Cybersecurity researchers have disclosed details of a new campaign that uses WhatsApp as a distribution vector for a Windows banking trojan called Astaroth in attacks targeting Brazil.
"The malware retrieves the victim's WhatsApp contact list and automatically sends malicious messages to each contact to further spread the infection," the cybersecurity company said in a report shared with The Hacker News.
"While the core Astaroth payload remains written in Delphi and its installer relies on Visual Basic script, the newly added WhatsApp based worm module is implemented entirely in Python, highlighting the threat actors' growing use of multi language modular components."
Astaroth, also called Guildma, is a banking malware that has been detected in the wild since 2015, primarily targeting users in Latin America, notably Brazil, to facilitate data theft. In 2024, two different threat clusters tracked as PINEAPPLE and Water Makara were observed leveraging phishing emails to propagate the malware.
The use of WhatsApp as a delivery vehicle for banking trojans is a new tactic that has gained traction among threat actors targeting Brazilian users, a move fueled by the widespread use of the messaging platform in the country. Last month, Trend Micro detailed Water Saci's reliance on WhatsApp to spread Maverick and a variant of Casbaneiro.
According to a report by Sophos in November 2025, the firm noticed a threat actor distributing malware in stages, nicknamed “STAC3150,” where Astaroth-infected WhatsApp users in Brazil are being targeted on WhatsApp. Over 95% of the affected devices are in Brazil, while the rest are spread across the US and Austria.
The malware, which has been active at least since September 24, 2025, contains a script that unloads a script based on PowerShell or Python, which harvests WhatsApp user data, as well as a script that installs a trojan through an MSI installer package that loads a trojan. The most recent discovery made by Acronis follows this pattern, using WhatsApp.zip as a landing page in order to establish a malware infection via WhatsApp messages.
“When the victim unlocks the archive, they will see a Visual Basic Script file, which is labeled as harmless,” said the cybersecurity firm. “The execution of the Visual Basic Script file marks the beginning of the compromise, as it will download the components for the second stage.”
This includes two modules
A Python based propagation module that gathers the victim's WhatsApp contacts and automatically forwards a malicious ZIP file to each of them, effectively leading to the spread of the malware in a worm like manner
A banking module that operates in the background and continuously monitors a victim's web browsing activity, and activates when banking related URLs are visited to harvest credentials and enable financial gain
"The malware author also incorporated a built in mechanism to track real time propagation metrics," Acronis continued to explain. "The malware code occasionally records various details, including how many messages have been successfully delivered, how many failed transmission attempts, and message transmission speed in terms of messages per minute."
👉🏻 Found this article interesting? Follow us on Facebook, Twitter and whatsapp to read more exclusive content we post.
