Millions of WhatsApp users are now under attack as fraudsters find evolving ways to circumvent digital safeguards. This time, attackers are weaponizing the messaging app to infiltrate PC users, allowing them to spy on victims and steal sensitive information and money.
Security researchers at Acronis have uncovered a new campaign targeting WhatsApp Web users. The campaign, known as Boto Cor de Rosa and originating from Brazil, deploys malware linked to the well-known banking trojan Astaroth.
A Trojan That Converses Like a Human
The attack begins with a friendly or familiar message that appears to come from one of your existing contacts. These messages often include common greetings such as, “Here is the requested file. If you have any questions, I am available!” Accompanying the message is a ZIP file that looks like a standard document when opened.
Unbeknownst to the user, attempting to open the PDF or document within the ZIP file triggers an initial script. This script uses advanced obfuscation techniques, making it extremely difficult for the Windows operating system to detect. This script is then used to download and install a pair of malware components that prepare the system for the final delivery of the nefarious Astaroth malware.
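A defender-side check for the delivery step described above, as an added example that is not from the article or from Acronis: it reads a ZIP attachment's member list without extracting anything and flags names that Windows would run rather than open as a document. The extension lists, size cap and sample archive are assumptions constructed for illustration; the article does not name the script type used.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions Windows executes on double-click (not a list from the article).
RISKY_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".bat",
             ".cmd", ".ps1", ".exe", ".scr", ".msi", ".com", ".pif"}
# Assumption: document-like extensions placed in front of the real one as a decoy.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTL_OVERRIDE = "\u202e"  # reverses displayed text, so the true extension is hidden
MAX_NESTED_BYTES = 20 * 1024 * 1024  # do not unpack oversized nested archives

def triage_zip(data, depth=0):
    """Return (member, reason) findings; members are read in memory, never written."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Windows drops trailing dots and spaces, so "a.vbs ." still runs as .vbs
            suffixes = [s.lower() for s in PurePosixPath(name.rstrip(" .")).suffixes]
            last = suffixes[-1] if suffixes else ""
            if RTL_OVERRIDE in name:
                findings.append((name, "right-to-left override in name"))
            if last in RISKY_EXT:
                decoy = len(suffixes) > 1 and suffixes[-2] in DECOY_EXT
                reason = "double extension hides " if decoy else "runs on double-click: "
                findings.append((name, reason + last))
            elif last == ".zip" and depth < 2 and info.file_size <= MAX_NESTED_BYTES:
                inner = triage_zip(archive.read(info), depth + 1)
                findings += [(f"{name}!{n}", r) for n, r in inner]
    return findings

def build_sample():
    """Constructed sample archive with harmless placeholder contents."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.lnk", "placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Requested file.pdf.vbs", "placeholder")
        z.writestr("notes.txt", "placeholder")
        z.writestr("more/extra.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print(f"{member}: {reason}")
```

A clean result only means no member name looked executable; it says nothing about the contents of document files themselves.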

Astaroth is the final stage of the attack, executing the theft of credentials and sensitive information. It is specifically designed to gain access to financial data, which attackers then use to siphon funds from your accounts.
Why This Malware Is More Dangerous
What makes this campaign particularly concerning is the connection between WhatsApp Web and the mobile app. Because these accounts are synced, bad actors can use the web version to access messages, files, and contact lists.
In addition to installing the banking trojan, the script runs a tracking and monitoring module specifically for WhatsApp. This module is used to extract contacts and personal information, enabling an automated system to spread the dangerous file to other users. The tracking feature even allows the malware to see how many messages were successfully delivered, giving the attackers real-time insights into how the infection is spreading.
As described by the security team, this design allows the malware to manage itself without revealing its presence or being detected by the user. When combined with its viral spreading method, this makes the Boto Cor de Rosa campaign an alarming threat.
How to Keep Safe Online
While there are currently no reports of successful mass exploitation using these specific vulnerabilities, users are advised to be cautious and proactive.
One of the most effective steps is to avoid opening or interacting with files, even if they appear to come from a known contact. It is also advisable to enable stronger authentication tools when logging into WhatsApp Web. You should also consider disconnecting the web session from your mobile app when it is not in use.
On the PC side, always ensure that your Windows operating system and security software are updated to the latest versions. If necessary, you can also install a dedicated antivirus application for an extra layer of protection.
What other ways can you think of to protect your information and financials online? Share your suggestions in the comments below.