Brazilian cryptocurrency users face a serious new threat as cybercriminals deploy sophisticated malware through WhatsApp messages.

WhatsApp Worm Spreads Banking Trojan Across Brazil, Targets Crypto Wallets

The campaign uses a banking trojan called Eternidade Stealer that specifically targets crypto wallets and financial logins across Latin America’s largest digital asset market.

How the Attack Works

The malware spreads through WhatsApp using two main components: a self-replicating worm and a banking trojan. When victims click a malicious link sent via WhatsApp, they trigger an automated sequence that hijacks their account and downloads harmful software in the background.

Trustwave SpiderLabs researchers identified this campaign in November 2025. The researchers noted that threat actors use fake government programs, delivery notifications, and fraudulent investment groups to trick people into clicking malicious links.

The worm component hijacks WhatsApp accounts and accesses contact lists. It uses smart filtering to ignore business contacts and groups, focusing instead on individual people who are more likely to fall for the scam. The malware then automatically sends personalized messages to each contact, using their real names and time-appropriate greetings in Portuguese.

Source: trustwave.com

Meanwhile, the banking trojan quietly installs itself on the victim’s device. This Eternidade Stealer scans for financial applications and crypto wallets running on the computer. When it detects banking apps or crypto exchanges, the malware immediately activates and begins stealing login credentials.

Targeted Financial Services and Crypto Platforms

The malware targets a wide range of Brazilian financial institutions including major banks like Bradesco, BTG Pactual, Itaú, Santander, and Caixa Econômica Federal. Payment services such as MercadoPago and Stripe are also on the target list.

For cryptocurrency users, the threat is particularly severe. The malware hunts for credentials from exchanges including Binance, Coinbase, Kraken, and numerous others. It also targets popular crypto wallets like MetaMask, Trust Wallet, Exodus, Ledger Live, and Phantom Wallet among many others.

Brazil represents an attractive target for cybercriminals because of its significant crypto adoption. The country ranks fifth globally on the Chainalysis crypto adoption index and processed approximately $319 billion in crypto transactions between mid-2024 and mid-2025.

Advanced Evasion Techniques

What makes Eternidade Stealer particularly dangerous is its clever approach to avoiding detection. Unlike typical malware that connects to fixed server addresses, this trojan uses email accounts to receive instructions from hackers.

The malware contains hardcoded login credentials for Gmail accounts. It connects to these accounts using standard email protocols (IMAP) to check for new commands. This method blends in with normal email traffic, making it harder for security systems to detect and block.

If authorities shut down one command server, the attackers simply send a new email with updated server addresses. The malware checks the email, extracts the new server location, and continues operating. This email-based system helps the malware maintain persistence and evade network-level shutdowns.
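One way to hunt for the IMAP command channel described above is to flag IMAP connections made by anything other than an approved mail client. This is an added example, not code from Trustwave or the original article; the log format, host names, process paths and allowlist are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

IMAP_PORTS = {143, 993}

# Assumption: full paths of the mail clients approved in this environment.
# Matching the whole path, not just the file name, keeps a binary named
# outlook.exe in a user-writable folder from passing as a mail client.
APPROVED_CLIENTS = {
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}

# Constructed records: timestamp,host,process image,destination,port
SAMPLE_LOG = r"""
2025-11-20T09:00:05,WS-014,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,imap.gmail.com,993
2025-11-20T09:01:10,WS-022,C:\Users\ana\AppData\Roaming\updater\svc_helper.exe,imap.gmail.com,993
2025-11-20T09:02:00,WS-022,C:\Program Files\Google\Chrome\Application\chrome.exe,www.example.com,443
2025-11-20T09:06:10,WS-022,C:\Users\ana\AppData\Roaming\updater\svc_helper.exe,imap.gmail.com,993
2025-11-20T09:07:30,WS-031,C:\Users\rui\Downloads\outlook.exe,imap.gmail.com,993
2025-11-20T09:11:10,WS-022,C:\Users\ana\AppData\Roaming\updater\svc_helper.exe,imap.gmail.com,993
2025-11-20T09:12:30,WS-031,C:\Users\rui\Downloads\outlook.exe,imap.gmail.com,993
2025-11-20T09:15:00,WS-040,C:\Tools\sync_job.exe,mail.example.org,143
""".strip()


def find_unexpected_imap(log_text, min_hits=2):
    """Return (host, image) pairs that reached IMAP ports from unapproved binaries."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, image, dest, port = row
        if not port.isdigit() or int(port) not in IMAP_PORTS:
            continue
        if image.lower() in APPROVED_CLIENTS:
            continue
        hits[(host, image)].append((ts, dest))
    return [
        {"host": host, "image": image, "count": len(events),
         "first_seen": min(ts for ts, _ in events),
         "destinations": sorted({d for _, d in events})}
        for (host, image), events in sorted(hits.items())
        if len(events) >= min_hits
    ]


if __name__ == "__main__":
    for finding in find_unexpected_imap(SAMPLE_LOG):
        print(finding)
```

Repeated hits from the same unapproved binary, as on WS-022 in the sample, are consistent with a process polling a mailbox for commands; `min_hits=1` widens the net to single connections at the cost of more noise.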

The trojan also only activates on computers using Brazilian Portuguese as the system language. If it detects any other language, the malware immediately terminates itself. This hyper-focused targeting helps the attackers avoid security researchers and focus resources on their intended victims.

Security researchers have tracked multiple related campaigns targeting Brazilian users through WhatsApp. In September 2025, Trend Micro identified a campaign called Water Saci that spread malware named SORVEPOTEL. This campaign infected government organizations, manufacturing companies, and educational institutions across Brazil.

Another banking trojan called Maverick has also been spreading through WhatsApp since early 2025. These campaigns share similar techniques, including WhatsApp hijacking and targeting Brazilian financial institutions.

The Eternidade Stealer campaign represents an evolution of these earlier threats. The attackers shifted from PowerShell scripts to Python programming, making their worm more efficient at spreading through WhatsApp contacts. They also added the innovative email-based command system that makes the malware harder to shut down.

Security logs from the threat actors’ own infrastructure revealed surprising global reach. While the malware targets Brazil specifically, connection attempts came from 38 different countries. The United States showed the highest number of connections with 196 attempts, followed by the Netherlands, Germany, and the United Kingdom.

Protection Steps for Users and Organizations

WhatsApp users should exercise extreme caution with any links received through the app, even from trusted contacts. If someone sends an unexpected link with limited context, verify it through a different communication channel before clicking.

Security experts recommend several protective measures. Keep all software and operating systems updated to patch vulnerabilities that malware might exploit. Install reputable antivirus software that can detect and block malicious files. Be especially suspicious of messages about government programs, delivery notifications, or investment opportunities that arrive unexpectedly.

If someone suspects their account has been compromised, immediate action is critical. Freeze access to all banking and cryptocurrency accounts right away. Contact financial institutions and exchanges to report the breach. Monitor all transactions closely, as this can help authorities track stolen funds and potentially freeze hacker wallets.

Organizations face additional responsibilities in protecting their networks. IT administrators should configure corporate devices to disable automatic downloads of media and documents on WhatsApp. Use endpoint security and firewall policies to restrict file transfers through personal messaging apps on work computers.

The growing threat of crypto wallet attacks extends beyond Brazil. Similar malware campaigns have targeted users worldwide, with attackers constantly developing new techniques to steal digital assets. Hardware wallets that require physical confirmation of transactions remain the most secure option for storing cryptocurrency.

Brazil’s evolving crypto landscape makes it an increasingly attractive target. The country is considering adding Bitcoin to national reserves and implementing comprehensive stablecoin regulations, developments that signal growing mainstream adoption. This increased activity naturally draws more attention from cybercriminals seeking to exploit users.

The Digital Arms Race Continues

The Eternidade Stealer campaign demonstrates how cybercriminals rapidly adapt their tactics to exploit popular platforms like WhatsApp. Their use of email-based command systems and hyper-targeted geographic filtering shows sophisticated operational security. As Brazil’s crypto market continues growing, users must remain vigilant against evolving social engineering attacks that leverage trust in everyday communication tools. The best defense combines healthy skepticism toward unexpected messages, robust security software, and immediate response protocols when compromise occurs.
