Brazilian WhatsApp Users Beware! This Malware is a Crypto Catastrophe 🚨

Oh no! Not again! A new WhatsApp malware is targeting Brazilian users, stealing banking and crypto data while spreading like a digital plague. 🐍💸

A fast-moving malware campaign is targeting WhatsApp users across Brazil. And by “fast-moving,” we mean it’s faster than your grandma’s Wi-Fi. 🚀

This “WhatsApp Worm” has been discovered spreading through hijacked accounts and tricking people into opening harmful files. Because who doesn’t love a suspicious link from a friend? 📱😅

Researchers warn that the malware uses updated methods that make it harder to detect or block. Because nothing says “I’m a villain” like being tech-savvy. 🔍😈

How the WhatsApp Malware Campaign Starts (And Why You Should Care)

Attackers typically start their campaign through simple messages where they send fake alerts about government aid, package deliveries or investment groups. Because who doesn’t want to believe in a miracle? 📦✨

Some messages look like they came from friends or family, and victims are tricked into tapping a link and setting off a chain reaction. It’s like a digital version of “I’ve got a secret!” 🤫

The attack starts with a small script that silently downloads two main files. One controls the spread of the worm, while the other installs the banking trojan known as Eternidade Stealer. Because why have one villain when you can have two? 🦹‍♂️🦸‍♀️

The script includes Portuguese comments and checks for a Brazilian Portuguese system. If it does not find one, it shuts down. This shows the attackers aim at local victims, not global ones. Because Brazil is their favorite playground. 🇧🇷

Attackers also switched from older PowerShell methods to a Python script. This script works through WhatsApp Web and uses WPPConnect to automate sending messages. Because nothing says “I’m a hacker” like Python. 🐍

It copies the victim’s full contact list. It also skips business accounts and groups to focus on people who are more likely to trust the sender. Because why target strangers when you can target your bestie? 👯‍♀️

How the Worm Hijacks WhatsApp Accounts (And Why You’re Next)

Once active, the worm takes over the victim’s WhatsApp session. It collects phone numbers, names and details that show whether someone is a saved contact. Because nothing says “I’m a stalker” like knowing your contacts. 🕵️‍♂️

It then sends this information to a server controlled by the attackers. Because who needs privacy when you can have a digital spy? 📶

After doing this, the worm sends out a malicious file to all contacts. It uses a short template message, often with a greeting that matches the time of day. Because nothing says “I’m friendly” like a 3 AM spam message. 🕒

Many people trust these messages because they appear to come from someone they know, and this helps the malware spread through families, friends and coworkers. Because trust is a weakness. 💔

The campaign resembles another recent attack on Brazilian users known as Water Saci. That attack also spread through WhatsApp Web and delivered a similar banking trojan. The pattern of these attacks indicates that they come from active groups operating in Brazil, and that the same group is refining the same methods across many campaigns. Because nothing says “I’m a professional” like repeating the same tricks. 🎩

What the Eternidade Stealer Does After Infection (Spoiler: Not Much Good)

The Trojan that comes with the worm is the main threat. It runs in the background and scans the computer for open windows, processes and browser tabs. Because nothing says “I’m a busybody” like a Trojan. 🕵️‍♀️

Eternidade Stealer searches for login screens from banks like Bradesco and BTG Pactual. It also checks for fintech services like MercadoPago and Stripe. Because who doesn’t want to know your financial secrets? 💸

It looks for crypto services too, including Binance, Coinbase, MetaMask and Trust Wallet. When it spots a match, it begins recording keystrokes, taking screenshots or stealing saved files. Because nothing says “I’m a thief” like stealing your crypto. 🛡️

The malware even uses a unique method to avoid shutdowns and does not rely on a fixed server. Instead, it logs into a pre-set email inbox using hardcoded credentials. Because nothing says “I’m secure” like a hardcoded email. 📧

It reads the inbox for new commands from the attackers. If the inbox fails, it returns to a backup server address. This setup helps the malware survive changes or takedowns. Because nothing says “I’m resilient” like a backup plan. 🛠️
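The behaviours described above (the Brazilian Portuguese locale check, WPPConnect automation, contact harvesting, time-of-day greeting templates, and the mailbox-based command channel with hardcoded credentials and a backup server) are all things a defender can look for when triaging a suspicious script. The following is an added example, not code from the original article or from the researchers it cites: a small static triage scanner that scores a script's text against hypothetical indicator patterns built from those behaviours. The regexes, weights, threshold and the two constructed sample scripts are all assumptions for illustration, not published signatures.

```python
import re

# Hypothetical indicator set derived from the behaviours the article describes.
# Patterns and weights are assumptions chosen for illustration, not real signatures.
INDICATORS = {
    "locale_gate_pt_br":     (re.compile(r"pt[-_]BR", re.I), 2),
    "wppconnect_automation": (re.compile(r"wppconnect", re.I), 3),
    "contact_harvest":       (re.compile(r"getAllContacts|contacts?\s*=\s*.*list", re.I), 2),
    "time_of_day_greeting":  (re.compile(r"bom dia|boa tarde|boa noite", re.I), 1),
    "mailbox_c2":            (re.compile(r"imaplib|IMAP4_SSL|\.login\(\s*['\"][^'\"]+@", re.I), 3),
    "hardcoded_credential":  (re.compile(r"(senha|password|passwd)\s*=\s*['\"][^'\"]+['\"]", re.I), 2),
    "fallback_c2":           (re.compile(r"fallback|backup_?(host|server|url)", re.I), 1),
}

SUSPICIOUS_THRESHOLD = 6  # assumed cut-off: total weight at or above this is flagged


def triage(script_text):
    """Return the matched indicators, their summed weight and a verdict for one script."""
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(script_text)]
    score = sum(INDICATORS[name][1] for name in hits)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed sample resembling the traits described in the article. It is inert text
# for the scanner to read; hosts and credentials are obvious placeholders.
SUSPICIOUS_SAMPLE = '''
# verifica se o sistema e pt-BR, senao encerra
import locale, sys, imaplib
if locale.getdefaultlocale()[0] != "pt_BR":
    sys.exit()
WPPCONNECT_URL = "http://127.0.0.1:21465/api"   # placeholder
contatos = client.getAllContacts()
saudacao = "Bom dia"
SENHA = "PLACEHOLDER_PASSWORD"
mail = imaplib.IMAP4_SSL("imap.example.invalid")
mail.login("bot@example.invalid", SENHA)
BACKUP_SERVER = "http://backup.example.invalid"  # placeholder
'''

# Constructed benign sample: a meeting reminder that happens to use a Portuguese greeting.
BENIGN_SAMPLE = '''
# Envia lembrete de reuniao para a equipe
TEAM = ["ana@example.invalid", "bruno@example.invalid"]
msg = "Bom dia! Reuniao as 10h."
for addr in TEAM:
    print("would send to", addr)
'''

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(text))
```

A single Portuguese greeting is deliberately worth little on its own; the score only crosses the threshold when several of the article's traits co-occur, which is what separates the constructed worm-like sample from the harmless reminder script.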

Researchers found that the attackers run panels to manage infected devices. They monitor where victims are located and block almost all traffic that does not come from Brazil or Argentina. This is what keeps their servers from attracting attention. Because nothing says “I’m subtle” like blocking traffic. 🚫

2025-11-20 18:17