
WhatsApp Worm Spreads Astaroth Banking Trojan Across Brazil via Contact Auto-Messaging

Severity: Medium
Tags: malware, windows
Published: Thu Jan 08 2026 (01/08/2026, 17:10:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil. The campaign has been codenamed Boto Cor-de-Rosa by Acronis Threat Research Unit. "The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further

AI-Powered Analysis

Last updated: 01/08/2026, 19:29:33 UTC

Technical Analysis

The Boto Cor-de-Rosa campaign is a sophisticated malware operation targeting Windows users primarily in Brazil by leveraging WhatsApp as a propagation vector. The malware, known as Astaroth or Guildma, has been active since 2015 and is a banking trojan designed to steal financial credentials. This campaign innovates by using WhatsApp’s contact list to automatically send malicious ZIP archives containing a Visual Basic Script disguised as a benign file. When executed, this script downloads additional components: a Python-based worm module that harvests contacts and forwards the malicious payload to them, and a banking module that monitors web browsing for banking-related URLs to capture credentials. The malware’s modular design uses multiple programming languages—Delphi for the core payload, Visual Basic Script for installation, and Python for propagation—reflecting increased attacker sophistication. The campaign has been active since at least September 2025, with over 95% of infections in Brazil, exploiting the country’s heavy WhatsApp usage. The malware also includes a mechanism to track propagation success and failure rates in real time, allowing attackers to measure and optimize infection spread. Previous related campaigns have used phishing emails, but this campaign’s use of WhatsApp auto-messaging represents a novel and effective delivery method. The malware’s stealthy background operation and worm-like propagation make it a significant threat to targeted users.

Potential Impact

For European organizations, the direct impact is currently limited due to the campaign’s geographic focus on Brazil. However, the presence of infections in Austria and the U.S. indicates potential for spread beyond Latin America. European financial institutions and users with connections to Brazilian contacts or operations could be at risk if the malware propagates further. The trojan’s capability to steal banking credentials threatens confidentiality and financial integrity, potentially leading to financial losses and fraud. The worm-like propagation via WhatsApp contacts increases the risk of rapid spread within networks where WhatsApp is widely used for business or personal communication. Additionally, the malware’s multi-stage infection process and real-time propagation tracking complicate detection and response efforts. If adapted to target European languages or contacts, the campaign could pose a broader threat to European users and organizations, especially those with Windows endpoints and WhatsApp usage.

Mitigation Recommendations

European organizations should implement targeted measures beyond generic advice:

1) Educate users about the risks of opening unsolicited ZIP files or scripts received via WhatsApp, emphasizing caution even with messages from known contacts.
2) Deploy endpoint detection and response (EDR) solutions capable of detecting multi-language malware components, including suspicious Visual Basic Script and Python execution on Windows hosts.
3) Monitor network traffic for unusual WhatsApp messaging patterns or automated message sending behavior indicative of worm-like propagation.
4) Enforce application whitelisting to prevent execution of unauthorized scripts and installers, particularly Visual Basic Scripts and unknown MSI installers.
5) Implement multi-factor authentication (MFA) and transaction monitoring on financial accounts to mitigate credential theft impact.
6) Collaborate with WhatsApp and messaging platform providers to identify and block malicious message campaigns.
7) Maintain up-to-date threat intelligence feeds focusing on emerging malware campaigns using messaging apps for distribution.
8) Conduct regular phishing and social engineering awareness training tailored to messaging app threats.
9) Segment networks to limit lateral movement and isolate infected devices quickly.
10) Use behavioral analytics to detect anomalous process execution and network activity related to banking trojans.
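The infection chain in the Technical Analysis (a Visual Basic Script extracted from a ZIP, which then pulls down a Python worm module and a banking module) and recommendations 2, 4 and 10 above all point at the same endpoint telemetry: a Windows script host launched from a user-writable folder that then spawns an interpreter or installer. The following detection sketch is an added example written for this page; it is not code from The Hacker News article, from Acronis, or from the malware. It runs over a handful of constructed process-creation events in a simplified Sysmon Event ID 1 / Security 4688 shape; the field names, the user paths and the set of "suspicious child" images are assumptions chosen for the example, and a real deployment would tune them against the organisation's own baseline (logon scripts, developer workstations).

```python
"""Parent/child process-chain detection for the Astaroth-style VBS -> Python chain.

Added example for this page (not from the article or the Acronis report).
Events are constructed, simplified process-creation records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Windows script hosts that execute the .vbs dropper described in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children worth flagging when spawned by a script host (assumed set): the
# campaign's VBS downloads a Python worm module and a banking-module installer.
SUSPICIOUS_CHILDREN = {"python.exe", "pythonw.exe", "msiexec.exe", "powershell.exe"}
# User-writable folders where an archive received over a messaging app is
# usually extracted (assumed paths for the example).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# First script-file token on the command line (quoted or bare).
SCRIPT_EXT = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|wsf))"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Constructed, simplified process-creation record."""
    ts: str        # ISO-8601 timestamp, used only for ordering
    pid: int
    ppid: int
    image: str     # full path of the new process image
    cmdline: str


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> Optional[str]:
    """Return the script file passed to a script host, if any."""
    m = SCRIPT_EXT.search(cmdline)
    return m.group(1) if m else None


def detect_script_host_chain(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag interpreter/installer processes whose parent is a script host that
    was started on a script living in a user-writable folder.

    Events are processed in time order; a PID is trusted as a parent only
    after its own creation event was seen (a real pipeline would also key on
    process GUIDs to survive PID reuse).
    """
    suspicious_hosts: Dict[int, Tuple[ProcEvent, str]] = {}
    findings: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = image_name(ev.image)
        if name in SCRIPT_HOSTS:
            script = script_path(ev.cmdline)
            if script and USER_WRITABLE.search(script):
                suspicious_hosts[ev.pid] = (ev, script)
            continue
        if name in SUSPICIOUS_CHILDREN and ev.ppid in suspicious_hosts:
            parent, script = suspicious_hosts[ev.ppid]
            findings.append({
                "ts": ev.ts,
                "parent_pid": parent.pid,
                "script": script,
                "child_pid": ev.pid,
                "child_image": ev.image,
                "child_cmdline": ev.cmdline,
            })
    return findings


# Constructed sample telemetry: one malicious chain plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("2026-01-08T14:00:00Z", 4120, 980, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Script host started on a .vbs extracted into Downloads (the dropper stage).
    ProcEvent("2026-01-08T14:01:10Z", 5204, 4120, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\fatura_2026\fatura.vbs"'),
    # That script host spawns a Python interpreter (the worm-module stage).
    ProcEvent("2026-01-08T14:01:15Z", 5310, 5204,
              r"C:\Users\ana\AppData\Local\Programs\Python\Python312\python.exe",
              r"python.exe C:\Users\ana\AppData\Local\Temp\wa_send.py"),
    # Benign: domain logon script from a read-only share, even though it spawns PowerShell.
    ProcEvent("2026-01-08T14:02:00Z", 6001, 980, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //B \\corp.example\netlogon\map_drives.vbs"),
    ProcEvent("2026-01-08T14:02:01Z", 6002, 6001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File \\corp.example\netlogon\map_drives.ps1"),
    # Benign: developer runs Python from Explorer, no script-host parent.
    ProcEvent("2026-01-08T14:03:00Z", 7000, 4120, r"C:\Python312\python.exe", "python.exe main.py"),
]


if __name__ == "__main__":
    for f in detect_script_host_chain(SAMPLE_EVENTS):
        print(f"{f['ts']} script-host chain: pid {f['parent_pid']} ran {f['script']} "
              f"and spawned pid {f['child_pid']} ({f['child_cmdline']})")
```

Only the Downloads-hosted script that goes on to spawn python.exe is reported; the logon script from the NETLOGON share and the developer's interpreter are not, which is the distinction an EDR rule needs to keep the alert volume usable. The same parent/child logic can be expressed as a Sysmon rule or an EDR query; the Python form is here so the matching conditions can be read and tested offline.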

Affected Countries


Technical Details

Article Source: https://thehackernews.com/2026/01/whatsapp-worm-spreads-astaroth-banking.html (fetched 2026-01-08T19:29:07.199Z, word count 1069)

Threat ID: 6960058501d35e5d0ca0a539

Added to database: 1/8/2026, 7:29:09 PM

Last enriched: 1/8/2026, 7:29:33 PM

Last updated: 1/9/2026, 1:59:06 PM

