VERY IMPORTANT

The Boto Cor-de-Rosa campaign reveals Astaroth's new strategy of exploiting WhatsApp Web for propagation. This Brazilian banking malware now uses a Python-based worm module to retrieve victims' WhatsApp contact lists and automatically send malicious messages, expanding its infection reach. The attack begins with a malicious ZIP file sent via WhatsApp, containing a Visual Basic script that downloads additional components. The malware then operates two parallel modules: a propagation module for spreading through WhatsApp contacts, and a banking module for credential stealing. This campaign demonstrates Astaroth's evolution, combining traditional malware techniques with sophisticated social engineering and multi-platform propagation, primarily targeting Brazilian users.