A new WhatsApp malware targets Brazilian users, stealing banking and crypto data while spreading through hijacked contacts.
A fast-moving malware campaign is targeting WhatsApp users across Brazil.
This “WhatsApp Worm” has been discovered spreading through hijacked accounts and tricking people into opening harmful files. Once inside a device, it steals banking and crypto information, copies contacts and continues its spread through new victims.
Researchers warn that the malware uses updated methods that make it harder to detect or block.
How the WhatsApp Malware Campaign Starts
Attackers typically open the campaign with simple messages carrying fake alerts about government aid, package deliveries or investment groups.
Some messages appear to come from friends or family, and victims are tricked into tapping a link that sets the infection chain in motion.
The attack starts with a small script that silently downloads two main files. One controls the spread of the worm, while the other installs the banking trojan known as Eternidade Stealer.
The script includes Portuguese comments and checks for a Brazilian Portuguese system. If it does not find one, it shuts down. This shows the attackers aim at local victims, not global ones.
Attackers also switched from older PowerShell methods to a Python script. This script works through WhatsApp Web and uses WPPConnect to automate sending messages.
It copies the victim’s full contact list. It also skips business accounts and groups to focus on people who are more likely to trust the sender.
How the Worm Hijacks WhatsApp Accounts
Once active, the worm takes over the victim’s WhatsApp session. It collects phone numbers, names and details that show whether someone is a saved contact.
It then sends this information to a server controlled by the attackers.
After doing this, the worm sends out a malicious file to all contacts. It uses a short template message, often with a greeting that matches the time of day.
Many people trust these messages because they appear to come from someone they know, and this helps the malware spread through families, friends and coworkers.
The campaign resembles another recent attack on Brazilian users known as Water Saci.
That attack also spread through WhatsApp Web and delivered a similar banking trojan. The pattern of these attempts points to an active group working in Brazil, one that is refining the same methods across many campaigns.
What the Eternidade Stealer Does After Infection
The banking trojan bundled with the worm is the main threat. It runs in the background and scans the computer for open windows, processes and browser tabs. When it notices a banking or crypto service, it activates.
Eternidade Stealer searches for login screens from banks like Bradesco and BTG Pactual. It also checks for fintech services like MercadoPago and Stripe.
It looks for crypto services too, including Binance, Coinbase, MetaMask and Trust Wallet. When it spots a match, it begins recording keystrokes, taking screenshots or stealing saved files.
The malware also uses an unusual technique to survive takedowns: rather than relying on a fixed command-and-control server, it logs into a pre-set email inbox using hardcoded credentials.
It reads that inbox for new commands from the attackers. If the inbox is unreachable, it falls back to a backup server address. This setup helps the malware survive infrastructure changes or takedowns.
Researchers found that the attackers run panels to manage infected devices. They monitor where victims are located and block almost all traffic that does not come from Brazil or Argentina.
This is what keeps their servers from attracting attention.
