A Worm on the Android Floor: How Astaroth Crawls Through WhatsApp in Brazil
- Javier Conejo del Cerro
- 12 minutes ago
- 3 min. read

For years, banking trojans relied on email to enter their victims’ systems. Today, the infection no longer knocks on the inbox door. Instead, it crawls silently across the Android floor, moving from contact to contact through one of the most trusted communication platforms in Brazil: WhatsApp. The campaign known as Boto Cor-de-Rosa marks a significant evolution in the distribution of Astaroth (Guildma), transforming a well-known banking trojan into a self-propagating worm that abuses social trust, messaging habits, and cross-platform infection paths to scale rapidly.
Phase 1 — The Worm Finds Its First Host
The campaign begins when a WhatsApp user in Brazil receives a message from a trusted contact containing a ZIP file. The message appears routine and personal, benefiting from WhatsApp’s high adoption rate and implicit trust between contacts. More than 95% of observed infections are located in Brazil, confirming that the attackers are deliberately targeting local users who regularly exchange files via the platform.
When the victim downloads and extracts the ZIP file on a Windows system, they encounter what appears to be a harmless file. In reality, it is a Visual Basic Script (VBS) acting as the initial downloader. At this point, the worm has successfully entered the host.
Phase 2 — The Dropper Opens the Burrow
Once executed, the VBS downloader retrieves additional components that deploy Astaroth, a banking trojan active since 2015 and widely used in Latin America. While Astaroth’s core remains written in Delphi, the campaign introduces a new modular architecture. The installer triggers either PowerShell or Python scripts, depending on the stage, marking a shift toward multi-language malware development designed for flexibility and evasion.
This phase establishes the foothold on the system, preparing both the banking functionality and the propagation logic that allows the worm to move further.
Phase 3 — The Worm Learns to Crawl
The most significant evolution in this campaign is the Python-based worm module. Once active, it retrieves the victim’s WhatsApp contact list and automatically sends the same malicious ZIP file to every contact. Each newly infected system becomes another segment of the worm, capable of spreading the malware without any additional infrastructure or manual interaction from the attackers.
To optimize its reach, the malware tracks and reports propagation metrics in real time, including the number of messages sent, delivery failures, and the sending rate measured in messages per minute. This telemetry allows the attackers to monitor the effectiveness of the campaign and adjust their strategy dynamically.
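The sending rate the worm reports to its operators is also the metric a defender can compute from the other side. The following is an added example, not code from the original post or from the reporting it summarizes: detection logic run over constructed file-transfer log lines that flags a sender pushing the same attachment hash to many distinct recipients within a sliding window, the fan-out pattern described here and listed later among the propagation indicators to track. The log format, the thresholds and the sample users and hashes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): one line per outbound file transfer seen by a
# device-management or CASB proxy. Users, hashes and timestamps below are all made up.
LINE_RE = re.compile(r"^(?P<ts>\S+) sender=(?P<sender>\S+) recipient=(?P<rcpt>\S+) "
                     r"sha256=(?P<sha>[0-9a-f]{64}) name=(?P<name>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Dict for a well-formed line, None for junk (no crash on unexpected input)."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), ts=datetime.strptime(m.group("ts"), TS_FMT)) if m else None

def detect_fanout(lines, window_seconds=300, min_recipients=10, min_rate_per_min=5.0):
    """Alert on (sender, file hash) pairs reaching many distinct recipients fast: one archive pushed down a contact list."""
    events = defaultdict(list)  # (sender, sha256) -> [(ts, recipient, name), ...]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["sender"], ev["sha"])].append((ev["ts"], ev["rcpt"], ev["name"]))
    alerts = {}  # (sender, sha256) -> strongest alert seen for that pair
    for (sender, sha), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            rcpts = {r for _, r, _ in window}
            span_min = max((window[-1][0] - window[0][0]).total_seconds(), 1.0) / 60.0
            rate = len(window) / span_min  # messages per minute, as the worm itself reports
            prev = alerts.get((sender, sha), {}).get("recipients", 0)
            if len(rcpts) >= min_recipients and rate >= min_rate_per_min and len(rcpts) > prev:
                alerts[(sender, sha)] = {"sender": sender, "sha256": sha, "name": window[-1][2],
                                         "recipients": len(rcpts), "per_minute": round(rate, 1)}
    return list(alerts.values())

def build_sample_log():
    """Constructed sample: 'alice' pushes one ZIP to 12 contacts in under two minutes
    (worm-like fan-out); 'bob' sends one photo to two friends (benign); plus one junk line."""
    t0 = datetime(2025, 1, 15, 10, 0, 0)
    lines = ["%s sender=alice recipient=contact%02d sha256=%s name=documento.zip"
             % ((t0 + timedelta(seconds=10 * i)).strftime(TS_FMT), i, "a" * 64) for i in range(12)]
    lines += ["%s sender=bob recipient=%s sha256=%s name=foto.jpg"
              % ((t0 + timedelta(minutes=m)).strftime(TS_FMT), r, "b" * 64) for m, r in ((0, "carol"), (1, "dave"))]
    return lines + ["garbage line without fields"]
```

Thresholds need tuning per organization: a sales team legitimately sharing one brochure widely should be whitelisted by hash rather than by raising the limits for everyone.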
Phase 4 — Feeding on Financial Data
While the worm spreads horizontally, the banking module operates quietly in the background. Astaroth continuously monitors the victim’s web browsing activity and activates when banking-related URLs are detected. At that point, it harvests credentials and other sensitive data, enabling financial fraud.
This dual-function design allows the malware to both expand its footprint and generate direct financial gain, turning every infected host into both a carrier and a source of stolen data.
Phase 5 — Scaling Through Trust, Not Exploits
Unlike traditional worms that rely on network vulnerabilities or software flaws, Boto Cor-de-Rosa scales by exploiting human trust and platform ubiquity. WhatsApp becomes the delivery infrastructure, contacts become distribution channels, and ZIP files act as the bridge between mobile messaging and Windows-based malware execution. This approach makes the campaign significantly harder to detect and raises its success rate, particularly in environments where messaging apps are not treated as high-risk vectors.
The Boto Cor-de-Rosa campaign demonstrates a critical shift in threat actor thinking. Malware no longer needs to breach networks through technical exploits when it can simply crawl from one trusted contact to the next. By combining WhatsApp-based propagation, modular multi-language malware, and proven banking trojan capabilities, Astaroth has evolved into a highly efficient, trust-driven worm.
Measures to Defend Against the WhatsApp Worm
- Block executable scripts inside compressed files, especially VBS, PowerShell, and Python payloads delivered via ZIP archives.
- Restrict script execution on endpoints, limiting the use of VBS, PowerShell, and Python to approved use cases only.
- Treat WhatsApp as a high-risk malware delivery channel, applying security controls equivalent to email attachments.
- Educate users to distrust ZIP files, even when received from known or trusted contacts.
- Monitor endpoint behavior for banking activity anomalies, including unusual browser interactions and credential harvesting patterns.
- Deploy endpoint protection capable of detecting multi-stage malware, including script-based droppers and modular loaders.
- Harden Windows execution policies, such as disabling unnecessary scripting engines where possible.
- Track propagation indicators, including abnormal file-sharing patterns and rapid message dissemination behavior.
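One way to implement the first of these measures, as an added example that is not code from the original post or from the reporting it summarizes: a small Python check a file gateway could run on an inbound archive, flagging script members (VBS, PowerShell, Python and similar), double extensions that hide a script behind a document name, and scripts inside nested ZIPs. The extension list, the depth limit and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Script extensions named on the page (VBS, PowerShell, Python) plus common companions;
# assumption: a starting list for a gateway rule, not an exhaustive one.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".ps1", ".py", ".pyw", ".bat", ".cmd", ".wsf", ".hta"}
MAX_DEPTH = 3  # stop recursing into archives nested deeper than this

def _suffixes(member_name):
    """All extensions of a member, e.g. 'dir/a.pdf.vbs' -> ['.pdf', '.vbs']."""
    base = member_name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]

def scan_zip_bytes(data, depth=0, prefix=""):
    """Return one finding per script-like member, recursing into nested ZIPs."""
    if depth > MAX_DEPTH:
        return [{"member": prefix, "reason": "nesting deeper than MAX_DEPTH"}]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": prefix or "<root>", "reason": "not a valid ZIP"}]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, sufs = prefix + info.filename, _suffixes(info.filename)
            if sufs and sufs[-1] in SCRIPT_EXTENSIONS:
                # 'documento.pdf.vbs' shows as a PDF when Explorer hides known extensions
                reason = "script payload" if len(sufs) == 1 else "script disguised as " + "".join(sufs)
                findings.append({"member": path, "reason": reason})
            elif sufs and sufs[-1] == ".zip":
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "!/"))
    return findings

def build_sample_zip():
    """Constructed sample shaped like the lure on the page; contents are placeholders, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.py", "# placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documento.pdf.vbs", "' placeholder\n")
        z.writestr("foto.jpg", b"\xff\xd8\xff")
        z.writestr("extras.zip", inner.getvalue())
    return outer.getvalue()
```

A gateway would quarantine any archive for which scan_zip_bytes returns findings; password-protected ZIPs cannot be inspected this way and deserve their own blocking rule.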
Defenders must recognize that messaging platforms like WhatsApp are no longer peripheral to enterprise risk. They are active malware highways. Blocking executable content inside archives, restricting script execution, educating users to distrust file transfers—even from known contacts—and monitoring financial anomalies are no longer optional measures. In modern threat landscapes, stopping the worm means cutting off its ability to crawl, not just cleaning up after it has already fed.
The Hacker News