as Guildma), first observed in April 2025 and aimed at customers of Brazilian banks and financial-service providers. The campaign adds a WhatsApp-based worm component that turns Astaroth from a conventional banking trojan into a self-propagating social engineering platform: the malware automates WhatsApp Web to harvest the victim’s contact list and sends every contact a ZIP archive containing a heavily obfuscated Visual Basic Script downloader, so that infections chain through trusted personal relationships.

The malware combines two functions: a propagation module and a credential-theft module. The propagation module keeps the infection loop going with Portuguese-language lures that trade on the trust recipients place in messages from known contacts. In parallel, the banking module monitors the victim’s browsing and intercepts financial credentials whenever a targeted banking or financial-service URL is opened. The pairing of worm-style spreading with targeted credential theft is what makes this campaign particularly dangerous for Brazilian banking customers.

The campaign is narrowly targeted: lures are written in Portuguese and aimed only at Brazilian victims. The malware is time-of-day aware and selects its greeting from the local Brazilian time, using “Bom dia” (good morning), “Boa tarde” (good afternoon) or “Boa noite” (good evening). Combined with WhatsApp’s ubiquity in Brazil as a trusted channel, this tailoring raises infection success rates well above those of conventional email phishing.

Attack Details

Astaroth Evolution and Architectural Transformation

Astaroth is a long-running Brazilian banking trojan written in Delphi that has repeatedly updated its tooling and delivery methods to keep pace with improving defenses. Boto Cor-de-Rosa marks an inflection point by adding a WhatsApp worm component written entirely in Python: a multi-language, modular design that separates propagation from credential theft.

Distributing through WhatsApp is a strategic pivot away from email phishing and malvertising toward a trusted messaging platform and the victim’s existing relationships. Because each lure arrives from a contact already in the recipient’s address book, suspicion is low and infection rates are high. The attack exploits human trust rather than a technical vulnerability: no exploit is involved, and the victim still has to extract and run the script.

Multi-Stage Infection Chain and Delivery Mechanism

The infection starts with an innocuous-looking WhatsApp message carrying a ZIP archive whose name is a random alphanumeric string, which defeats simple filename-based detection. Inside is a heavily obfuscated Visual Basic Script (.vbs) named to look like a document or utility. When the victim runs it, the script silently launches a two-track chain that deploys both the core Astaroth banking module and the WhatsApp propagation worm.

On the primary track, the VBS downloader fetches an MSI package that installs the core Astaroth payload into a hidden directory under the victim’s user profile. Astaroth then uses a legitimate AutoIt interpreter together with an encoded loader to decrypt and run its main modules in memory. Because the decrypted modules never touch disk, file-based antivirus scanning sees only the interpreter and an encoded blob, and the compromised host retains few forensic artifacts beyond the dropped files themselves.

WhatsApp Propagation Module and Social Engineering

On the second track, the VBS installer deploys a full Python runtime and drops zapbiu.py, the propagation module. It drives WhatsApp Web to enumerate the victim’s entire contact list and then sends each contact a malicious ZIP attachment with a Portuguese-language lure. Messages are customized to the current time of day in Brazil with the greetings “Bom dia” (good morning), “Boa tarde” (good afternoon) or “Boa noite” (good evening) so that they read as authentic.

The messages are written to read as routine and helpful, typically claiming to share a file the recipient had asked for and offering further help if needed. That conversational tone mimics normal exchanges between Brazilian contacts and is far less suspicious than obvious spam or phishing. Behind the scenes the spreader tracks its own activity: it logs delivery statistics after every 50 messages sent and exfiltrates the harvested contact list and propagation metrics to its command-and-control servers, so operators can measure the campaign’s reach.
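As an added illustration (not code from the advisory or from the Acronis research it summarizes), the following Python hunt flags the two-track execution chain described above in process-creation telemetry: a script host running a .vbs from a user profile, msiexec.exe descending from that script host, an AutoIt interpreter living under a user profile, and a Python interpreter descending from the script chain. The event records are constructed for this example in a Sysmon Event ID 1 style; the field names, file names and the benign control record are assumptions, not observed samples.

```python
"""Hunt for the Astaroth / Boto Cor-de-Rosa execution chain in process-creation telemetry."""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (Sysmon Event ID 1 style, already parsed).
# Paths and file names are assumptions for this example, not real samples.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # Track 0: victim runs the VBS extracted from the WhatsApp ZIP
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\ana\Downloads\X7K2P9Q4\Comprovante.vbs"'},
    # Track 1: VBS fetches an MSI and runs it via msiexec
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\setup.msi /qn"},
    # Track 1: legitimate AutoIt interpreter dropped into a hidden profile dir
    {"pid": 400, "ppid": 200, "image": r"C:\Users\ana\AppData\Roaming\k9d1\autoit3.exe",
     "cmd": r"autoit3.exe C:\Users\ana\AppData\Roaming\k9d1\loader.a3x"},
    # Track 2: dropped Python runtime executing the propagation module
    {"pid": 500, "ppid": 200, "image": r"C:\Users\ana\AppData\Local\py\python.exe",
     "cmd": r"python.exe C:\Users\ana\AppData\Local\py\zapbiu.py"},
    # Benign control: an installer the user launched from Explorer (must not fire)
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\ana\Downloads\7z2301-x64.msi"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)   # anything under C:\Users\<name>\
PATH_TOKEN = re.compile(r'[a-z]:\\[^"\s]+', re.I)              # drive-letter paths in a command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Walk the parent chain; stop at a missing parent or a cycle."""
    seen, chain = set(), []
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def hunt(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event matching one of the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        args = PATH_TOKEN.findall(e["cmd"])
        lineage = {basename(a["image"]) for a in ancestors(e["pid"], by_pid)}

        # Stage 0: wscript/cscript executing a .vbs/.vbe located under a user profile
        if img in SCRIPT_HOSTS and any(
                USER_PROFILE.match(a) and a.lower().endswith((".vbs", ".vbe")) for a in args):
            alerts.append(("vbs_from_user_profile", e["pid"]))
        # Stage 1a: Windows Installer launched somewhere below a script host
        if img == "msiexec.exe" and lineage & SCRIPT_HOSTS:
            alerts.append(("msiexec_descendant_of_script_host", e["pid"]))
        # Stage 1b: AutoIt is not part of Windows; an interpreter under a profile is suspect
        if img.startswith("autoit3") and USER_PROFILE.match(e["image"]):
            alerts.append(("autoit_interpreter_in_user_profile", e["pid"]))
        # Stage 2: a Python interpreter under a profile, spawned by the script chain
        if img in {"python.exe", "pythonw.exe"} and USER_PROFILE.match(e["image"]) \
                and lineage & SCRIPT_HOSTS:
            alerts.append(("python_descendant_of_script_host", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The lineage check is what keeps the benign msiexec run (pid 600, parent Explorer) quiet while still catching pid 300, whose parent is the script host; in production the same logic should be fed from Sysmon or EDR process events rather than an in-memory list, and the AutoIt and Python rules should be tuned against any developer workstations where those interpreters are legitimately installed per user.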

Banking Credential Theft and Financial Impact

While the propagation module extends the botnet through victims’ social networks, the core banking module watches the victim’s browsing for Brazilian banking and financial-service sites. When a targeted site is opened, it activates its interception logic to capture authentication credentials, session tokens and transaction details entered during the session.

The impact is concentrated in Brazil, where the campaign targets individual retail banking customers as well as organizations in the financial-services sector. Because every newly infected host immediately targets everyone in its WhatsApp contact list, the worm has exponential growth potential. The dual-module design therefore spreads the malware through personal and professional contact networks while stealing banking credentials from each compromised host, expanding both the botnet’s reach and its capacity for large-scale fraud.

Risk Assessment and Threat Prioritization

This campaign is a high-priority threat for any organization with Brazilian operations, a Brazilian customer base, or employees who bank in Brazil. Abusing WhatsApp, which users trust for messages from known contacts, yields far higher infection rates than email phishing, which recipients treat with more skepticism. Together with the Portuguese-language, time-zone-aware social engineering, this makes Boto Cor-de-Rosa exceptionally effective against its intended demographic and justifies heightened alerting and proactive controls.

Recommendations

WhatsApp Attachment Caution and Verification

Treat unexpected ZIP archives, installers or script files received over WhatsApp with suspicion even when they come from a known contact; this campaign relies precisely on messages sent from compromised contacts’ accounts. Before opening such a file, confirm through a separate channel (a phone call, a different messaging app, or in person) that the contact actually sent it and knows what it contains.

Automatic Download Disabling

Disable automatic media and file download in WhatsApp and other messaging apps. Auto-download does not execute anything by itself, but it places the archive on the device where it can be opened by reflex; requiring a deliberate download gives the user a moment to assess the sender and the file before it lands on disk, which reduces the chance of an impulsive Astaroth infection.

Script and Installer Execution Restrictions

Organizations operating in Brazil or serving Brazilian customers should apply application control (AppLocker, WDAC or an equivalent EDR policy) that prevents the VBScript, AutoIt and Python interpreters from running content out of user-writable locations such as Downloads, Temp and the rest of the user profile. Neither Python nor AutoIt ships with Windows, so a python.exe or autoit3.exe appearing under a user profile is itself a strong signal in this chain. Blocking unsigned scripts and installers breaks the infection early, before persistence is established, and an allow-list of approved, digitally signed applications is a robust defense against script-based delivery in general.

Banking Security Hardening

Brazilian banking customers should not store banking credentials in browser password managers, which the Astaroth banking module specifically targets, and should enable multi-factor authentication wherever their bank supports it. MFA raises the bar substantially but is not a complete answer here: the banking module also captures session tokens and transaction details during a live session, so monitoring accounts for unfamiliar logins, unexpected transaction approvals or other anomalies remains essential for early detection and response.

Advanced Endpoint Protection Deployment

Deploy endpoint protection with behavioral detection (EDR or NGAV) rather than relying on signatures alone, since obfuscation and in-memory execution defeat static scanning. The behaviors worth alerting on in this chain are concrete: wscript.exe or cscript.exe running a .vbs from a user-writable directory, msiexec.exe spawned by a script host, an AutoIt interpreter executing from a hidden directory under a user profile, a Python interpreter spawned by the same script chain, and automation of WhatsApp Web that sends messages in bulk.

Indicators of Compromise (IoCs)

Cryptographic Hashes

SHA256: 098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553, 073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4, bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e, c185a36317300a67dc998629da41b1db2946ff35dba314db1a580c8a25c83ea4, 5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6, 9081b50af5430c1bf5e84049709840c40fc5fdd4bb3e21eca433739c26018b2e, 3b9397493d76998d7c34cb6ae23e3243c75011514b1391d1c303529326cde6d5, 1e101fbc3f679d9d6bef887e1fc75f5810cf414f17e8ad553dc653eb052e1761, 01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd, 025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202, 19ff02105bbe1f7cede7c92ade9cb264339a454ca5de14b53942fa8fbe429464, 1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645, 3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433, 4a6db7ffbc67c307bc36c4ade4fd244802cc9d6a9d335d98657f9663ebab900f, 4b20b8a87a0cceac3173f2adbf186c2670f43ce68a57372a10ae8876bb230832, 4bc87764729cbc82701e0ed0276cdb43f0864bfaf86a2a2f0dc799ec0d55ef37, 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1, 7c54d4ef6e4fe1c5446414eb209843c082eab8188cf7bdc14d9955bdd2b5496d, a48ce2407164c5c0312623c1cde73f9f5518b620b79f24e7285d8744936afb84, f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff

Network Infrastructure

Malicious Domains: centrogauchodabahia123[.]com, coffe-estilo[.]com, empautlipa[.]com, miportuarios[.]com, varegjopeaks[.]com
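The indicators above are published defanged (the domains use [.]), so they have to be normalized before they can be matched against telemetry. The following Python is added here and is not part of the advisory: it parses the hash and domain lines exactly as printed (the hash list is shortened to its first three entries), refangs the domains, and matches them against a few constructed DNS and file-inventory records, treating subdomains of a listed domain as hits and comparing hashes case-insensitively. The record format and the hostnames in it are assumptions.

```python
"""Normalize the advisory's defanged IoCs and match them against sample telemetry."""
import re
from typing import Dict, List, Set, Tuple

# Copied from the IoC section above (domains defanged with [.]).
# The SHA256 list is truncated to three of the advisory's twenty hashes.
ADVISORY_IOC_TEXT = """
SHA256: 098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553, 073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4, bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e
Malicious Domains: centrogauchodabahia123[.]com, coffe-estilo[.]com, empautlipa[.]com, miportuarios[.]com, varegjopeaks[.]com
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DEFANGED_DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\[\.\][a-z0-9-]+)+\b", re.I)

# Constructed records (assumed format); hostnames and paths are not real.
SAMPLE_RECORDS = [
    {"type": "dns", "host": "wks-ana", "query": "www.coffe-estilo.com"},      # subdomain of an IoC
    {"type": "dns", "host": "wks-bob", "query": "coffee-estilo.com"},         # look-alike, not an IoC
    {"type": "file", "host": "wks-ana",
     "path": r"C:\Users\ana\AppData\Local\Temp\setup.msi",
     "sha256": "073D3C77C86B627A742601B28E2A88D1A3AE54E255F0F69D7A1FB05CC1A8B1E4"},  # upper-case hash
    {"type": "file", "host": "wks-bob",
     "path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},           # benign
]


def refang(domain: str) -> str:
    """Turn the advisory's 'example[.]com' form back into a resolvable name."""
    return domain.replace("[.]", ".").lower()


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Extract SHA256 hashes and defanged domains from advisory text."""
    return {
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
        "domain": {refang(d) for d in DEFANGED_DOMAIN_RE.findall(text)},
    }


def domain_matches(name: str, iocs: Dict[str, Set[str]]) -> bool:
    """Exact match or any subdomain of a listed domain; look-alikes do not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs["domain"])


def match_records(records: List[dict], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (host, indicator_type, value) for each record that hits an IoC."""
    hits = []
    for r in records:
        if r["type"] == "dns" and domain_matches(r["query"], iocs):
            hits.append((r["host"], "domain", r["query"]))
        elif r["type"] == "file" and r["sha256"].lower() in iocs["sha256"]:
            hits.append((r["host"], "sha256", r["sha256"].lower()))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(ADVISORY_IOC_TEXT)
    for host, kind, value in match_records(SAMPLE_RECORDS, iocs):
        print(f"{host}: {kind} hit {value}")
```

Two details matter when operationalizing this: hashes from EDR inventories are often reported in upper case, so normalize case before comparing, and a DNS match should include subdomains of the listed apex (the advisory lists apexes) while rejecting typosquat look-alikes, which the exact-or-suffix test above does.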

MITRE ATT&CK TTPs

Initial Access (TA0001)

T1566 – Phishing: The Astaroth Boto Cor-de-Rosa campaign uses phishing techniques distributed through WhatsApp messaging rather than traditional email vectors.

T1566.003 – Spearphishing via Service: Malicious ZIP archives containing obfuscated Visual Basic Script files are sent to victim contacts over WhatsApp. Because the lure is delivered through a third-party messaging service rather than email, Spearphishing via Service is the closer fit than T1566.001 (Spearphishing Attachment).

Execution (TA0002)

T1059 – Command and Scripting Interpreter: Astaroth leverages multiple scripting interpreters throughout its infection chain to execute malicious code.

T1059.005 – Visual Basic: The initial infection stage employs heavily obfuscated VBScript files as the primary downloader component.

T1059.006 – Python: The WhatsApp propagation worm module is implemented entirely in Python, requiring Python runtime installation on compromised systems.

T1059.010 – AutoHotKey & AutoIT: Astaroth utilizes legitimate AutoIt script interpreters to decrypt and execute the core banking trojan payload in memory.

T1204 – User Execution: The infection chain requires user interaction to extract and execute the malicious VBScript file from the ZIP archive.

T1204.002 – Malicious File: Victims must manually open the malicious file attachment received through WhatsApp to trigger the infection sequence.

T1218 – System Binary Proxy Execution: Astaroth abuses legitimate system binaries and trusted applications to execute malicious payloads.

T1218.007 – Msiexec: The malware uses Windows Installer (msiexec.exe) to deploy the core banking trojan through MSI installer packages, leveraging this trusted system binary for malicious purposes.

Defense Evasion (TA0005)

T1027 – Obfuscated Files or Information: The Visual Basic Script downloader employs heavy obfuscation techniques to evade analysis and detection by security software.

T1036 – Masquerading: Malicious files use deceptive naming conventions to appear as legitimate documents or applications, reducing victim suspicion.

Discovery (TA0007)

T1087 – Account Discovery: The WhatsApp propagation module enumerates the victim’s WhatsApp contact list to select targets for worm spreading.

Collection (TA0009)

T1005 – Data from Local System: Astaroth collects contact lists, browsing data and banking credentials from compromised systems.

Command and Control (TA0011)

T1071 – Application Layer Protocol: The malware communicates with command-and-control infrastructure over standard application layer protocols.

T1071.001 – Web Protocols: Astaroth uses HTTP/HTTPS to download additional payloads and exfiltrate stolen data.

T1105 – Ingress Tool Transfer: After initial compromise the VBS downloader retrieves the MSI installer and the Python runtime from remote servers.

Exfiltration (TA0010)

T1041 – Exfiltration Over C2 Channel: Stolen banking credentials, contact lists, and propagation statistics are exfiltrated through established command-and-control communication channels.

References

https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil/
