{
  "name": "Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil",
  "slug": "boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil",
  "description": "The Boto Cor-de-Rosa campaign reveals Astaroth's new propagation strategy, which abuses WhatsApp Web. This Brazilian banking malware now uses a Python-based worm module to retrieve victims' WhatsApp contact lists and automatically send malicious messages, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic script that downloads additional components. The malware then runs two parallel modules: a propagation module that spreads through WhatsApp contacts, and a banking module that steals credentials. This campaign demonstrates Astaroth's evolution, combining traditional malware techniques with sophisticated social engineering and multi-platform propagation, primarily targeting Brazilian users.",
  "published": "2026-01-08T17:12:03+00:00",
  "created_at": "2026-01-08T17:12:03+00:00",
  "modified_at": "2026-01-09T08:36:37+00:00",
  "created_at_opencti": "2026-01-08T17:12:03+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-08",
    "astaroth",
    "banking malware",
    "boto cor-de-rosa",
    "python",
    "social engineering",
    "whatsapp",
    "worm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "3b9397493d76998d7c34cb6ae23e3243c75011514b1391d1c303529326cde6d5"
      },
      {
        "id": "",
        "name": "1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645"
      },
      {
        "id": "",
        "name": "9081b50af5430c1bf5e84049709840c40fc5fdd4bb3e21eca433739c26018b2e"
      },
      {
        "id": "",
        "name": "5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6"
      },
      {
        "id": "",
        "name": "bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e"
      },
      {
        "id": "",
        "name": "19ff02105bbe1f7cede7c92ade9cb264339a454ca5de14b53942fa8fbe429464"
      },
      {
        "id": "",
        "name": "c185a36317300a67dc998629da41b1db2946ff35dba314db1a580c8a25c83ea4"
      },
      {
        "id": "",
        "name": "f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff"
      },
      {
        "id": "",
        "name": "1e101fbc3f679d9d6bef887e1fc75f5810cf414f17e8ad553dc653eb052e1761"
      },
      {
        "id": "",
        "name": "073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4"
      },
      {
        "id": "",
        "name": "4a6db7ffbc67c307bc36c4ade4fd244802cc9d6a9d335d98657f9663ebab900f"
      },
      {
        "id": "",
        "name": "01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd"
      },
      {
        "id": "",
        "name": "3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433"
      },
      {
        "id": "",
        "name": "a48ce2407164c5c0312623c1cde73f9f5518b620b79f24e7285d8744936afb84"
      },
      {
        "id": "",
        "name": "4b20b8a87a0cceac3173f2adbf186c2670f43ce68a57372a10ae8876bb230832"
      },
      {
        "id": "",
        "name": "098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553"
      },
      {
        "id": "",
        "name": "4bc87764729cbc82701e0ed0276cdb43f0864bfaf86a2a2f0dc799ec0d55ef37"
      },
      {
        "id": "",
        "name": "6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1"
      },
      {
        "id": "",
        "name": "025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202"
      },
      {
        "id": "",
        "name": "7c54d4ef6e4fe1c5446414eb209843c082eab8188cf7bdc14d9955bdd2b5496d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:cfb24bcb4521ad20",
        "name": "Astaroth",
        "slug": "astaroth"
      },
      {
        "id": "legacy:malware:bf0f65728482a52f",
        "name": "Astaroth - S0373",
        "slug": "astaroth-s0373"
      }
    ],
    "intrusion_sets": [
      {
        "id": "bc3738c1-07f3-4710-938d-23ba56bd3ed4",
        "name": "Astaroth",
        "slug": "astaroth"
      }
    ],
    "attack_patterns": [
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "centrogauchodabahia123.com"
      },
      {
        "id": "",
        "name": "miportuarios.com"
      },
      {
        "id": "",
        "name": "coffe-estilo.com"
      },
      {
        "id": "",
        "name": "empautlipa.com"
      }
    ]
  },
  "external_refs": [
    "https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil",
    "https://otx.alienvault.com/pulse/695ff377a3c557464db40bea"
  ]
}