Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil

Jan. 9, 2026, 9:36 a.m.

Description

The Boto Cor-de-Rosa campaign reveals Astaroth's new strategy of exploiting WhatsApp Web for propagation. This Brazilian banking malware now uses a Python-based worm module to retrieve victims' WhatsApp contact lists and automatically send malicious messages, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic script that downloads additional components. The malware then operates two parallel modules: a propagation module for spreading through WhatsApp contacts, and a banking module for credential stealing. This campaign demonstrates Astaroth's evolution, combining traditional malware techniques with sophisticated social engineering and multi-platform propagation, primarily targeting Brazilian users.
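The record above describes the first stage as a ZIP archive delivered over WhatsApp that carries a Visual Basic script. The following triage helper is an added example written for this page, not code from the report or from the malware: it inspects a ZIP attachment without executing anything, flags script-type members (the `.vbs` case from the description plus other common script extensions, which are my assumption), flags unsafe member paths and oversized members, and compares each member's SHA-256 against the hashes published under "Indicators" below. The sample archive it builds is constructed for the demonstration and contains only a harmless echo script.

```python
import hashlib
import io
import zipfile

# SHA-256 file hashes copied from the "Indicators" section of this record.
KNOWN_BAD_SHA256 = {
    "3b9397493d76998d7c34cb6ae23e3243c75011514b1391d1c303529326cde6d5",
    "1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645",
    "9081b50af5430c1bf5e84049709840c40fc5fdd4bb3e21eca433739c26018b2e",
    "5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6",
    "bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e",
    "19ff02105bbe1f7cede7c92ade9cb264339a454ca5de14b53942fa8fbe429464",
    "c185a36317300a67dc998629da41b1db2946ff35dba314db1a580c8a25c83ea4",
    "f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff",
    "1e101fbc3f679d9d6bef887e1fc75f5810cf414f17e8ad553dc653eb052e1761",
    "073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4",
    "4a6db7ffbc67c307bc36c4ade4fd244802cc9d6a9d335d98657f9663ebab900f",
    "01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd",
    "3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433",
    "a48ce2407164c5c0312623c1cde73f9f5518b620b79f24e7285d8744936afb84",
    "4b20b8a87a0cceac3173f2adbf186c2670f43ce68a57372a10ae8876bb230832",
    "098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553",
    "4bc87764729cbc82701e0ed0276cdb43f0864bfaf86a2a2f0dc799ec0d55ef37",
    "6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1",
    "025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202",
    "7c54d4ef6e4fe1c5446414eb209843c082eab8188cf7bdc14d9955bdd2b5496d",
}

# The record names a Visual Basic script as the dropper; the rest of this
# list is an assumption covering other Windows script types worth flagging
# when they arrive inside a messaging-app attachment.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                     ".hta", ".bat", ".cmd", ".ps1", ".lnk")

# Assumed cap so a decompression bomb cannot exhaust memory during triage.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def triage_zip(zip_bytes, known_hashes=KNOWN_BAD_SHA256):
    """Inspect every member of a ZIP held in memory and return one finding per
    file: name, size, SHA-256 (or None if skipped) and a list of reason tags.
    Nothing is extracted to disk and nothing is executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            name = info.filename
            # Member paths that escape the extraction directory are a red flag.
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                reasons.append("unsafe-member-path")
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                reasons.append("script-file-in-archive")
            digest = None
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized-member-skipped")
            else:
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                if digest in known_hashes:
                    reasons.append("hash-matches-published-ioc")
            findings.append({"member": name, "size": info.file_size,
                             "sha256": digest, "reasons": reasons})
    return findings


def is_suspicious(findings):
    """True when any member carries at least one reason tag."""
    return any(f["reasons"] for f in findings)


def build_sample_zip():
    """Constructed test attachment: a harmless VBScript that only echoes a
    string, plus a plain text file. This is NOT the campaign's dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("comprovante.vbs", 'WScript.Echo "constructed sample"\r\n')
        zf.writestr("leia-me.txt", "constructed benign text file\n")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_zip(build_sample_zip())
    for f in results:
        print(f"{f['member']:20} {f['size']:>6} B  {f['sha256']}  {f['reasons']}")
    print("suspicious:", is_suspicious(results))
```

Run it against a saved attachment with `triage_zip(open(path, "rb").read())`; a finding tagged `script-file-in-archive` or `hash-matches-published-ioc` is what a mail or messaging gateway would quarantine, while the hash list alone would miss a repacked variant, which is why the structural checks come first.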

Date

  • Created: Jan. 8, 2026, 6:12 p.m.
  • Published: Jan. 8, 2026, 6:12 p.m.
  • Modified: Jan. 9, 2026, 9:36 a.m.

Indicators (SHA-256 file hashes)

  • 3b9397493d76998d7c34cb6ae23e3243c75011514b1391d1c303529326cde6d5
  • 1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645
  • 9081b50af5430c1bf5e84049709840c40fc5fdd4bb3e21eca433739c26018b2e
  • 5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6
  • bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e
  • 19ff02105bbe1f7cede7c92ade9cb264339a454ca5de14b53942fa8fbe429464
  • c185a36317300a67dc998629da41b1db2946ff35dba314db1a580c8a25c83ea4
  • f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff
  • 1e101fbc3f679d9d6bef887e1fc75f5810cf414f17e8ad553dc653eb052e1761
  • 073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4
  • 4a6db7ffbc67c307bc36c4ade4fd244802cc9d6a9d335d98657f9663ebab900f
  • 01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd
  • 3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433
  • a48ce2407164c5c0312623c1cde73f9f5518b620b79f24e7285d8744936afb84
  • 4b20b8a87a0cceac3173f2adbf186c2670f43ce68a57372a10ae8876bb230832
  • 098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553
  • 4bc87764729cbc82701e0ed0276cdb43f0864bfaf86a2a2f0dc799ec0d55ef37
  • 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1
  • 025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202
  • 7c54d4ef6e4fe1c5446414eb209843c082eab8188cf7bdc14d9955bdd2b5496d

Attack Patterns

Additional Information

  • Finance
  • centrogauchodabahia123.com
  • miportuarios.com
  • coffe-estilo.com
  • empautlipa.com
  • Brazil