Astaroth Banking Trojan Targets Brazilians via WhatsApp Messages
Researchers at Acronis have discovered a new campaign called Boto Cor-de-Rosa, where the Astaroth banking malware spreads like a worm through WhatsApp Web to steal contact lists and banking credentials.
A well-known and dangerous banking trojan, Astaroth, has found a new route into victims' machines: WhatsApp. The findings come from the Acronis Threat Research Unit (TRU), whose full report was released on Thursday, January 8, 2026.
Acronis has identified a new campaign, dubbed Boto Cor-de-Rosa, in which the malware behaves like a worm, spreading automatically from one victim's contact list to the next, and mainly targets users in Brazil.
Lead researchers Jozsef Gegeny and Jonathan Micael noted in the blog post, shared with Hackread.com, that while Astaroth's operators have usually relied on email, this new tactic abuses the trust people place in their chat apps.
**How the Malware Breaks In**
For most users, receiving a file from a friend on WhatsApp feels far safer than opening an attachment in an unexpected email, and that is exactly what the attackers are counting on. The attack begins with a message carrying a ZIP archive named with a meaningless-looking string of digits and hex characters, such as 552_516107-a9af16a8-552.zip.
If the victim extracts the archive and runs its contents, a script inside it starts the infection chain. Acronis found that the malware stages its main files in a fixed location on the machine, C:\Public\MicrosoftEdgeCache_6.60.2.9313, a directory name that mimics a legitimate Microsoft Edge cache folder.
Once installed, it runs two modules in parallel:
- The banking module: this stays quiet and watches for the victim logging into a bank.
- The WhatsApp spreader: a new component written in Python (a file named zapbiu.py) that harvests the victim's contact list through WhatsApp Web and sends a copy of the malware to every contact.
Attack Chain (Source: Acronis)
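For defenders, the indicators above (the lure archive name, the staging directory, and the Python spreader script) are the most useful part of the report. The following is an added example, not code from Acronis or Hackread, that turns them into simple detection logic and runs it over a few constructed Sysmon-style events. It generalizes the single ZIP name and the directory version suffix into patterns; those patterns, the stage labels, and the sample events are assumptions made here, not indicators Acronis published.

```python
r"""
Added example, not code from the Acronis report or from Hackread: detection
logic for the Boto Cor-de-Rosa indicators named in the article, run over
constructed Sysmon-style events.

Indicators taken from the article:
  - staging directory  C:\Public\MicrosoftEdgeCache_6.60.2.9313
  - Python spreader    zapbiu.py
  - lure archive name  552_516107-a9af16a8-552.zip

Assumptions made here (not published by Acronis): the version-like suffix of
the staging directory and the digits/hex layout of the ZIP name are
generalized into patterns, and the stage names are our own labels.
"""
import re
from typing import Dict, List

# Staging directory with the version suffix generalized (assumption).
STAGING_DIR_RE = re.compile(r"c:\\public\\microsoftedgecache_[\d.]+\\", re.IGNORECASE)

# Spreader script name quoted in the report.
SPREADER_SCRIPT = "zapbiu.py"

# Lure ZIP name generalized from the single sample in the report
# (digits_digits-8hex-digits.zip); an assumption that may need tuning.
LURE_ZIP_RE = re.compile(r"\d+_\d+-[0-9a-f]{8}-\d+\.zip", re.IGNORECASE)

PYTHON_IMAGES = {"python.exe", "pythonw.exe"}

# Our own mapping from indicator to the stage of the chain the article describes.
STAGE_OF = {
    "lure_zip_written": "lure",
    "staging_dir_write": "staging",
    "spreader_script_launched": "spreader",
    "python_from_staging_dir": "spreader",
}


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return the indicator names one event matches (empty list if none)."""
    hits: List[str] = []
    event_id = ev.get("EventID")

    if event_id == 11:  # Sysmon FileCreate
        target = str(ev.get("TargetFilename", ""))
        if LURE_ZIP_RE.fullmatch(basename(target)):
            hits.append("lure_zip_written")
        if STAGING_DIR_RE.match(target):
            hits.append("staging_dir_write")

    elif event_id == 1:  # Sysmon ProcessCreate
        image = basename(str(ev.get("Image", ""))).lower()
        cmdline = str(ev.get("CommandLine", ""))
        if image in PYTHON_IMAGES:
            if SPREADER_SCRIPT in cmdline.lower():
                hits.append("spreader_script_launched")
            if STAGING_DIR_RE.search(cmdline):
                hits.append("python_from_staging_dir")

    return hits


def triage(events: List[Dict[str, object]]) -> Dict[str, object]:
    """Run check_event over all events and report which chain stages were seen."""
    hits: Dict[int, List[str]] = {}
    stages = set()
    for i, ev in enumerate(events):
        found = check_event(ev)
        if found:
            hits[i] = found
            stages.update(STAGE_OF[h] for h in found)
    return {
        "hits": hits,
        "stages": stages,
        "full_chain": stages == {"lure", "staging", "spreader"},
    }


# Constructed sample events (not from any real host); paths other than the
# article's indicators are illustrative.
SAMPLE_EVENTS = [
    # 0: benign, Edge writing to its real cache
    {"EventID": 11,
     "TargetFilename": r"C:\Users\ana\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001"},
    # 1: lure ZIP saved by the browser from WhatsApp Web
    {"EventID": 11,
     "TargetFilename": r"C:\Users\ana\Downloads\552_516107-a9af16a8-552.zip"},
    # 2: spreader script dropped into the staging directory
    {"EventID": 11,
     "TargetFilename": r"C:\Public\MicrosoftEdgeCache_6.60.2.9313\zapbiu.py"},
    # 3: spreader started by a Python interpreter (interpreter path is illustrative)
    {"EventID": 1,
     "Image": r"C:\Public\MicrosoftEdgeCache_6.60.2.9313\python.exe",
     "CommandLine": r'"C:\Public\MicrosoftEdgeCache_6.60.2.9313\python.exe" zapbiu.py'},
    # 4: benign Python use on the same host
    {"EventID": 1,
     "Image": r"C:\Python312\python.exe",
     "CommandLine": r'"C:\Python312\python.exe" -m pip list'},
]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for idx, names in result["hits"].items():
        print(f"event {idx}: {', '.join(names)}")
    print("full chain observed:", result["full_chain"])
```

The lure-name pattern is the weakest of the three rules, since it is derived from a single sample and the operators can rename the archive at will; the staging directory and the spreader script name are what a hunt should pivot on first, and any Python interpreter launched from a directory under C:\Public deserves a look on a normal end-user machine.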
**Polite Messages and Tracking Progress**
It is worth noting that the operators have added a surprisingly human touch to the messages. The spreader checks the local system time to pick the right Portuguese greeting: depending on the hour it opens with "Bom dia" (Good morning), "Boa tarde" (Good afternoon), or "Boa noite" (Good evening).
The message body usually reads: "Here is the requested file. If you have any questions, I'm available!" This makes it look like the follow-up to a real conversation. The researchers note that the spreader also tracks its own success rate, printing a progress report every 50 messages that records how many contacts it has reached.
The WhatsApp Message (Source: Acronis)
**Consistent Evolution**
Astaroth is a Delphi-based banking trojan that has been a headache for security teams for years, and this is not the first time Hackread.com has reported on its tricks. In February 2025, a version of Astaroth was found that could bypass two-factor authentication to steal Gmail and Microsoft logins.
Later, in October 2025, it was found abusing GitHub to hide its backup files inside images. The pattern is consistent: the operators keep looking for new hiding spots, and WhatsApp is simply the latest.
While the current version is focused on Brazil, its discovery shows these attackers finding ever smarter ways to hide in plain sight. Regardless of your location, treat unexpected archives received over chat apps with the same suspicion as email attachments, and visit Hackread.com for more on this and similar threats.