- WhatsApp worm and trojan combo targets Brazilian crypto users with stealthy account hijacks.
- Malware uses a Gmail-based command system to evade shutdowns and update its operations.
- Redirector panel logs show global exposure, with most connection attempts from desktop systems.
Brazilian authorities and cybersecurity analysts have raised an alarm over a fast-spreading malware campaign that is using WhatsApp messages to target crypto users through automated account hijacking and a sophisticated banking trojan.
The operation, identified by researchers at Trustwave SpiderLabs, links a WhatsApp-propagated worm to a threat tool known as Eternidade Stealer, allowing attackers to obtain banking credentials, crypto exchange logins, and other sensitive financial information from infected devices.
Researchers Trace Coordinated Activity Through WhatsApp-Based Lures
According to SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi, the campaign relies on social-engineering messages that imitate government notices, delivery updates, fraudulent investment groups, or even contacts from friends.
Once a victim opens the malicious link, both the worm and the banking trojan install simultaneously. The worm immediately seizes the victim’s WhatsApp account, extracts the contact list, and filters out groups or business numbers to prioritize one-to-one targeting.
During this process, the companion trojan delivers the Eternidade Stealer payload. The malware then scans the system for credentials linked to Brazilian banking platforms, fintech accounts, and crypto-related services, including wallets and exchanges. Researchers argue that this dual-stage structure has become increasingly common in Brazil’s cybercrime ecosystem, which has utilized WhatsApp for past campaigns, such as Water Saci, spanning 2024 and 2025.
Malware Uses Gmail-Based Command Retrieval to Evade Takedowns
Investigators report that the malware avoids traditional network shutdowns by using a preset Gmail account to receive updated commands. Instead of depending on a fixed command-and-control (C2) server, it logs into the hardcoded email address, checks for the latest instructions, and only falls back to a static C2 domain if the email is unreachable. SpiderLabs referred to this method as a way to maintain persistence while reducing the likelihood of detection.
Related: New Malware Threat: Cthulhu Stealer Targets Mac and Crypto
During infrastructure mapping, analysts linked the initial domain, *serverseistemasatu[.]com,* to a server hosting multiple threat-actor panels, including a Redirector System used to track incoming connections. Of the 453 visits logged, 451 were blocked due to geographic restrictions, allowing only Brazil and Argentina.
However, log data showed 454 communication attempts across 38 countries, including the United States (196), the Netherlands (37), Germany (32), the United Kingdom (23), and France (19). Only three interactions originated from Brazil.
The panel also recorded OS statistics indicating 40% of connections came from unidentified systems, followed by Windows (25%), macOS (21%), Linux (10%), and Android (4%). Investigators stated that the data shows most interactions occurred from desktop environments.
Related: How Browser Wallet Permissions Were Exploited in the Latest LinkedIn Job Offer Scam
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.