Brazil Faces Surge in WhatsApp Worm Attacks Targeting Crypto and Banking Apps

A newly identified WhatsApp-based worm-and-trojan campaign in Brazil is compromising crypto wallets and bank accounts through a rapidly spreading malware cluster dubbed Eternidade.

Researchers Identify New Multi-Stage Threat

Brazilian crypto users are being warned about an emerging malware operation that leverages WhatsApp hijacking to spread a banking trojan designed to harvest financial credentials. Trustwave SpiderLabs researchers have disclosed that the campaign revolves around a newly identified stealer known as Eternidade, a Delphi-based malware capable of dynamically updating its command-and-control infrastructure and stealthily collecting data from victims.

Researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi noted that WhatsApp remains central to Brazil’s cybercriminal ecosystem, stating,

“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware.”

How the Infection Chain Works

According to the research team, the ongoing operation begins with social engineering messages delivered via WhatsApp. These lures mimic familiar formats, such as delivery notifications, fraudulent investment groups, and “fake government programs”, to trick recipients into clicking malicious links.

Once clicked, the link triggers the deployment of both a hijacking worm and the Eternidade banking trojan. The worm immediately takes control of the victim’s WhatsApp account, extracts the contact list, and selectively targets individual contacts using “smart filtering,” bypassing business groups to maximize the likelihood of personal engagement.

Simultaneously, a trojan file is silently downloaded on the device. This component installs the Eternidade Stealer in the background, enabling attackers to scan for credentials tied to major Brazilian banks, fintech platforms, and cryptocurrency exchanges and wallets.

Adaptive Command-and-Control via Gmail

One of the campaign’s most crucial traits is its unconventional method for receiving updated commands. Instead of relying on static server addresses, Eternidade uses hardcoded credentials to log into a Gmail account via IMAP. This allows the attackers to send updated instructions simply by emailing the controlled account.

The researchers highlighted this technique in their report:

“One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address.”

Related Malware Activity

The Eternidade operation follows closely behind another Brazil-focused malware wave known as Water Saci, which used a WhatsApp Web worm called SORVEPOTEL to distribute Maverick, a .NET-based banking trojan linked to earlier Coyote malware variants. These incidents underscore a persistent trend in the region: the use of WhatsApp as a primary vector and the enduring reliance on Delphi-based tools for malware development.

Safety Recommendations

Security experts are advising WhatsApp users to avoid clicking unfamiliar links, even when sent by trusted contacts. Confirming suspicious messages through alternate communication channels is recommended, particularly when little context accompanies the link.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice