
Acronis finds WhatsApp-driven Astaroth banking malware


A new campaign involving the Astaroth banking malware highlights a shift in how financial cybercrime is being distributed. Tracked by security researchers as “Boto Cor-de-Rosa,” the campaign uses WhatsApp Web as a propagation channel, enabling the malware to automatically send infected files to a victim’s personal contacts. By exploiting trusted relationships and everyday messaging behaviour, attackers are able to spread the malware quickly while targeting banking credentials, primarily affecting users in Brazil.

The attack begins when the victim receives a ZIP file through WhatsApp that looks like a routine document shared by a known contact. Launching the file inside the archive runs a hidden script that installs the malware with no obvious sign of compromise. Once deployed, the malware runs quietly in the background and establishes persistence on the system.
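A first-line check a practitioner can run on such attachments, as an added example for this article (not code from Acronis, ETCISO or the campaign): triage a ZIP for members that are scripts or executables rather than the document their name suggests. The extension lists, the magic-byte checks and the sample archive are assumptions constructed here, not indicators taken from the report. The double-extension case matters because Windows Explorer always hides the .lnk extension and, by default, other known extensions, so a member named "Comprovante.pdf.lnk" is displayed as "Comprovante.pdf".

```python
"""Triage a ZIP attachment for script or executable members hiding as documents.

Added example for this article; not code from Acronis, ETCISO or the
campaign. The extension lists, the magic-byte checks and the sample archive
are assumptions constructed here, not indicators taken from the report.
"""
import io
import zipfile

# Assumed: extensions a "routine document" sent over a messenger should never carry.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1",
    ".lnk", ".exe", ".scr", ".dll", ".msi",
}
# Assumed: extensions a benign attachment commonly has and that attackers borrow.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# File signatures: Windows PE ("MZ") and Windows shortcut (.lnk header plus CLSID start).
MZ_MAGIC = b"MZ"
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"


def _extensions(name):
    """Return every extension of a member name, lower-cased, e.g. ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def _content_kind(head):
    """Classify a member by its leading bytes, independent of its name."""
    if head.startswith(MZ_MAGIC):
        return "PE executable"
    if head.startswith(LNK_MAGIC):
        return "Windows shortcut"
    return None


def triage_zip(data):
    """Return [(member_name, reason), ...] for every member that should not
    be inside a document attachment. Only the first 8 bytes of each member
    are read, so a large or nested archive cannot make this expensive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            with archive.open(info) as member:
                kind = _content_kind(member.read(8))
            if last in SCRIPT_EXTENSIONS:
                reason = f"script/executable extension {last}"
                # "Comprovante.pdf.lnk" is shown as "Comprovante.pdf" by Explorer,
                # which hides .lnk and (by default) other known extensions.
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reason += f" behind document extension {exts[-2]}"
                findings.append((info.filename, reason))
            elif kind is not None:
                # The name claims a document or image; the bytes say otherwise.
                findings.append((info.filename, f"{kind} content with {last or 'no'} extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive for the demo; not a real campaign artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Comprovante.pdf", b"%PDF-1.4\n% constructed sample\n")
        archive.writestr("Comprovante.pdf.lnk", LNK_MAGIC + b"\x00" * 24)
        archive.writestr("Foto.jpg", MZ_MAGIC + b"\x00" * 30)
        archive.writestr("nota.js", b"// constructed placeholder, not a payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```

Run on the constructed archive, the genuine PDF passes and the other three members are flagged: the shortcut hidden behind a .pdf name, the PE bytes under a .jpg name, and the plain .js member. The same function can sit in a mail or messaging gateway, a download-folder watcher, or an EDR response script; the magic-byte branch is what catches a renamed payload that an extension-only filter would pass.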

Following installation, the malware runs two parallel operations. The first handles propagation: it reads the victim's WhatsApp contacts through the WhatsApp Web session and automatically sends the malicious file to them, using casual, familiar language so the messages look legitimate. The second is the banking trojan proper: it monitors user activity and activates when financial or banking websites are opened, enabling credential theft and fraudulent transactions.

The campaign relies heavily on social engineering techniques. Messages are tailored using time-appropriate greetings such as “Good morning,” “Good afternoon,” or “Good evening,” based on the recipient’s local time. This contextualisation makes the messages appear routine and trustworthy, increasing the likelihood that recipients will open the attachment and continue the infection chain.

The malware also includes tracking mechanisms to measure the effectiveness of its spread. It collects victims’ contact lists and records delivery metrics, allowing attackers to monitor reach and adjust propagation strategies in real time. These features point to a high level of organisation and operational maturity behind the campaign.

Although the activity has so far been concentrated in Brazil and uses Portuguese-language messaging, the underlying technique is not region-specific. Similar approaches could be adapted to other languages, regions, and messaging platforms. As instant messaging continues to be widely used for personal and work communication, such platforms are increasingly being leveraged as high-trust channels for malware distribution.

The campaign illustrates a broader trend in cybercrime, where attackers move beyond email-based delivery and take advantage of familiar communication tools to bypass user suspicion and traditional security assumptions.

  • Published On Jan 15, 2026 at 09:05 AM IST
