Find notable cyber news and cases, enriched with sources, timelines, and signals.

Astaroth adds WhatsApp worm module to spread in Brazil

Malware Activity
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The Astaroth/Guildma banking trojan now uses WhatsApp to spread in Brazil, auto-sending malicious files to victims' contacts and expanding the risk of credential theft. Its new Python worm module harvests contacts, while the banking payload watches for banking-related URLs and steals logins. The infection chain starts with ZIP archives delivered through chat messages and a Visual Basic Script downloader that launches next-stage components.

Related Happenings

WhatsApp VBScript phishing campaign targeting users in multiple countries

Campaign
H score43 First: 23.06.2026 01:42 Last: 23.06.2026 01:42 Sources 1

About this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
H score20 First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
H score38 First: 01.04.2026 15:36 Last: 01.04.2026 15:36 Sources 1

About this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...

WhatsApp-delivered VBS Windows infection campaign

Campaign
H score34 First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

SORVEPOTEL WhatsApp malware campaign spreads across Brazil

Campaign
H score31 First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...

Timeline

  1. 08.01.2026 19:10 1 articles · 6mo ago

    Astaroth WhatsApp propagation active in Brazil since September 24, 2025

    Campaign Scope Update

    Astaroth/Guildma activity targeting WhatsApp users in Brazil uses ZIP archives delivered through WhatsApp messages, a downloader script, and an MSI installer to collect WhatsApp user data and spread the trojan in a worm-like manner. The propagation chain includes a Python-based module that harvests contacts and automatically forwards malicious ZIP files, while the banking payload monitors browser activity to steal credentials when banking-related URLs are visited.

    Show sources
  2. 08.01.2026 19:10 2 articles · 6mo ago

    Acronis discloses Boto Cor-de-Rosa on January 8, 2026

    Initial Disclosure

    Acronis Threat Research Unit discloses the Boto Cor-de-Rosa campaign, describing a WhatsApp-based delivery vector for the Astaroth/Guildma Windows banking trojan in attacks targeting Brazil. The disclosure says the malware retrieves the victim's WhatsApp contact list, automatically sends malicious messages to each contact, and uses a built-in mechanism to track propagation metrics in real time.

    Show sources