Acronis, a global leader in cybersecurity and data protection, has uncovered a new and highly concerning campaign of the Astaroth banking malware that marks a major shift in how financial cybercrime spreads. Identified by the Acronis Threat Research Unit (TRU) as “Boto Cor-de-Rosa,” the campaign uses WhatsApp Web as a built-in propagation channel, allowing the malware to automatically send infected files to a victim’s personal contacts. By exploiting everyday messaging habits and trusted relationships, the attackers can rapidly scale infections while simultaneously stealing sensitive banking credentials, primarily targeting users in Brazil.
The campaign begins when users receive a ZIP file on WhatsApp that appears to be a routine document shared by a known contact. Once the file is opened, a hidden script installs the malware without the user’s awareness. This initial compromise enables the malware to operate quietly in the background while establishing persistence on the infected system.
After installation, the malware runs two coordinated operations in parallel. One component focuses on rapid spread by accessing the victim’s WhatsApp contacts and automatically sending new malicious files using natural, friendly language designed to appear legitimate. The second component functions as a banking trojan, monitoring online activity and activating when the victim accesses banking or financial websites, where it can steal login credentials and support fraudulent transactions.
What makes this campaign particularly effective is its strong use of social engineering. The malware dynamically selects greetings such as “Good morning,” “Good afternoon,” or “Good evening” based on the local time, making messages feel personal and routine rather than suspicious. This attention to behavioural detail significantly increases the likelihood that recipients will open the malicious attachment, unknowingly continuing the infection chain.
The attackers have also built in mechanisms to track how successfully the malware spreads. The campaign collects and exfiltrates victims’ contact lists and records delivery statistics, allowing threat actors to monitor reach and optimise the pace of propagation in real time. These capabilities highlight the growing professionalism and operational maturity behind modern cybercrime campaigns.
Although this specific campaign focuses on Brazilian users and uses Portuguese-language messaging, Acronis warns that the underlying technique is easily adaptable to other geographies and messaging platforms. As instant messaging becomes central to both personal and professional communication, such platforms are increasingly being targeted as high-trust, low-friction channels for cyberattacks.
Acronis confirms that this threat is successfully detected and blocked by Acronis EDR and XDR solutions, which identify both the malicious components and the abnormal behaviours associated with WhatsApp-based propagation and banking fraud. The findings underscore the importance of layered security approaches that go beyond traditional email-focused threat models.