Brazilian cryptocurrency investors are facing an increasingly sophisticated phishing scheme that leverages social engineering to deliver malware via WhatsApp. A new cybersecurity report details a recent campaign involving a malicious worm and banking trojan designed to steal sensitive financial data and disrupt user accounts, highlighting mounting risks in crypto markets and the importance of heightened vigilance in the digital asset space.
- Cybercriminals are exploiting WhatsApp’s popularity to distribute malware targeting Brazilian crypto users.
- The campaign involves a hijacking worm and Eternidade Stealer banking trojan, enabling widespread theft of financial information.
- The malware uses clever techniques such as email-based command and control to evade detection and shutdown.
- Brazil, as Latin America’s largest crypto adopter, remains a significant target for cyber threats in the crypto sector.
- Users are advised to exercise caution with links and delivery messages, keep software updated, and enable security measures.
Brazilian cryptocurrency owners are currently under threat from a sophisticated hacking campaign that employs both a hijacking worm and a financial malware known as Eternidade Stealer. These cyberattacks are being executed through WhatsApp messages that entice users into clicking malicious links, risking their crypto holdings and financial data.
According to a report from Trustwave’s cybersecurity research team SpiderLabs, the malicious campaign involves social engineering tactics, including messages about “fake government programs,” delivery notifications, or even correspondence from friends and fraudulent investment groups. The goal: to trick users into clicking links that trigger malware downloads.
“WhatsApp remains one of the most exploited communication channels in Brazil’s cybercrime ecosystem,” said SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi. “Threat actors have honed their tactics over the past two years, leveraging the platform’s widespread use to distribute banking trojans and data-stealing malware.”
Once the victim clicks on the malicious link, a chain reaction ensues. The worm infects the device, hijacks the user’s WhatsApp account, and accesses their contact list. It employs “smart filtering” to target specific contacts, avoiding groups and business contacts for discreet operations.
Meanwhile, the Eternidade Stealer banking trojan is silently downloaded onto the victim’s device. It quickly scans for banking and cryptocurrency login credentials related to Brazilian banks, fintech apps, and crypto exchanges. This theft poses a serious threat to digital asset security, especially given the recent surge in crypto adoption across Brazil, which remains Latin America’s leading market for cryptocurrency activity and ranks fifth globally for crypto adoption according to Chainalysis’s 2025 index.
The malware’s design incorporates a cunning method to evade detection. Instead of connecting to a fixed command-and-control server, it uses a pre-set Gmail account to receive instructions via email. This approach allows hackers to dynamically update commands and maintain control over infected devices, complicating efforts to counteract the malware’s spread.
“The malware uses hardcoded credentials to log into its email account, which it then uses to retrieve commands, making it resilient against takedowns,” the report explains. “If email communication fails, it defaults to a hardcoded fallback server.”
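For defenders, mailbox-based command and control leaves one huntable trace: a program that is not a mail client opening mail-protocol connections. The sketch below is an added example, not code from the SpiderLabs report; the log format, port list, client allowlist and all sample rows are constructed assumptions, since the article does not say which mail protocol the malware uses.

```python
import csv
import io
from collections import defaultdict

# Assumption: mailbox access uses the standard TLS mail ports.
MAIL_PORTS = {993: "IMAPS", 995: "POP3S", 465: "SMTPS", 587: "SUBMISSION"}
# Assumption: site-specific allowlist of programs expected to speak mail protocols.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample rows: timestamp,host,process_image,dest_host,dest_port
SAMPLE_LOG = r"""2025-01-10T09:00:01,WS-014,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,imap.gmail.com,993
2025-01-10T09:02:11,WS-022,C:\Users\ana\AppData\Local\Temp\updater.exe,imap.gmail.com,993
2025-01-10T09:07:12,WS-022,C:\Users\ana\AppData\Local\Temp\updater.exe,imap.gmail.com,993
2025-01-10T09:07:40,WS-022,C:\Program Files\Google\Chrome\chrome.exe,mail.google.com,443
2025-01-10T09:12:13,WS-022,C:\Users\ana\AppData\Local\Temp\updater.exe,203.0.113.7,8080
"""

def find_mail_beacons(log_text, approved=APPROVED_MAIL_CLIENTS):
    """Flag unapproved processes that open mail-protocol connections."""
    mail = defaultdict(list)   # (host, image) -> mail destinations contacted
    other = defaultdict(set)   # (host, image) -> non-mail endpoints contacted
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip blank or malformed lines
        _ts, host, image, dest, port = row
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in approved:
            continue
        if int(port) in MAIL_PORTS:
            mail[(host, image)].append(dest)
        else:
            other[(host, image)].add(f"{dest}:{port}")
    findings = []
    for (host, image), dests in sorted(mail.items()):
        findings.append({
            "host": host,
            "image": image,
            "mail_connections": len(dests),
            "mail_destinations": sorted(set(dests)),
            # Endpoints the same process also reached: review these as
            # candidates for the fallback server the report describes.
            "other_destinations": sorted(other[(host, image)]),
        })
    return findings

if __name__ == "__main__":
    for finding in find_mail_beacons(SAMPLE_LOG):
        print(finding)
```

Browser webmail over port 443 is deliberately not flagged; only direct mail-protocol sessions from unexpected binaries are.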
How to Stay Safe in Crypto and Messaging Apps
Crypto users should remain cautious when receiving links, even from trusted contacts. Verifying suspicious messages via a different communication channel is a good practice. Regularly updating software and employing robust anti-virus protections can also reduce the risk of infection.
If users suspect they have fallen prey to this malware, it is critical to immediately freeze access to all related crypto and banking accounts. Monitoring transactions enables authorities or exchanges to track and potentially freeze hacker assets, helping to prevent further losses.
As crypto markets grow, so does the need for comprehensive security awareness and proactive measures to protect digital assets from evolving cyber threats.


