In Brazil, malicious actors are exploiting WhatsApp to distribute a banking trojan paired with a WhatsApp-hijacking worm, with cryptocurrency wallets as a primary target.
Overview
- Trustwave’s SpiderLabs has reported a malware campaign leveraging WhatsApp to distribute the Eternidade Stealer, aimed at crypto users.
- This malware collects sensitive user information related to crypto exchanges and banking accounts.
Trustwave’s cybersecurity division, SpiderLabs, has recently revealed a substantial campaign employing the Eternidade Stealer—a form of malware that stealthily gathers personal financial data, login credentials, and other sensitive information linked to banking applications, fintech services, and cryptocurrency exchanges.
The attackers engage in complex social engineering tactics, masquerading as “government aid programs, delivery notifications, and fake investment groups” to spread their malicious software throughout WhatsApp channels and groups, according to their report.
The attack delivers its payload in two stages: a WhatsApp worm and a Delphi-based banking trojan. When a victim clicks a link sent by the worm, a sequence starts that hijacks the victim's WhatsApp session and downloads an MSI (Windows Installer) package in the background. That package deploys the stealer, which then scans the infected machine for financial applications and crypto wallets.
“Upon detecting any recognizable interface, such as Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, Trust Wallet, or similar financial entities, the malware decrypts and activates a secondary payload,” the researchers from SpiderLabs elaborated.
Another alarming aspect of this campaign is the worm’s ability to access the victim’s contact list, enabling it to spread to other potential targets.
For command and control, the malware uses "hardcoded credentials to access its email account" and retrieves its commands from a Gmail inbox controlled by the operator. Because it fetches them over IMAP over SSL, the traffic is indistinguishable from ordinary encrypted mail at the network level, so it passes many network filters and is hard to trace. (Hardcoding the credentials also means they can be recovered from any captured sample.)
“This approach cleverly ensures its command and control (C2) updates continue, maintains persistence, and evades detection or intervention on a network level. If the malware fails to connect to the email account, it resorts to a hardcoded backup C2 address,” the researchers noted.
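Two of the behaviours described above are cheap to hunt for in endpoint telemetry: a Windows Installer launched from a messaging app or browser (or silently from a URL), and an IMAPS connection (TCP 993) from a process that is not a known mail client. The following is an added detection example written for this article, not code from Trustwave's report; the event records are constructed, and the simplified Sysmon-like field names (`image`, `parent_image`, `cmdline`, `dest_host`, `dest_port`) and the allow-lists of mail clients and messaging parents are assumptions to be adapted to your own environment.

```python
"""Detection heuristics for the Eternidade delivery and C2 behaviours.

Added example (not Trustwave's code). The event schema below is an assumed,
simplified Sysmon-like layout: process-creation events carry 'image',
'parent_image' and 'cmdline'; network events carry 'image', 'dest_host'
and 'dest_port'. Adjust field names and allow-lists for your telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list: processes expected to speak IMAPS legitimately.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Assumed list of parents that should never launch Windows Installer.
MESSAGING_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: dict) -> Optional[Finding]:
    """Flag msiexec spawned by a messaging app/browser, or a silent install
    pulled straight from a URL (the background MSI drop described above)."""
    if basename(ev["image"]) != "msiexec.exe":
        return None
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "")
    quiet = re.search(r"(^|\s)/(q|qn|quiet)\b", cmd, re.I) is not None
    from_url = re.search(r"https?://", cmd, re.I) is not None
    if parent in MESSAGING_PARENTS:
        return Finding("msiexec_from_messaging_app", ev["id"], f"parent={parent} cmd={cmd}")
    if from_url and quiet:
        return Finding("silent_remote_msi", ev["id"], f"parent={parent} cmd={cmd}")
    return None


def check_network_event(ev: dict) -> Optional[Finding]:
    """Flag IMAPS (993) connections from anything but a known mail client:
    the C2-over-Gmail pattern described above."""
    image = basename(ev["image"])
    if ev.get("dest_port") == 993 and image not in MAIL_CLIENTS:
        return Finding("imaps_from_non_mail_client", ev["id"],
                       f"process={image} dest={ev.get('dest_host')}")
    return None


def run_detections(events) -> list:
    """Apply the rule matching each event's type; return all findings in order."""
    findings = []
    for ev in events:
        f = check_process_event(ev) if ev["type"] == "process" else check_network_event(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real campaign data). Event 1 is the worm's
# background MSI drop, event 3 a silent install from a URL, event 5 the C2
# check-in; events 2, 4 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\update.msi /qn"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\7zip.msi"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i http://example.invalid/pkg.msi /quiet"},
    {"id": 4, "type": "network",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "imap.gmail.com", "dest_port": 993},
    {"id": 5, "type": "network", "image": r"C:\Users\u\AppData\Roaming\svc\updater.exe",
     "dest_host": "imap.gmail.com", "dest_port": 993},
    {"id": 6, "type": "network", "image": r"C:\Users\u\AppData\Roaming\svc\updater.exe",
     "dest_host": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

The IMAPS rule is the one that matters most here: the article notes the traffic itself blends in with normal mail, so the useful signal is which process opened the connection, not the destination. The fallback to a hardcoded C2 address is not covered by these rules and is better handled with the indicators from the original report.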
SpiderLabs has advised Brazilian cryptocurrency users to exercise heightened caution, particularly on WhatsApp, which has become a predominant channel for social engineering malware campaigns.
“WhatsApp remains one of the most exploited platforms within Brazil’s cybercrime landscape. In recent years, malicious actors have refined their tactics using the widespread nature of the app to disseminate banking trojans and information-stealing malware,” the findings underline.
In recent years, Brazil’s cryptocurrency adoption has skyrocketed. Recent initiatives, such as potential plans for a national Bitcoin reserve and a structured regulatory environment, have captured the interest of both local users and global investors. According to the Chainalysis Global Crypto Adoption Index, Brazil ranks fifth globally, operating as the largest crypto market by trading volume in Latin America.
Consequently, it remains an attractive target for scammers and cybercriminals looking to exploit inexperienced users or poorly secured systems.
The Eternidade Stealer functions as an infostealer, capable of monitoring activity across various applications, extracting sensitive credentials, and deploying deceptive overlays to gather user data.
Back in September, security platform Mosyle detected a cross-platform threat named ModStealer, which remained hidden for several weeks while targeting crypto wallets across macOS, Windows, and Linux systems. Utilizing obfuscated JavaScript in a Node.js environment, it infiltrated developer systems and extracted private keys and clipboard data from an array of browser wallet extensions.
Moreover, recent reports from the Google Threat Intelligence Group have indicated that malicious actors are increasingly employing artificial intelligence to develop adaptable malware that can rewrite its own code on-the-fly, thereby complicating detection or neutralization efforts.