WhatsApp Worm Spreads Banking Trojan Across Brazil, Targets Crypto Wallets
Summary
A sophisticated cyberattack campaign is using a self-replicating WhatsApp worm to spread the Eternidade Stealer banking trojan across Brazil, specifically targeting cryptocurrency wallets and financial accounts. Identified by Trustwave SpiderLabs in November 2025, the attack tricks victims into clicking malicious links, then hijacks their WhatsApp accounts to send personalized infection messages to their contacts. The installed trojan scans for and steals credentials from major Brazilian banks (like Bradesco and Itaú), payment services, and numerous crypto exchanges and wallets (including Binance, Coinbase, and MetaMask).
Eternidade Stealer employs advanced evasion techniques, notably using hardcoded Gmail accounts and the IMAP protocol to receive command-and-control instructions, making network-level shutdowns difficult. Furthermore, the malware is hyper-localized, terminating execution if the system language is not Brazilian Portuguese. This campaign represents an evolution from previous WhatsApp threats, showing a shift to Python for efficiency and the innovative email-based command system. Although the campaign targets Brazil, connection attempts originated globally, with the US showing the highest volume. Users are advised to verify unexpected links, keep software updated, and immediately freeze accounts if compromised, while hardware wallets remain the most secure option for crypto storage.
(Source: Brave New Coin)
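Because IMAP traffic to Gmail is legitimate and cannot simply be blocked at the network edge, a defender has to look at which process opens the connection. The following is an added example, not code from the source article or from Trustwave: it scans endpoint connection records and reports IMAP sessions started by programs that are not known mail clients. The record field names, the allowlist and the sample log lines are assumptions constructed for illustration.

```python
import json

# Assumptions: programs expected to speak IMAP here, and the IMAP endpoints to watch.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IMAP_PORTS = {143, 993}
IMAP_HOSTS = {"imap.gmail.com"}

# Constructed sample records, one JSON object per line (hypothetical field names).
SAMPLE_LOG = r"""
{"host": "ws-01", "image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "dest_host": "imap.gmail.com", "dest_port": 993}
{"host": "ws-02", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\python.exe", "dest_host": "imap.gmail.com", "dest_port": 993}
{"host": "ws-02", "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\python.exe", "dest_host": "imap.gmail.com", "dest_port": 993}
{"host": "ws-03", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com", "dest_port": 443}
this line is truncated {"host": "ws-04"
"""


def image_name(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unexpected_imap(log_text, allowed=MAIL_CLIENTS):
    """Count IMAP connections per (host, process) made by non-allowlisted programs."""
    findings = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip rather than abort the scan
        if not isinstance(rec, dict):
            continue
        dest_host = str(rec.get("dest_host", "")).lower()
        is_imap = rec.get("dest_port") in IMAP_PORTS or dest_host in IMAP_HOSTS
        name = image_name(str(rec.get("image", "")))
        if is_imap and name not in allowed:
            key = (rec.get("host"), name)
            findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for (host, proc), count in sorted(find_unexpected_imap(SAMPLE_LOG).items()):
        print(f"{host}: {proc} opened {count} IMAP connection(s)")
```

The allowlist has to reflect the mail clients actually deployed in the environment; anything outside it that speaks IMAP, especially a script interpreter running from a user-writable directory, deserves a closer look.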