The WhatsApp Worm: “Boto Cor-de-Rosa” Campaign Weaponizes Social Trust
A sophisticated malware campaign has surfaced in Brazil, leveraging the ubiquity of WhatsApp to propagate the Astaroth banking trojan. This delivery vector has proven exceptionally potent given the application’s cultural and commercial dominance in the region. Acronis researchers have designated this offensive as “Boto Cor-de-Rosa.”
The infection chain begins with a message carrying a malicious ZIP archive. Once extracted, it yields a Visual Basic script (VBScript) disguised as a harmless file. When the user runs it, the script downloads the remaining components: a self-propagation module and the main malicious payload.
The malware has a two-stage architecture. The first module, written in Python, reads the victim’s WhatsApp contact list and sends the same malicious archive to every contact, producing a chain-reaction spread. In parallel, a second module stays resident in the background, monitoring browser activity and activating only when the user visits banking sites, where it captures credentials and enables fraudulent transactions.
The malware also includes telemetry to measure how well it is spreading: it collects real-time metrics such as the number of messages sent successfully, the number of failed attempts, and the overall rate of propagation.
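The first stage described above relies on a script file inside a ZIP archive wearing a document-like name. As an added defensive example (this is not code from the Acronis report or from the malware), the script below inspects a ZIP attachment without extracting it and flags members whose final extension is an executable script type, especially when a decoy document extension precedes it. The extension lists and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs as scripts on double-click (assumption: illustrative list, not exhaustive)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".lnk"}
# Extensions commonly used as the harmless-looking front half of a double extension
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_member(name):
    """Return the reasons a ZIP member name looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    base = name.rsplit("/", 1)[-1]  # drop any directory path stored inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in SCRIPT_EXTS:
        reasons.append(f"executable script type {final_ext}")
        # A document-looking extension right before the real one is the masquerading pattern
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension: looks like .{parts[-2]} but runs as {final_ext}")
    return reasons


def triage_zip(data):
    """Inspect ZIP bytes in memory and return {member_name: [reasons]} for flagged members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive: one decoy-named script member plus one benign text file.
    The member contents are inert placeholder text, not real script code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pdf.vbs", "' constructed placeholder, not a real script\n")
        zf.writestr("readme.txt", "constructed readme text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

The check deliberately reads only the central directory via `infolist()`, so it never writes the archive's contents to disk; in a mail or messaging gateway it can run before a user is ever offered the attachment.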
Acronis reports that this activity has been observed since late September 2025. Brazil remains the epicenter of the campaign, accounting for over 95% of identified infections, with isolated cases in the United States and Austria. These intrusions are an evolution of earlier Astaroth distribution cycles, which used multi-stage infection chains built from PowerShell and Python scripts alongside MSI installer files.
Similar methods have historically been used by the threat groups tracked as Water Saci and PINEAPPLE, which distributed the Maverick and Casbaneiro malware over comparable messaging platforms. The gradual integration of multilingual components and the deliberate adaptation to widely used communication channels underscore the growing technical sophistication of these adversaries and their focus on exploiting everyday digital habits for mass-scale compromise.