WhatsApp Weaponized in Brazil as New Malware Campaign Targets Crypto Users
Quick Breakdown
- Cybercriminals in Brazil are using WhatsApp to spread a worm and banking trojan that steals crypto and financial data.
- The malware hijacks WhatsApp sessions, scans devices for banking and wallet apps, and propagates through victim contact lists.
- Rising crypto adoption in Brazil is attracting sophisticated threats, including AI-powered malware and cross-platform stealers.
Cybercriminals in Brazil have launched a sophisticated malware operation that uses WhatsApp as the primary delivery channel to hijack devices and steal financial data, including access to crypto wallets.
🚨 A new WhatsApp worm is spreading fast in Brazil.
It hijacks chats, sends fake messages to all your contacts, and installs a program that steals bank and crypto logins.
… and it updates itself through an email inbox to stay hidden.
Read here ↓
— The Hacker News (@TheHackersNews) November 19, 2025
The discovery was made by Trustwave’s SpiderLabs, which identified the campaign deploying the “Eternidade Stealer,” a tool designed to quietly extract sensitive information from banking apps, fintech platforms, and crypto exchanges.
Social engineering fuels the infection chain
According to researchers, the attackers rely heavily on WhatsApp-based social engineering, sending victims messages disguised as government benefits, delivery updates, or investment opportunities. Once a user taps the malicious link, an automated sequence takes over, hijacking the victim’s WhatsApp session and downloading an MSI installer in the background.
This installer deploys a Delphi-based banking trojan that scans the device for financial applications such as Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, and Trust Wallet. The moment it detects one of these applications, the malware decrypts and launches its next-stage payload.
Self-spreading worm and stealthy C2 communication
One of the campaign’s more alarming traits is its ability to spread itself. The worm accesses the victim’s WhatsApp contact list and automatically sends the malicious link to new targets.
To stay hidden, the malware retrieves commands from a Gmail inbox using IMAP over SSL, a tactic that blends with normal user activity and bypasses many network defences. If that fails, it falls back to a hardcoded command-and-control address.
SpiderLabs described this approach as a “clever” method of maintaining persistence while evading detection or takedowns.
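As an added example (not from the article or from SpiderLabs), one way a defender could surface the IMAP-over-SSL command channel described above is to flag connections to port 993 made by processes that are not known mail clients. The CSV log layout, the allowlist, and the sample events are assumptions constructed for illustration.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Assumption: the only processes expected to speak IMAPS in this environment.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IMAPS_PORT = 993

# Constructed sample telemetry (not from the report):
# timestamp, host, process image, destination host, destination port
SAMPLE_EVENTS = r"""2025-11-19T10:00:01Z,WS-01,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,imap.gmail.com,993
2025-11-19T10:02:14Z,WS-02,C:\Users\ana\AppData\Roaming\example\updater.exe,imap.gmail.com,993
2025-11-19T10:07:14Z,WS-02,C:\Users\ana\AppData\Roaming\example\updater.exe,imap.gmail.com,993
2025-11-19T10:03:40Z,WS-03,C:\Program Files\Google\Chrome\Application\chrome.exe,mail.google.com,443
2025-11-19T10:05:09Z,WS-04,C:\Users\rui\Downloads\sample_app.exe,imap.gmail.com,993
not,a,valid,line
"""


def find_unexpected_imaps(log_text, allowed=ALLOWED_MAIL_CLIENTS):
    """Return {(host, process): [timestamps]} for IMAPS traffic from non-mail processes."""
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, host, image, _dest, port = (field.strip() for field in row)
        if not port.isdigit() or int(port) != IMAPS_PORT:
            continue  # browser webmail over 443 is out of scope here
        proc = ntpath.basename(image).lower()  # Windows path, any host OS
        if proc not in allowed:
            hits[(host, proc)].append(ts)
    return {key: sorted(times) for key, times in hits.items()}


if __name__ == "__main__":
    for (host, proc), times in find_unexpected_imaps(SAMPLE_EVENTS).items():
        print(f"{host}: {proc} made {len(times)} IMAPS connection(s), first at {times[0]}")
```

Matching on the process file name alone is easy to evade by renaming a binary, so in practice pair the allowlist with the full image path or a code-signing check.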
Brazil’s crypto boom draws cybercriminal attention
Brazil’s rapid surge in crypto adoption, ranking fifth on the Chainalysis Global Crypto Adoption Index and leading Latin America by trading volume, has made the nation an appealing target for financially motivated attackers. Interest has grown even further as the government explores plans for a national Bitcoin reserve and more robust regulatory frameworks.
This latest operation follows other recent threats. In September, Mosyle uncovered “ModStealer,” a cross-platform malware targeting browser wallet extensions on macOS, Windows, and Linux. Meanwhile, Google’s Threat Intelligence Group reported that malicious actors are now using AI to develop malware capable of rewriting its own code on the fly.