Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil
Essential information
- Published: 08/01/2026 18:12
- Modified: 09/01/2026 09:36
- Tags: 2026-01-08 astaroth banking malware boto cor-de-rosa python social engineering whatsapp worm
- Related entities: 20 observables, 1 intrusion sets (apt), 1 techniques (mitre), 2 malware, 6 others
Description
The Boto Cor-de-Rosa campaign reveals Astaroth's new strategy of exploiting WhatsApp Web for propagation. This Brazilian banking malware now uses a Python-based worm module to retrieve victims' WhatsApp contact lists and automatically send malicious messages to them, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic Script (VBS) file that downloads additional components. The malware then operates two parallel modules: a propagation module that spreads through the victim's WhatsApp contacts, and a banking module that steals credentials. This campaign demonstrates Astaroth's evolution, combining traditional malware techniques with sophisticated social engineering and multi-platform propagation, primarily targeting Brazilian users.
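The chain described above (a VBS file from a user-delivered ZIP that fetches further components, followed by a Python worm module) is visible in process-creation telemetry. The following is an added detection sketch, not code or an indicator from the report: it assumes Sysmon-style process-creation events, that the VBS is executed through Windows Script Host (wscript.exe/cscript.exe) from a user-writable directory, and that the worm module runs as a Python interpreter process descended from that script host. The event records, paths and file names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed field set, Sysmon-like)."""
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # full command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Directories a ZIP received over a messenger is typically extracted to
# (assumption; tune to the environment).
USER_WRITABLE_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\local\\")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def descendants(pid: int, children: dict) -> list:
    """All transitive child events of `pid` (iterative walk, no recursion)."""
    found, stack = [], [pid]
    while stack:
        for child in children.get(stack.pop(), []):
            found.append(child)
            stack.append(child.pid)
    return found


def find_vbs_to_python_chains(events: list) -> list:
    """Return (script_host_pid, python_pid) pairs where a script host ran a
    .vbs from a user-writable directory and a Python interpreter later
    appeared anywhere in that script host's process subtree."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        cmd = e.cmdline.lower()
        if ".vbs" not in cmd or not any(d in cmd for d in USER_WRITABLE_DIRS):
            continue
        for d in descendants(e.pid, children):
            if basename(d.image) in PYTHON_IMAGES:
                hits.append((e.pid, d.pid))
    return hits


# Constructed sample telemetry (hypothetical paths and names).
SAMPLE_EVENTS = [
    ProcEvent(4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: domain logon script from a network share, no Python descendant.
    ProcEvent(10, 4, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "\\corp\netlogon\map_drives.vbs"'),
    # Suspicious: VBS extracted from a ZIP in Downloads, spawns cmd, then Python.
    ProcEvent(12, 4, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\Downloads\documento.vbs"'),
    ProcEvent(14, 12, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start /min run.bat"),
    ProcEvent(20, 14, r"C:\Users\ana\AppData\Local\Temp\py\pythonw.exe",
              "pythonw.exe script.py"),
]

if __name__ == "__main__":
    for host_pid, py_pid in find_vbs_to_python_chains(SAMPLE_EVENTS):
        print(f"ALERT: script host pid {host_pid} led to python pid {py_pid}")
```

The walk is over the whole subtree rather than direct children only, because a downloader commonly interposes cmd.exe or an installer between the script and the payload it fetches; the user-writable-directory check keeps legitimate logon scripts served from administrative shares out of the alert.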