Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices
July 3, 2026
AsyncRAT Campaign Leverages ScreenConnect to Evade Detection
July 2, 2026
Home/Threats/New Malware Automatically Send to Contacts via WhatsApp Web Attacks Windows Systems
Threats

New Malware Automatically Send to Contacts via WhatsApp Web Attacks Windows Systems

A new campaign employing the Astaroth banking malware is actively targeting Windows systems, leveraging WhatsApp Web for automated propagation. The campaign, called Boto Cor-de-Rosa, represents a...

David kimber
David kimber
January 9, 2026 2 Min Read
39 0

A new campaign employing the Astaroth banking malware is actively targeting Windows systems, leveraging WhatsApp Web for automated propagation.

The campaign, called Boto Cor-de-Rosa, represents a significant evolution in how malware spreads through messaging platforms.

The threat specifically targets users in Brazil by exploiting WhatsApp Web to harvest contact lists and automatically send malicious messages to every contact, creating a self-sustaining infection loop.

The malware operates through a two-pronged approach that combines aggressive propagation with credential theft.

When victims receive a ZIP file through WhatsApp and extract it, they encounter a Visual Basic script disguised as a legitimate file.

Once executed, this script downloads two components: the core Astaroth banking payload written in Delphi and a Python-based WhatsApp spreader module.

The infection process begins innocuously, with file names following patterns like “552516107-a9af16a8-552.zip” to appear less suspicious.

Acronis researchers identified that the malware uses sophisticated social engineering techniques to increase its success rate.

The Python module automatically detects the time of day and sends appropriate greetings in Portuguese before delivering the malicious payload.

Infection chain (Source - Acronis)
Infection chain (Source – Acronis)

The message template reads “Segue o arquivo solicitado. Qualquer dvida estou disposio!” which translates to “Here is the requested file.

If you have any questions, I’m available!” This casual, familiar phrasing makes recipients more likely to trust the attachment.

Technical Breakdown of the Attack Mechanism

The propagation module includes built-in tracking mechanisms that monitor delivery metrics in real time.

The code calculates statistics such as successful deliveries, failed attempts, and sending rate measured in messages per minute.

After every 50 messages, it generates progress updates showing the percentage of contacts processed and current throughput.

The VBS downloader embedded in the ZIP archive is typically 50 to 100 KB and heavily obfuscated to avoid detection.

Once deobfuscated, it executes PowerShell commands to download components from compromised domains like coffe-estilo.com.

The downloaded MSI package deploys files into “C:MicrosoftEdgeCache6.60.2.9313” directory, including electron.exe and various DLL files that form the complete Astaroth payload.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Hackers Actively Exploiting AI Deployments – 91,000+ Attack Sessions Observed

Next Post

Trend Micro Apex Central Vulnerabilities Enables Remote Code Execution Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Claude Cowork Sandbox Vulnerability Lets Attackers Run Commands as Root
July 2, 2026
Ousaban Malware Targets Iberian Banks with Phishing PDFs and VBS Downloader
July 2, 2026
Citrix Bleed (CVE-2023-4966) Critical Vulnerability Actively Exploited
July 2, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us