Cybersecurity researchers have uncovered an active malware campaign in Brazil in which Astaroth — a long-running Windows banking trojan (also known as Guildma) — is being distributed via a self-propagating WhatsApp worm. The campaign has been dubbed the Boto Cor-de-Rosa operation.
Here’s how it works:
1. A victim receives a WhatsApp message with a malicious ZIP file attachment.
2. If the victim opens the archive and launches the file inside, a Visual Basic Script disguised as a benign file runs and downloads the remaining malware components.
3. The malware then operates as two components:
- A Python-based WhatsApp worm module that harvests the victim’s contact list and automatically sends the malicious ZIP to every contact, allowing it to spread like a worm.
- A banking credential-stealing module that runs silently, monitoring web activity for banking sites and capturing login information.
Most victims are in Brazil, with a small number of cases also noted in the U.S. and Austria.
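As an added defensive illustration (example code, not from the article or the researchers), the check below triages a ZIP attachment the way step 2 above suggests: it flags archive members that are scripts or executables, including ones hidden behind a benign-looking double extension. The extension list and the sample archive are constructed for this example and are not indicators from the campaign.

```python
"""Defensive triage for ZIP attachments received over messaging apps.

Flags members that are scripts or executables, including ones hidden behind a
benign-looking double extension (e.g. "foto.jpg.vbs"), the delivery pattern the
article describes. The extension list and the sample archive are constructed
for this example and are not indicators from the campaign.
"""
import io
import zipfile
from typing import List, Optional

# Assumption: a conservative, non-exhaustive set of file types Windows executes
# directly on double-click.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr",
    ".lnk", ".bat", ".cmd", ".ps1", ".msi",
}


def classify_member(name: str) -> Optional[str]:
    """Return a reason if a member name looks executable, else None."""
    base = name.rstrip("/").lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2]:
        return f"double extension masking script: {name}"
    return f"executable content: {name}"


def suspicious_zip_members(data: bytes) -> List[str]:
    """Inspect ZIP bytes and return reasons to block the attachment (empty = clean)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_member(info.filename)
            if reason:
                reasons.append(reason)
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless text file plus a script under a disguised name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("leia-me.txt", "hello")
        zf.writestr("Comprovante.pdf.vbs", "' constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    for reason in suspicious_zip_members(build_sample_zip()):
        print("BLOCK:", reason)
```

A mail or messaging gateway can apply the same check before an attachment reaches a Windows endpoint; a non-empty result is grounds to quarantine rather than deliver.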
Why This Is Significant
New Propagation Method
Unlike earlier Astaroth campaigns (which often used phishing emails), this campaign leverages WhatsApp messages and a user’s trust in known contacts to spread.
Worm-like Behavior
Once Astaroth infects a system, the malware actively propagates itself to all WhatsApp contacts without the user’s knowledge — making it much more aggressive and fast-spreading than traditional banking trojans.
Modular and Sophisticated
The malware combines multiple programming languages and components — a Delphi core for banking theft, VBScript for installation, and Python for propagation — showing a higher level of attacker sophistication and modular design.
Risks for Users
If infected, a user’s system can:
- Automatically forward malware to all contacts, amplifying spread.
- Capture banking credentials and personal data silently.
- Enable financial fraud or account takeovers.
Even when a message appears to come from a trusted contact, it may be malicious — because the infected device itself does the sending.
How to Protect Yourself
- Never open ZIP files or executables sent over WhatsApp, even from contacts you know.
- Be especially careful with attachments opened on a Windows PC, since this malware targets Windows.
- Keep antivirus/endpoint protection updated with real-time scanning.
- Educate yourself and others about social engineering tactics.
- Use multi-factor authentication (MFA) on financial accounts.
- Regularly back up important data offline.
These measures help guard against both infection and credential theft in case the malware does get executed.
Background on Astaroth
Astaroth (a.k.a. Guildma) is a Brazilian banking trojan first observed back in 2015. It has historically focused on stealing financial credentials and other sensitive data, primarily in Latin America. This campaign represents a notable evolution in delivery — moving from traditional phishing to instant messaging-based propagation.
