Warning: WhatsApp worm targeting Brazilian crypto wallets and bank accounts
Brazilian crypto users are being warned about a new and sophisticated cyberattack spreading through WhatsApp. The campaign uses a combination of a self-spreading worm and a banking trojan to hijack accounts, steal financial logins, and drain funds from both traditional bank accounts and crypto wallets.
A recent report from Trustwave’s SpiderLabs reveals that the trojan—called “Eternidade Stealer”—is being distributed through social-engineering tricks on WhatsApp. Attackers send messages posing as government benefits, delivery updates, notes from friends, or “investment groups,” tricking people into clicking malicious links.
“WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem,” SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi wrote. “Over the past two years, hackers have refined their tactics, using the platform’s immense popularity to distribute banker trojans and information-stealing malware.”
How the attack works
In simple terms, clicking the infected WhatsApp link triggers a chain reaction: the worm installs itself, takes over the victim’s account, and simultaneously deploys the banking trojan.
The worm’s job is to hijack the user’s WhatsApp and harvest their contact list. Using “smart filtering,” it avoids business contacts and group chats, targeting only individual contacts so the infection spreads more efficiently.
At the same time, the banking trojan automatically downloads onto the device and quietly launches the Eternidade Stealer. This malware scans the device for financial data, login credentials, and wallet information tied to major Brazilian banks, fintech apps, crypto exchanges, and digital wallets.
A clever evasion technique
One of the most notable features of this malware is how it avoids being taken down. Instead of relying on a fixed server, it connects to a Gmail account using built-in credentials and checks for commands sent by the hackers through email messages. This setup allows attackers to update instructions whenever they want and makes the malware harder to block at the network level. If the Gmail account becomes unreachable, the malware will fall back to a secondary command-and-control (C2) address.
Why Brazil is being targeted
Brazil is currently Latin America’s largest crypto market and ranks fifth in Chainalysis’ 2025 Global Crypto Adoption Index. The index considers how heavily populations use various crypto services—along with their size and economic factors—making Brazil a prime target for financially motivated cybercriminals.
How to protect yourself
If you use WhatsApp or similar messaging apps, consider the following precautions:
- Be cautious with links, even if they come from someone you trust. Their account may have been compromised.
- Verify suspicious messages by contacting the sender through a different app before clicking anything.
- Keep your device and apps updated, as outdated software is more vulnerable to exploits.
- Use reputable antivirus software, which may detect or block harmful downloads.
If you believe your device has been compromised:
- Immediately freeze access to all banking and crypto accounts to prevent further theft.
- Contact your bank or exchange right away.
- Report the incident to relevant authorities and platforms.
- Track any outgoing transactions, as this may help investigators or exchanges identify and freeze hacker wallets.
