Brazilian banking trojan hijacks WhatsApp for spread
Acronis Threat Research Unit has identified a Brazilian banking malware campaign that uses WhatsApp as a self-propagating channel alongside credential theft.
The activity, which researchers refer to internally as Boto Cor-de-Rosa, centres on Astaroth, a long-running banking trojan associated with targeting in Brazil. The researchers said the malware now hijacks WhatsApp Web after a victim opens a malicious attachment received in a WhatsApp conversation.
The campaign combines two functions. One module spreads the infection through WhatsApp contacts. Another module runs banking-focused theft and fraud functions in parallel when victims visit Brazilian banking websites, according to the researchers.
WhatsApp delivery
The infection sequence starts with a WhatsApp message that contains a malicious ZIP archive. The archive name changes between incidents, according to Acronis, but it follows a pattern of digits and hexadecimal characters separated by underscores and dashes.
After the victim extracts and opens the archive, a Visual Basic script runs. The script downloads further components that install the malware on the machine, the researchers said.
Acronis said the malware then splits into two parallel tracks. The propagation module harvests the victim's WhatsApp contacts. It then sends each contact a new malicious ZIP file from the victim's account. The banking module monitors the victim's browsing activity and activates when the user accesses banking-related URLs.
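As an added defensive example, not code from Acronis or from the report, the following Python triage check applies the two observable traits described above to a WhatsApp-received attachment: a ZIP name built from digit and hex tokens joined by underscores and dashes, and a Visual Basic script inside the archive. The regex and the script-extension list are assumptions, since the report gives no exact pattern.

```python
import io
import re
import zipfile

# Assumed regex for the naming pattern the report describes (digit and hex
# tokens separated by "_" or "-"); the report gives no exact pattern.
ARCHIVE_NAME_RE = re.compile(r"^[0-9a-f]+(?:[_-][0-9a-f]+)+\.zip$", re.IGNORECASE)
# Assumed extension set; the report names only a Visual Basic script.
SCRIPT_SUFFIXES = (".vbs", ".vbe")


def suspicious_archive_name(name: str) -> bool:
    """True when the file name matches the assumed digit/hex token pattern."""
    return ARCHIVE_NAME_RE.match(name) is not None


def script_members(archive_bytes: bytes):
    """Return script file names inside the ZIP, or None if it is not readable."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_SUFFIXES)]
    except zipfile.BadZipFile:
        return None


def assess(name: str, archive_bytes: bytes) -> dict:
    """Combine the two heuristics into a verdict for a WhatsApp-received ZIP."""
    name_hit = suspicious_archive_name(name)
    scripts = script_members(archive_bytes)
    if scripts is None:
        verdict = "review"   # unreadable archive: members cannot be inspected
    elif name_hit and scripts:
        verdict = "block"    # both indicators present
    elif name_hit or scripts:
        verdict = "review"   # one indicator: hand to an analyst
    else:
        verdict = "allow"
    return {"name": name, "name_match": name_hit, "scripts": scripts, "verdict": verdict}


def build_sample(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a name in the described style carrying a .vbs member.
    sample = build_sample({"documento.vbs": b"' constructed placeholder, not malware"})
    print(assess("1234_a1b2c3-9f8e.zip", sample))
    print(assess("fotos.zip", build_sample({"praia.jpg": b"\xff\xd8"})))
```

A mail or chat gateway would run `assess` on each inbound attachment and quarantine the "block" verdicts while routing "review" cases to an analyst.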
Worm behaviour
Acronis described the change as the first documented use of WhatsApp Web by Astaroth for self-propagation. The researchers said the malware steals WhatsApp contact lists and uses them as a distribution list for new malicious messages.
The researchers also said the malware tracks delivery success as it sends messages. They said it records the number of messages delivered, the number of failed attempts, and a sending rate measured in messages per minute. The code prints progress updates after processing a set number of messages, according to the analysis.
The campaign also includes exfiltration of the victim's contact list to a remote server, Acronis said. That behaviour gives operators access to contact data beyond the immediate spread of the malware through WhatsApp conversations.
Banking focus
Astaroth has a history of targeting Brazilian users, Acronis said. In this campaign, the banking component runs quietly in the background while the WhatsApp module spreads the malicious ZIP files through chats.
The banking module monitors browsing activity and triggers credential theft and fraud functions when it detects banking-related URLs, according to Acronis. The researchers said the approach allows the operators to expand their reach through messaging while retaining a direct path to financial theft once a victim uses online banking services.
Acronis said the campaign uses region-specific lures and cultural familiarity in its messaging. The malware's message template uses Portuguese phrasing. It includes a short line that translates to: "Here is the requested file. If you have any questions, I'm available!"
The researchers said the malware also adds a time-of-day greeting in Portuguese. The code selects "Bom dia", "Boa tarde" or "Boa noite" based on the local time.
Multi-language tooling
Acronis said the core Astaroth payload remains written in Delphi. The installer relies on a Visual Basic script. The new worm module is written in Python, according to the researchers.
The researchers said the installer downloads both the banking payload and the WhatsApp spreader. They also said the malware deploys an MSI package that installs files into a directory on the machine, including a legitimate AutoIt interpreter bundled with an encoded loader. The loader decrypts and loads the main Astaroth payload from disk, according to Acronis.
Messaging platforms
Acronis said the campaign points to a shift in how cybercriminals use consumer messaging services. Its Threat Research Unit described this as a troubling trend: attackers are increasingly abusing trusted messaging platforms to bypass user scepticism and traditional security controls.
Acronis said the campaign continues to target Brazilian banking customers and uses WhatsApp conversations as a rapid distribution mechanism. The researchers said the combination of automated propagation and banking credential theft reflects a continuing evolution in banking malware operations.