Astaroth adds WhatsApp worm module to spread in Brazil

Malware Activity
Happening score: 34
1 unique source, 1 article

Summary

The Astaroth/Guildma banking trojan now uses WhatsApp to spread in Brazil, auto-sending malicious files to victims' contacts and expanding the risk of credential theft. Its new Python worm module harvests contacts, while the banking payload watches for banking-related URLs and steals logins. The infection chain starts with ZIP archives delivered through chat messages and a Visual Basic Script downloader that launches next-stage components.

Related Happenings

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe

Campaign
First: 01.04.2026 15:36 Last: 01.04.2026 15:36 Sources 1

About this happening: **Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...

WhatsApp-delivered VBS Windows infection campaign

Campaign
First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

SORVEPOTEL WhatsApp malware campaign spreads across Brazil

Campaign
First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...

VENON Rust-based banking malware targeting Brazilian Windows users

Malware Activity
First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: Researchers disclosed **VENON**, a new **Rust-based banking malware** aimed at **Brazilian Windows users**, raising the risk of **credential theft** through fake banking overlays....

Timeline

  1. 08.01.2026 19:10 1 article · 4mo ago

    Astaroth WhatsApp propagation active in Brazil since September 24, 2025

    Campaign Scope Update

    Astaroth/Guildma activity targeting WhatsApp users in Brazil uses ZIP archives delivered through WhatsApp messages, a downloader script, and an MSI installer to collect WhatsApp user data and spread the trojan in a worm-like manner. The propagation chain includes a Python-based module that harvests contacts and automatically forwards malicious ZIP files, while the banking payload monitors browser activity to steal credentials when banking-related URLs are visited.

  2. 08.01.2026 19:10 2 articles · 4mo ago

    Acronis discloses Boto Cor-de-Rosa on January 8, 2026

    Initial Disclosure

    Acronis Threat Research Unit discloses the Boto Cor-de-Rosa campaign, describing a WhatsApp-based delivery vector for the Astaroth/Guildma Windows banking trojan in attacks targeting Brazil. The disclosure says the malware retrieves the victim's WhatsApp contact list, automatically sends malicious messages to each contact, and uses a built-in mechanism to track propagation metrics in real time.