A new WhatsApp worm is sweeping through Brazil, stealing bank logins and crypto keys from ordinary users, security firms warn.
Victims get a message that looks familiar — a delivery note, a government alert, or an invite to a group — and one click can let the threat spread through their contacts while a hidden trojan strips data from their machines.
How The Worm Spreads
According to security reports, attackers send ZIP files over WhatsApp that contain a malicious .LNK shortcut. When opened, that shortcut runs deceptive commands which load more code into memory so little is written to the hard drive.
This “fileless” step helps the malware avoid some antivirus tools. Based on reports, the infection also hijacks WhatsApp Web sessions to send the same bait to the victim’s friends, making the attack behave like a worm.
Figure 2. Eternidade Stealer’s attack chain. Source: SpiderLabs
One analyst group said more than 400 “customer environments” and over 1,000 endpoints showed signs of compromise, while another firm blocked roughly 62,000 infection attempts in the first 10 days of October.
Targets And Techniques
Reports have disclosed two main strains that are active in Brazil. One is a banking trojan called Eternidade Stealer that uses a Gmail account as a hidden command channel.
Figure 7. The malware’s JavaScript code that steals victims’ WhatsApp contact lists. Source: SpiderLabs
The other, known as Maverick, relies on automation tools such as WPPConnect to operate WhatsApp Web and to push malicious messages from infected accounts.
The threats look for local settings before fully activating, checking timezone and language so the code runs mainly on machines set to Brazil.
Security researchers say the malware can snapshot screens, log keystrokes, and overlay fake login pages on banking or exchange websites.
The list of targets is wide: it includes 26 Brazilian banks, six crypto exchanges, and one payment platform.
Bitcoin is priced at $92,191 in the last 24 hours. Chart: TradingView
Smart Filtering Makes It Worse
The attackers appear to avoid business or group contacts. That choice seems designed to keep messages within small personal circles and to reduce early detection.
Once a contact, such as a family member or friend, opens the link, the same cycle can repeat. Because the worm spreads by using trusted accounts, people are more likely to fall for the bait.
The use of widely available services like Gmail for control instructions makes it harder for defenders to block a single command server.
What To Do If You’re Exposed
According to security experts, if funds are at risk, act fast. Freeze or lock accounts when possible, alert your exchange or bank, and report the incident to local authorities.
Enable strong multi-factor authentication on every financial account and use withdrawal whitelists where offered. According to experts, do not open ZIP or .LNK files from WhatsApp, even from known contacts, without verifying by a separate message or a phone call.
Source: Chainalysis
Brazil At No. 5
Chainalysis figures show Brazil sits at the top of Latin America in crypto use, and the country holds the fifth spot in the platform’s 2025 Global Crypto Adoption Index Top 20.
Featured image from Gemini, chart from TradingView