Overview
- Acronis identifies the active Boto Cor-de-Rosa operation, which harvests WhatsApp contacts and auto-sends malicious ZIP files to propagate like a worm.
- The infection begins with a WhatsApp message carrying a ZIP archive that launches a disguised VBScript to fetch next‑stage components.
- The malware splits into a propagation module that messages contacts and a banking module that activates on financial sites to steal credentials.
- The toolkit mixes languages and installers: a Delphi Astaroth payload, VBScript and MSI/AutoIt delivery stages, and a Python spreader (zapbiu.py) that installs its own runtime.
- The spreader uses localized Portuguese lures, abuses WhatsApp Web, and reports real‑time metrics on deliveries and failures to monitor its reach.