Date: 2025-11-20

Brazilian cybersecurity researchers from SpiderLabs have reported that a banking trojan known as “Eternidade Stealer” is being distributed through a combination of social engineering and WhatsApp hijacking to target financial data. The malware is geo-targeted: it checks whether the device's OS language is set to Brazilian Portuguese, and if it is not, it self-destructs.

WhatsApp worm + Eternidade Stealer

The attacker sends files or links via WhatsApp, mostly through WhatsApp Web, disguised as “fake government programs, delivery notifications,” messages from friends and fraudulent investment groups, all carrying the Python-based worm. Once someone opens the file or link, the worm infiltrates the device and delivers a Delphi-based banking trojan, Eternidade Stealer. The trojan runs in the background and scans for financial data and logins for a range of Brazilian banks, fintech services, crypto exchanges and wallets. Meanwhile, the worm keeps using the active WhatsApp session and self-propagates to personal contacts and groups, multiplying rapidly. Another distinctive tactic is that the malware does not rely on a fixed server. It checks a pre-set Gmail account and reads the subject or body of the most recent email in that inbox to retrieve its command-and-control addresses.

“One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,” read the report. Once installed, it can record keystrokes, take screenshots, and steal files.
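
For defenders, the email-based C2 lookup described above can be hunted for in endpoint network telemetry. The following Python code is an added example, not taken from the SpiderLabs report or this article: it flags processes that are not known mail clients but connect to a mailbox service, and raises the severity when the same process then contacts an unfamiliar destination shortly afterwards. The log schema, mailbox hostnames and ports, client allowlist, process names and five-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the report): mailbox endpoints, allowlist, window, log schema.
MAIL_HOSTS = {"imap.gmail.com", "pop.gmail.com"}
MAIL_PORTS = {993, 995}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WINDOW = timedelta(minutes=5)

# Constructed sample events: (timestamp, host, process, dest_host, dest_port)
SAMPLE_EVENTS = [
    ("2025-01-01T10:00:00", "pc-01", "thunderbird.exe", "imap.gmail.com", 993),
    ("2025-01-01T10:00:20", "pc-01", "thunderbird.exe", "smtp.gmail.com", 465),
    ("2025-01-01T10:05:00", "pc-02", "updater.exe", "imap.gmail.com", 993),
    ("2025-01-01T10:05:30", "pc-02", "updater.exe", "c2.example.test", 443),
    ("2025-01-01T11:00:00", "pc-03", "helper.exe", "imap.gmail.com", 993),
    ("2025-01-01T11:30:00", "pc-03", "helper.exe", "cdn.example.test", 443),
]

def find_dead_drop_lookups(events, known_dests=frozenset()):
    """Alert on non-mail-client processes that read a mailbox (medium) and
    then reach a destination outside known_dests within WINDOW (high)."""
    alerts, open_alert = [], {}
    for ts, host, proc, dest, port in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (host, proc.lower())
        if dest in MAIL_HOSTS and port in MAIL_PORTS:
            if key[1] in MAIL_CLIENTS:
                continue  # expected behaviour for an allowlisted mail client
            alert = {"host": host, "process": proc, "mail_at": when,
                     "severity": "medium", "followups": []}
            alerts.append(alert)
            open_alert[key] = alert
            continue
        alert = open_alert.get(key)
        if alert and when - alert["mail_at"] <= WINDOW and dest not in known_dests:
            alert["followups"].append(dest)  # candidate C2 address to triage
            alert["severity"] = "high"
    return alerts

if __name__ == "__main__":
    for a in find_dead_drop_lookups(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["process"], a["followups"])
```

This logic does not cover the hardcoded fallback C2 address, which the malware uses when the mailbox is unreachable and no mail connection is logged.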

Trend of cyber attacks in Brazil