Self‑Spreading Banking Trojan Exploits WhatsApp Web on Windows

Security researchers have uncovered a new malware campaign, dubbed Boto Cor‑de‑Rosa, that hijacks WhatsApp Web sessions on Windows PCs to auto‑distribute the Astaroth banking trojan through victims’ chat contacts. The attack begins when a user opens a seemingly routine ZIP file sent over WhatsApp that actually contains an obfuscated Visual Basic script, which then pulls additional components, including the Astaroth payload and a Python module that programmatically controls WhatsApp Web in the browser. Once installed, the malware quietly sends the same malicious ZIP to every contact with a friendly‑sounding text like, “Here is the requested file. If you have any questions, I’m available!”, making it far more likely recipients will open it because it appears to come from someone they know. Researchers at Acronis say the propagation tool tracks delivery metrics every 50 messages so attackers can tune the campaign, while the trojan itself hides in a directory mimicking a Microsoft Edge cache and is designed to steal credentials and potentially access financial accounts. For U.S. users, the story underscores that even trusted, end‑to‑end encrypted apps can become delivery vehicles when their web clients are compromised, and that routine‑looking ZIPs from real contacts are now a serious infection vector.