Brazilian crypto users hit by WhatsApp malware campaign targeting crypto wallets

Bad actors are weaponizing WhatsApp to deliver a hijacking worm and banking trojan in Brazil that targets their crypto wallets.

Trustwave’s cybersecurity research team SpiderLabs has uncovered a major campaign involving the Eternidade Stealer, which can quietly harvest financial information, login data, and other sensitive details associated with banking portals, fintech apps, and crypto exchanges on the victim’s device.

Threat actors were found to be using complex social engineering schemes involving “fake government programs, delivery notifications, and even fraudulent investment groups shared through WhatsApp messages and groups,” the report said.

Attackers are using a two‑stage process to deliver the malicious payload that includes a WhatsApp‑propagating worm and a Delphi‑based banking trojan. When the victim clicks a worm link, it triggers an automated sequence that hijacks the WhatsApp session, downloads the MSI installer in the background, and deploys the stealer that scans for financial applications and crypto wallets.

“When it detects a match, for example, a window title or process name linked to Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, Trust Wallet, or another financial brand, the malware immediately decrypts and activates its next-stage payload,” Spiderlabs researchers explained.

Another concerning trait of the campaign, besides its stealthy nature, is that the worm is able to access the victim’s contact list, which lets it target other potential victims.

Meanwhile, it prevents detection by using “hardcoded credentials to log into its email account,” which is retrieved from a Gmail inbox controlled by the operator. By using IMAP over SSL to fetch commands, a method that blends with ordinary user email traffic, the malware is able to bypass network filters and remain difficult to trace.

“It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” researchers added.

SpiderLabs researchers have urged Brazilian crypto users to remain alert, especially on WhatsApp, which has become a favored tool for social engineering-based malware campaigns.

“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware,” researchers warned.

Crypto adoption in Brazil has soared over the past few years, and with recent developments like potential plans to establish a national Bitcoin reserve and enforce a proper regulatory framework, the country has drawn increased attention from global investors and local users alike. On the Chainalysis Global Crypto Adoption Index, Brazil ranks fifth, while it stands as Latin America’s largest crypto market by volume.

As such, it remains a prime target for scammers and other bad actors seeking to exploit inexperienced users or take advantage of poorly protected systems.

Eternidade Stealer is a kind of infostealer, which, as mentioned above, can silently monitor applications, extract sensitive credentials, and activate fake overlays to harvest user data..

Back in September, security platform Mosyle uncovered one such cross-platform threat called ModStealer that remained undetected for weeks and was found to be targeting crypto wallets across macOS, Windows, and Linux environments. By using obfuscated JavaScript code within a Node.js environment, the malware was able to infiltrate developer systems and exfiltrate private keys and clipboard data from over 50 browser wallet extensions.

More recently, a Google Threat Intelligence Group report warned that bad actors have started using artificial intelligence to develop malware that can rewrite its own code in real time, making it a lot harder to detect or neutralize.