
Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime

February 5, 2026

A newly identified banking Trojan known as Eternidade Stealer has been observed pushing Brazil’s cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool.

According to new research from Trustwave SpiderLabs, the malware combines a WhatsApp-propagating worm, a Delphi-based stealer and an MSI dropper to harvest financial data, system details and contact lists used for rapid lateral spread.

The researchers noted that a shift to Python for WhatsApp hijacking, along with dynamic command-and-control (C2) retrieval through IMAP, marks a notable evolution in the threat actor’s toolkit.

A Two-Payload Campaign

The campaign relies on an obfuscated VBScript that downloads two payloads: a Python-written WhatsApp worm and an installer that deploys a Delphi-built banking Trojan.

Shorter, more agile scripting enables attackers to automate WhatsApp messaging, extract contact lists using wppconnect libraries and push malicious files to victims. Messages adapt their greeting based on the time of day and insert the recipient’s name.

The Eternidade Stealer component activates only on systems using Brazilian Portuguese and scans for banking, fintech and cryptocurrency applications before triggering credential-harvesting overlays. The malware also stores hard-coded email credentials that allow it to pull fresh C2 details from an IMAP mailbox for extra resilience against takedowns.

How the Malware Operates

The dropper installs several components, including AutoIt-based scripts that perform reconnaissance, detect antivirus tools, gather system telemetry and decrypt embedded payloads.

Once active, the stealer checks for prior infection, collects host information and browser window details and targets applications from banks such as Itaú, Santander, Bradesco and Caixa, along with services like MercadoPago and Binance, among others.

Key capabilities include:

  • Dynamic C2 discovery using IMAP

  • WhatsApp contact theft and automated message distribution

  • Banking overlays for credential interception

  • Process hollowing via Delphi injectors

  • System profiling and AV detection

Broader Infrastructure Findings

The Trustwave SpiderLabs team traced the campaign’s backend to several related domains and panels used for redirect management and victim tracking.

Logs showed 454 connection attempts from 38 countries, with only a handful originating in Brazil, despite the malware’s regional focus.

Most visitors used desktop systems, suggesting that the campaign was designed for workstation environments rather than mobile endpoints.

“Cybersecurity defenders should remain vigilant for suspicious WhatsApp activity, unexpected MSI or script executions and indicators linked to this ongoing campaign,” the researchers concluded.
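A triage sketch for two of the behaviours described above: IMAP traffic from a process that is not a mail client (the dynamic C2 lookup) and a script host launching an MSI installer or Python. This is an added example, not code from Trustwave SpiderLabs or the original article; the event field names, the mail-client allowlist, the parent/child heuristic and all sample events are constructed assumptions.

```python
from pathlib import PureWindowsPath

IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist, tune per estate
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WATCHED_CHILDREN = {"msiexec.exe", "python.exe", "pythonw.exe"}

# Constructed sample telemetry (not from the report); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "proc", "host": "ws-01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "net", "host": "ws-01", "image": r"C:\Users\Public\helper.exe",
     "dest": "203.0.113.10", "dport": 993},
    {"type": "net", "host": "ws-02", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dest": "198.51.100.5", "dport": 993},
    {"type": "proc", "host": "ws-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "proc", "host": "ws-04", "parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Python312\python.exe"},
]

def exe(path):
    """Lower-cased executable name from a Windows path."""
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (host, rule, detail) tuples for the two behaviours of interest."""
    findings = []
    for ev in events:
        image = exe(ev["image"])
        if ev["type"] == "net" and ev["dport"] in IMAP_PORTS and image not in MAIL_CLIENTS:
            findings.append((ev["host"], "imap-from-non-mail-process",
                             f'{image} -> {ev["dest"]}:{ev["dport"]}'))
        elif (ev["type"] == "proc" and exe(ev["parent"]) in SCRIPT_HOSTS
              and image in WATCHED_CHILDREN):
            findings.append((ev["host"], "script-host-spawned-msi-or-python",
                             f'{exe(ev["parent"])} -> {image}'))
    return findings

def hosts_matching_both(findings):
    """Hosts that triggered both rules: the highest-priority triage candidates."""
    rules_by_host = {}
    for host, rule, _ in findings:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) == 2)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("priority:", hosts_matching_both(triage(SAMPLE_EVENTS)))
```

Either rule alone will produce benign hits (administrative scripts, niche mail tools), which is why the sketch ranks hosts that match both.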
