
Researchers uncover a new WhatsApp-driven malware campaign in Brazil that spreads the Eternidade Stealer trojan
Brazil is facing a new and growing cyber threat: a malware campaign that silently spreads across WhatsApp and steals sensitive financial data. SpiderLabs researchers have spotted a variant of the Eternidade Stealer trojan that uses custom social engineering, WhatsApp hijacking and adaptive evasion techniques to target users across the country.
The attack starts with the victim receiving an innocent-looking file or link, which may come disguised as government updates, courier tracking alerts, or personal messages. Opening it lets a Python-based worm onto the device, which then silently installs the Delphi-built Eternidade Stealer.
The worm instantly hijacks active WhatsApp Web sessions, scans contacts and sends malicious attachments with friendly greetings and personalized names. This rapid self-replication lets the malware spread at high speed through trusted chats.
What makes this campaign especially serious is its dynamic command-and-control design: instead of connecting to a single server, the malware logs into a pre-set email account and checks the newest message for updated instructions. This allows attackers to rotate servers, evade takedowns, and remain persistent without leaving a predictable pattern.
If the email login fails, a fallback server keeps the operation running. Once installed, the stealer can capture keystrokes, screenshots and files while monitoring logins for major Brazilian banks, fintech platforms and crypto wallets.
Brazil has become a frequent target for malware campaigns leveraging WhatsApp's huge reach. Similar techniques have been used in earlier campaigns, such as Water Saci and SORVEPOTEL, to deliver financial trojans across Brazil and parts of Argentina.
The most recent operation continues that trend, but with added automation and improved social engineering, which will make it harder for casual users to tell the difference between legitimate messages and malicious ones.
Although it self-destructs on devices not set to Brazilian Portuguese, researchers detected hundreds of connection attempts coming from 38 countries, including the United States. This implies that the worm can spread abroad by accident via WhatsApp contacts, though its payload activates only regionally.
Security teams now call on organizations and users to be on the lookout for suspicious WhatsApp activity, unexpected script files and unfamiliar MSI installers.
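One way to turn that advice into a triage rule over process-creation logs, as an added example that does not come from the article or the SpiderLabs research. The Sysmon-style field names, the extension list, the user-writable folders, the browser parent list and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed values for illustration; none of these lists come from the report.
SCRIPT_EXTS = {".vbs", ".js", ".bat", ".cmd", ".ps1", ".py"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "python.exe", "pythonw.exe"}
USER_DIRS = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # where WhatsApp Web runs

def _args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]

def triage(event):
    """Return the reasons a process-creation event deserves a closer look."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    for arg in _args(event["CommandLine"])[1:]:
        low = arg.lower()
        ext = ntpath.splitext(low)[1]
        in_user_dir = any(d in low for d in USER_DIRS)
        if image == "msiexec.exe" and ext == ".msi" and in_user_dir:
            reasons.append("msi-from-user-dir")
        if image in SCRIPT_HOSTS and ext in SCRIPT_EXTS and in_user_dir:
            reasons.append("script-from-user-dir")
    if reasons and parent in BROWSERS:
        reasons.append("browser-parent")  # file opened straight from a download
    return reasons

# Constructed sample events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\ana\Downloads\rastreio.msi" /qn'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\ana\Downloads\pedido.vbs"'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},
]

def scan(events):
    """Return (command line, reasons) for every event that was flagged."""
    return [(e["CommandLine"], r) for e in events if (r := triage(e))]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(", ".join(why), "|", cmd)
```

A hit is a prompt to check where the file came from, not a verdict: software installed on purpose from the Downloads folder matches the same rule.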