Boto Cor-de-Rosa (WhatsApp Web Banking Trojan)
BLUF
A banking Trojan (linked to Astaroth) is spreading automatically via WhatsApp Web, targeting Windows users in a "worm-like" fashion to steal credentials.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by WhatsApp Web–propagated banking trojans leveraging trusted contact networks:
· Low-end total cost: $900K – $1.6M
o (Limited infections, rapid containment, minimal confirmed financial misuse)
· Typical expected range: $1.8M – $4.5M
o (Multiple endpoints impacted, credential exposure, operational disruption)
· Upper-bound realistic scenarios: $4.5M – $7.5M
o (Broader propagation, fraud losses, regulatory notification required)
Key Cost Drivers
· Number of endpoints with active WhatsApp Web sessions
· Speed of detection before credential harvesting and propagation
· Exposure of financial or regulated accounts
· Workforce size affected by forced credential resets
· Insurance policy treatment of social engineering–driven malware
Targeted Sectors
· General consumers
· Financial services
Countries
· Global
Date of First Activity
· Jan 15, 2026
Date of Last Update
· Jan 17, 2026
APT names
Not applicable at this time.
Criminal organization
· Linked to Astaroth threat actor infrastructure.
IOCs
Malicious File Patterns
Infection Vector
· Malicious ZIP archives sent via WhatsApp.
Filename Convention
· Consistently uses a pattern of digits and hexadecimal characters separated by underscores and dashes (e.g., 552_516107-a9af16a8-552.zip).
Initial Loader
· A heavily obfuscated Visual Basic Script (VBScript) hidden within the ZIP archive.
Payload Components
Propagation Module
· A Python-based worm that automates WhatsApp Web to harvest contacts and send messages.
Banking Module
· A Delphi-based executable that monitors financial activity and steals credentials.
Social Engineering Lures
The malware uses Portuguese-language messages tailored to the time of day:
Message Template
· "Aqui está o arquivo solicitado. Se você tiver alguma dúvida, estou à disposição!" (English: "Here is the requested file. If you have any questions, I'm available!").
Variable Greetings
· Automatically prepends "Bom dia", "Boa tarde", or "Boa noite" based on the local system time.
Network & Behavior
· Distribution Channel: Exploits WhatsApp Web automation to spread through trusted personal relationships.
· Monitoring Activity: The malware silently monitors browser foreground windows for strings related to Brazilian banks and cryptocurrency platforms like Mercado Bitcoin.
Tools Used
· Astaroth banking Trojan variant
· WhatsApp Web abuse
TTPs
Initial Access (TA0001)
· T1566.001 Phishing: Spearphishing Attachment
o The infection begins when a user receives a WhatsApp message containing a malicious ZIP archive, often disguised with a name containing digits and hexadecimal characters (e.g., 552_516107-a9af16a8-552.zip).
· T1204.002 User Execution: Malicious File
o The user is tricked into extracting and executing a heavily obfuscated Visual Basic Script (VBScript) disguised as a legitimate document.
Execution (TA0002)
· T1059.005 Command and Scripting Interpreter: Visual Basic
o VBScript is used as the initial downloader for the subsequent malware stages.
· T1059.006 Command and Scripting Interpreter: Python
o A new WhatsApp-based worm module is implemented entirely in Python to facilitate automatic spreading via WhatsApp Web.
Persistence & Defense Evasion (TA0003 & TA0005)
· T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
o The malware installs itself to maintain presence on the Windows system.
· T1218 System Binary Proxy Execution
o The malware abuses legitimate Windows binaries to download and execute malicious payloads, evading security software.
· T1027 Obfuscated Files or Information
o The Visual Basic scripts and core Delphi components are heavily obfuscated to prevent detection.
Discovery & Collection (TA0007 & TA0009)
· T1083 File and Directory Discovery
o The malware searches the system for active WhatsApp Web sessions.
· T1119 Automated Collection
o The Python-based worm module automatically retrieves the victim's WhatsApp contact list.
Lateral Movement & Exfiltration (TA0008 & TA0010)
· T1534 Internal Spearphishing
o The malware automatically sends the malicious ZIP archive to the victim's contacts via WhatsApp, creating a worm-like propagation loop.
· T1041 Exfiltration Over C2 Channel
o The malware steals credentials, session tokens, and financial data and sends them to a Command and Control (C2) server.
Command and Control (TA0011)
· T1071.001 Application Layer Protocol: Web Protocols
o The malware communicates with its infrastructure using standard HTTP/HTTPS, often masquerading as legitimate traffic.
Malware Names
Boto Cor-de-Rosa (Banking Trojan)
Malware Sample
sha256
6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1
Malware Family
· Astaroth/Boto Cor-de-Rosa
Verdict
· Malicious/Banking Trojan
Primary Objectives
· Exfiltrate banking credentials
· Exfiltrate session cookies
· Exfiltrate personal data
Threat Actor Context
· Likely targeting users with active financial sessions on Windows.
Behavior Analysis
· Self-replicates via WhatsApp Web to the victim's contacts
· Downloads secondary malicious payloads
CVEs
· Not applicable.
o Exploits human interaction rather than specific software flaws in this phase.
Suggested rules / potential hunts
Suricata
Detects the request for the propagation module (a .py file or the wppconnect-w.js WhatsApp automation library) from common hosting or C2 sites. Both Suricata rules match on the request URI of cleartext HTTP downloads; a ZIP delivered inside WhatsApp's own encrypted session is not visible to them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE Boto Cor-de-Rosa Python Worm Download"; flow:established,to_server; pcre:"/(?:\.py|wppconnect-w\.js)/Ui"; sid:2026001; rev:1;)
Detects requests for ZIP files matching the digits/hexadecimal/underscore pattern (e.g., 552_516107-a9af16a8-552.zip); the dot is escaped so it only matches a literal ".zip".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE Boto Cor-de-Rosa Malicious ZIP Download Pattern"; flow:established,to_server; content:".zip"; http_uri; nocase; pcre:"/[0-9]{3}_[0-9a-fA-F-]+\.zip/Ui"; sid:2026002; rev:1;)
SentinelOne
VBS Script Execution from ZIP
(ProcessName matches "wscript.exe" OR ProcessName matches "cscript.exe") AND CommandLine contains ".vbs" AND ParentProcessName matches "Explorer.exe"
Python Worm Module Activity
ProcessName matches "python.exe" AND (CommandLine contains "wppconnect" OR CommandLine contains "contact.list")
Process Hollowing (Common in Astaroth/Boto):
IndicatorType matches "ProcessHollowing" AND ProcessName in ("aspnet_regsql.exe", "RegAsm.exe", "InstallUtil.exe")
Splunk
Identify Malicious ZIP File Activity:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval zip_match=if(match(TargetFilename, "\\d{3}_[0-9a-fA-F-]+\\.zip$"), "Yes", "No")
| where zip_match="Yes"
| table _time, host, TargetFilename, Image
Detect WhatsApp Web to Script Execution:
index=endpoint sourcetype="SentinelOne"
| where ParentProcessName="chrome.exe" OR ParentProcessName="msedge.exe"
| where ProcessName IN ("powershell.exe", "cmd.exe", "python.exe")
| where match(CommandLine, "(?i)http")
| stats count by host, CommandLine
Monitor for WhatsApp-specific API Library Downloads (the github.com clause is deliberately broad and will need allow-listing where GitHub traffic is routine):
index=network sourcetype=suricata
| where url LIKE "%wppconnect-w.js%" OR url LIKE "%://github.com%"
| stats count by src_ip, dest_ip, url
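As an added example (not part of the original report), the SentinelOne and Splunk hunts above expressed as one offline Python check over endpoint events exported as JSON lines; the field names follow those queries, and the sample events are constructed:

```python
import json
import re

# Filename convention from the IOC section: three digits, an underscore, then digits and
# hex characters separated by dashes, ending in .zip (e.g. 552_516107-a9af16a8-552.zip).
ZIP_NAME_RE = re.compile(r"(?:^|[\\/])\d{3}_[0-9a-fA-F-]+\.zip$")
# Script hosts launched from Explorer with a .vbs argument (the loader extracted from the ZIP).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Command-line markers for the Python worm module, as in the SentinelOne hunt above.
WORM_MARKERS = ("wppconnect", "contact.list")


def classify(event):
    """Return the hunt labels that match one endpoint event (a dict of field -> value)."""
    hits = []
    if ZIP_NAME_RE.search(event.get("TargetFilename") or ""):
        hits.append("zip_name_pattern")
    proc = (event.get("ProcessName") or "").lower()
    parent = (event.get("ParentProcessName") or "").lower()
    cmd = (event.get("CommandLine") or "").lower()
    # Grouped explicitly: (wscript OR cscript) AND a .vbs argument AND an Explorer parent.
    if proc in SCRIPT_HOSTS and ".vbs" in cmd and parent == "explorer.exe":
        hits.append("vbs_from_explorer")
    if proc == "python.exe" and any(marker in cmd for marker in WORM_MARKERS):
        hits.append("python_worm_module")
    return hits


def hunt(lines):
    """Run classify() over newline-delimited JSON events; return (line_index, labels) for hits."""
    findings = []
    for index, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the whole hunt
        labels = classify(event)
        if labels:
            findings.append((index, labels))
    return findings


# Constructed sample events (not real telemetry); Windows paths are JSON-escaped.
SAMPLE_EVENTS = [
    r'{"EventCode": 11, "Image": "chrome.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\552_516107-a9af16a8-552.zip"}',
    r'{"ProcessName": "wscript.exe", "ParentProcessName": "Explorer.exe", "CommandLine": "wscript.exe C:\\Temp\\doc.vbs"}',
    r'{"ProcessName": "python.exe", "ParentProcessName": "cmd.exe", "CommandLine": "python.exe bot.py --lib wppconnect-w.js"}',
    r'{"EventCode": 11, "Image": "chrome.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\report_2026.zip"}',
    r'{"ProcessName": "wscript.exe", "ParentProcessName": "svchost.exe", "CommandLine": "wscript.exe logon.vbs"}',
    "not json",
]
```

The last two constructed events show why the parenthesised form of the SentinelOne queries matters: a benign ZIP name and a script host with a non-Explorer parent produce no hit.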
Delivery Method
WhatsApp Web messages containing malicious ZIP files.
References
WFIN
· hxxps://wfin.com/fox-technology-news/whatsapp-web-malware-spreads-banking-trojan-automatically/
Fox News
· hxxps://www.foxnews.com/tech/whatsapp-web-malware-spreads-banking-trojan-automatically