Boto-Cor-de-Rosa campaign reveals Astaroth WhatsApp-based worm activity in Brazil
The Boto Cor-de-Rosa campaign reveals Astaroth's new strategy of abusing WhatsApp Web for propagation. This Brazilian banking malware now uses a Python-based worm module to retrieve the victim's WhatsApp contact list and automatically send malicious messages, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic script that downloads additional components. The malware then runs two parallel modules: a propagation module that spreads through the victim's WhatsApp contacts, and a banking module that steals credentials. The campaign shows Astaroth's evolution, combining its established banking-trojan techniques with social engineering and propagation over a messaging platform, and primarily targets Brazilian users.
AI Analysis
Technical Summary
The Boto Cor-de-Rosa campaign reveals a new propagation strategy for the Astaroth banking malware family: a Python-based worm module that abuses WhatsApp Web. The infection chain begins when a victim receives a malicious ZIP file over WhatsApp containing a Visual Basic script. When the victim runs the script (under the Windows script host), it downloads additional components that operate as two parallel modules: a propagation module that reads the victim's WhatsApp contact list and sends the malicious ZIP to those contacts, and a banking module that steals credentials from the infected system. Because the worm sends through the victim's own WhatsApp Web session, each lure arrives from a contact the recipient already knows, which is what makes the social engineering effective and lets the campaign expand quickly. The campaign primarily targets Brazilian users, consistent with Astaroth's long-standing focus on Brazilian banks and their customers. The malware uses code obfuscation, script-based execution and multi-stage payload delivery to evade detection and maintain persistence. It exploits no software vulnerability: it depends entirely on the recipient opening the archive and executing the script, which limits automatic spread, and there is accordingly no CVE or vendor patch associated with it. The campaign illustrates how traditional banking malware now integrates messaging platforms into its distribution.
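The chain described above (script host running a .vbs extracted from a user-delivered archive, then a Python interpreter descending from that script host) is something an endpoint team can look for in process telemetry. The following is an added example, not code from the Acronis report or from this page: it models process-creation records loosely on Sysmon Event ID 1 fields and flags the two-stage lineage. Every event, path and process ID in it is constructed, and the list of "user-writable" folders is an assumption to tune per environment.

```python
"""Behavioural detection for the Boto Cor-de-Rosa infection chain.

Added example: this is not code from the Acronis report or the OffSeq page.
It looks for the chain described above in process-creation telemetry: a
Windows script host (wscript.exe or cscript.exe) runs a .vbs from a
user-writable folder (where a WhatsApp-delivered ZIP gets extracted), and a
Python interpreter later runs as a descendant of that script host (the
propagation module). Records are shaped loosely on Sysmon Event ID 1 fields;
every event, path and process ID below is constructed for the example.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}

# Folders a user-extracted archive typically lands in. An assumption for the
# example; tune to your environment.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Quoted paths may contain spaces; unquoted ones cannot.
VBS_ARG = re.compile(r'"([^"]*\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the started executable
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name from an image path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vbs_from_user_path(ev: ProcEvent) -> bool:
    """Stage 1: a script host launching a .vbs from a user-writable folder."""
    if image_name(ev.image) not in SCRIPT_HOSTS:
        return False
    m = VBS_ARG.search(ev.command_line)
    if not m:
        return False
    return bool(USER_WRITABLE.search(m.group(1) or m.group(2)))


def detect_chain(events):
    """Return (script_host_event, python_event) pairs in which a Python
    interpreter descends from a stage-1 script host. The parent walk keeps a
    visited set so recycled PIDs in the sample cannot loop forever."""
    by_pid = {e.pid: e for e in events}
    stage1 = {e.pid for e in events if is_vbs_from_user_path(e)}
    alerts = []
    for ev in events:
        if image_name(ev.image) not in PYTHON_IMAGES:
            continue
        parent, seen = ev.ppid, set()
        while parent in by_pid and parent not in seen:
            seen.add(parent)
            if parent in stage1:
                alerts.append((by_pid[parent], ev))
                break
            parent = by_pid[parent].ppid
    return alerts


# Constructed telemetry: one infection chain plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Victim opens the archive from WhatsApp and double-clicks the script.
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Comprovante\comprovante.vbs"'),
    # The script's downloaded Python runtime starts from a temp folder.
    ProcEvent(3000, 2000, r"C:\Users\ana\AppData\Local\Temp\rt\pythonw.exe",
              r'"C:\Users\ana\AppData\Local\Temp\rt\pythonw.exe" main.py'),
    # Benign: a logon script from a system path that also spawns Python.
    ProcEvent(4000, 1000, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Corp\logon.vbs"'),
    ProcEvent(5000, 4000, r"C:\Program Files\Python312\python.exe",
              r'"C:\Program Files\Python312\python.exe" inventory.py'),
    # Benign: a developer running Python directly from Explorer.
    ProcEvent(6000, 1000, r"C:\Program Files\Python312\python.exe", "python.exe app.py"),
]


if __name__ == "__main__":
    for host, py in detect_chain(SAMPLE_EVENTS):
        print(f"ALERT: pid {py.pid} ({py.image}) descends from pid {host.pid}: {host.command_line}")
```

Only the chain from pid 2000 to pid 3000 is reported; the logon script from Program Files and the developer's interpreter are left alone. Real deployments should key the walk on a process GUID rather than a PID, since PIDs are recycled, and should add the download stage (whatever network-capable child the script spawns) as a third link once it is known for a given sample.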
Potential Impact
For European organizations, the Boto Cor-de-Rosa campaign poses a moderate risk, chiefly through social engineering of employees who use WhatsApp Web on corporate devices, especially those with contacts in Brazil or who receive messages from Brazilian numbers. A successful infection leads to credential theft, which can compromise corporate banking accounts or personal financial information. Because the worm sends itself to every contact of an infected user, a single infected employee can seed the lure to colleagues, partners and customers, and the outcome can be data breaches, financial fraud and reputational damage. The Visual Basic stage runs under the signed Windows script host and the worm runs under a Python interpreter, so defences that rely on file signatures rather than on script content and process lineage may miss both. The campaign's reliance on user interaction means phishing awareness is critical. European companies with subsidiaries or business relations in Brazil, or with staff who communicate frequently with Brazilian contacts, are at heightened risk. The campaign also highlights the need to monitor and control web-based messaging platforms in corporate environments, since one infected host can push the lure to its entire contact list.
Mitigation Recommendations
1. Conduct targeted awareness training on unsolicited attachments received via WhatsApp or other messaging platforms, emphasizing that the lure in this campaign is a ZIP containing a script (.vbs) that arrives from a known contact whose own account is doing the sending.
2. Restrict or monitor the use of WhatsApp Web on corporate devices, and disable it where it is not essential.
3. Deploy endpoint detection and response (EDR) capable of detecting script execution: alert on wscript.exe or cscript.exe launching a .vbs from Downloads, Temp or another user-writable folder, and on a Python interpreter running from a user-writable path as a descendant of a script host.
4. Block and alert on the domains and file hashes in the Indicators of Compromise list at the DNS resolver, web proxy and endpoint. WhatsApp Web traffic itself is encrypted, so the malware's own infrastructure, not the messaging traffic, is the practical network signal.
5. Enforce attachment policies that block or quarantine ZIP files containing scripts. On Windows, consider changing the default handler for .vbs and .js files to Notepad, or blocking wscript.exe and cscript.exe for standard users with AppLocker or WDAC.
6. Use multi-factor authentication (MFA) on all banking and critical accounts to reduce the impact of credential theft.
7. Keep systems updated and patched, even though no patch addresses this malware, to reduce the attack surface for follow-on activity.
8. Encourage employees to verify unexpected messages from contacts out of band, especially messages asking them to open an attachment or link.
9. Segment networks to limit lateral movement if an infection occurs.
10. Work with threat intelligence providers to track evolving Astaroth tactics and new indicators of compromise.
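Items 3, 4 and 10 above come down to sweeping your own telemetry for the page's indicators. The following is an added example, not code from the Acronis report or from this page: it classifies the listed hashes by digest length, matches resolver queries against the campaign domains (covering subdomains, trailing dots and mixed case while rejecting look-alike names), and matches an EDR-style file-hash inventory however the export formats the digest. The domains and hashes are taken from the Indicators of Compromise list on this page (a subset of the hashes, to keep the block short); the log lines, hosts and file paths are constructed, and pairing a hash with a path here is not a claim about which sample that hash belongs to.

```python
"""IOC sweep for the Boto Cor-de-Rosa indicators.

Added example: this is not code from the Acronis report or the OffSeq page.
The domains and hashes come from the Indicators of Compromise list on this
page (hash subset). Log lines, hosts and paths are constructed; the pairing
of a hash with a path is illustrative only.
"""
import re

IOC_DOMAINS = {
    "centrogauchodabahia123.com", "coffe-estilo.com",
    "empautlipa.com", "miportuarios.com",
}
IOC_HASHES_RAW = [
    "1495a3b85b7019f70fad4aa8802a01d3", "1dd519a59eb8ab76c8a9f5363df3cf26",
    "28182389481679525f108b69c92e43724bb25fda",
    "29ebad781c64cfada12ef4c231761755f393a5b6",
    "01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd",
    "025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202",
]
DIGEST_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"[0-9a-f]+")


def normalize_hash(value: str):
    """Return (digest_type, lower_hex) or None for anything that is not a
    bare MD5/SHA-1/SHA-256. Accepts 'sha256:...' and 'MD5=...' prefixes
    that EDR exports and sandbox reports commonly emit."""
    v = value.strip().lower()
    if ":" in v or "=" in v:
        v = re.split(r"[:=]", v, maxsplit=1)[1].strip()
    if not HEX.fullmatch(v) or len(v) not in DIGEST_TYPES:
        return None
    return DIGEST_TYPES[len(v)], v


IOC_HASHES = {n for n in map(normalize_hash, IOC_HASHES_RAW) if n}


def domain_matches(name: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True for the domain itself or any subdomain. 'notcoffe-estilo.com' and
    'coffe-estilo.com.example' are different registrations and do not match."""
    n = name.strip().rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in ioc_domains)


# Constructed resolver log format: "<timestamp> src=<ip> q=<name>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+q=(?P<q>\S+)")


def sweep_dns(lines):
    """Return (source_ip, queried_name) for every query hitting an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and domain_matches(m["q"]):
            hits.append((m["src"], m["q"].rstrip(".").lower()))
    return hits


def sweep_inventory(records):
    """records: (host, path, hash_string) triples from an EDR file inventory.
    Returns (host, path, digest_type) for every hash in the IOC set."""
    hits = []
    for host, path, digest in records:
        norm = normalize_hash(digest)
        if norm in IOC_HASHES:
            hits.append((host, path, norm[0]))
    return hits


SAMPLE_DNS = [  # constructed
    "2026-01-09T10:00:01Z src=10.0.0.5 q=www.coffe-estilo.com.",
    "2026-01-09T10:00:02Z src=10.0.0.5 q=MIPORTUARIOS.COM",
    "2026-01-09T10:00:03Z src=10.0.0.7 q=coffe-estilo.com.cdn.example",
    "2026-01-09T10:00:04Z src=10.0.0.8 q=notcoffe-estilo.com",
    "2026-01-09T10:00:05Z src=10.0.0.9 q=web.whatsapp.com",
]
SAMPLE_INVENTORY = [  # constructed; hash values are from the page's IOC list
    ("WS-ANA", r"C:\Users\ana\Downloads\Comprovante\file1.vbs",
     "SHA256:01D1CA91D1FEC05528C4E3902CC9468BA44FC3F9B0A4538080455D7B5407ADCD"),
    ("WS-ANA", r"C:\Users\ana\AppData\Local\Temp\rt\file2.bin",
     "md5=1495a3b85b7019f70fad4aa8802a01d3"),
    ("WS-BOB", r"C:\Program Files\Python312\python.exe",
     "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ("WS-BOB", r"C:\Windows\System32\calc.exe", "not-a-hash"),
]

if __name__ == "__main__":
    print(sweep_dns(SAMPLE_DNS))
    print(sweep_inventory(SAMPLE_INVENTORY))
```

The two look-alike queries (a subdomain of an unrelated .example name that merely starts with an IOC domain, and a name that ends with one without a dot boundary) are deliberately excluded; matching on `endswith(domain)` alone would flag both and bury real hits in noise.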
Affected Countries
Brazil (primary target), Portugal, Spain, Italy, Germany, France, United Kingdom
Indicators of Compromise
- md5: 1495a3b85b7019f70fad4aa8802a01d3
- md5: 1dd519a59eb8ab76c8a9f5363df3cf26
- md5: 2a84a809ab767f554377f2fc4e6cd9c9
- md5: 45027d8ea53921b59c70c38d90dd8c14
- md5: 71c0973acf67404f7afb97ffe35b78ab
- md5: 71d7897f604430b0376f1e41e1aef569
- md5: db0eab25b047f82a4644b3b86767a1aa
- sha1: 28182389481679525f108b69c92e43724bb25fda
- sha1: 29ebad781c64cfada12ef4c231761755f393a5b6
- sha1: 2c104871ad0aa37076f124804a9d4420e8dbfc4b
- sha1: aad6029d3c76f5745a9a485171fd10c6a4fbedec
- sha1: adb9ab88e287418fdbc0af2dd80fc78e56045771
- sha1: bd1bd56a9021aecaf89046b6ea6946bd7823987c
- sha1: fc03a6ffac6bcc6817489f006b6d5684b5ef3ab0
- sha256: 01d1ca91d1fec05528c4e3902cc9468ba44fc3f9b0a4538080455d7b5407adcd
- sha256: 025dccd4701275d99ab78d7c7fbd31042abbed9d44109b31e3fd29b32642e202
- sha256: 073d3c77c86b627a742601b28e2a88d1a3ae54e255f0f69d7a1fb05cc1a8b1e4
- sha256: 098630efe3374ca9ec4dc5dd358554e69cb4734a0aa456d7e850f873408a3553
- sha256: 19ff02105bbe1f7cede7c92ade9cb264339a454ca5de14b53942fa8fbe429464
- sha256: 1e101fbc3f679d9d6bef887e1fc75f5810cf414f17e8ad553dc653eb052e1761
- sha256: 1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645
- sha256: 3b9397493d76998d7c34cb6ae23e3243c75011514b1391d1c303529326cde6d5
- sha256: 3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433
- sha256: 4a6db7ffbc67c307bc36c4ade4fd244802cc9d6a9d335d98657f9663ebab900f
- sha256: 4b20b8a87a0cceac3173f2adbf186c2670f43ce68a57372a10ae8876bb230832
- sha256: 4bc87764729cbc82701e0ed0276cdb43f0864bfaf86a2a2f0dc799ec0d55ef37
- sha256: 5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6
- sha256: 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1
- sha256: 7c54d4ef6e4fe1c5446414eb209843c082eab8188cf7bdc14d9955bdd2b5496d
- sha256: 9081b50af5430c1bf5e84049709840c40fc5fdd4bb3e21eca433739c26018b2e
- sha256: a48ce2407164c5c0312623c1cde73f9f5518b620b79f24e7285d8744936afb84
- sha256: bb0f0be3a690b61297984fc01befb8417f72e74b7026c69ef262d82956df471e
- sha256: c185a36317300a67dc998629da41b1db2946ff35dba314db1a580c8a25c83ea4
- sha256: f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff
- domain: centrogauchodabahia123.com
- domain: coffe-estilo.com
- domain: empautlipa.com
- domain: miportuarios.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.acronis.com/en/tru/posts/boto-cor-de-rosa-campaign-reveals-astaroth-whatsapp-based-worm-activity-in-brazil
- Adversary: Astaroth
- Pulse Id: 695ff377a3c557464db40bea
- Threat Score: null
Threat ID: 6960c9cbecefc3cd7c16abcc
Added to database: 1/9/2026, 9:26:35 AM
Last enriched: 1/9/2026, 9:42:22 AM
Last updated: 1/10/2026, 12:35:57 AM