Brazil has recently experienced a major surge in banking‑trojan attacks that are spreading through WhatsApp. The attackers, identified as the Water Saci group, are distributing malicious files such as HTML applications or PDFs. When opened, these files trigger the download and installation of a trojan on the victim’s device. Unlike earlier versions that relied on PowerShell scripts, the latest variant uses a Python‑based worm that automatically spreads to the victim’s WhatsApp contacts, making the malware self-propagating.
Once installed, the malware runs silently in the background, monitoring active windows for banking websites, payment platforms, or cryptocurrency wallets. If the victim opens one of these, the trojan activates, logging keystrokes, taking screenshots, displaying fake login pages, and even intercepting credentials. It can also remotely control the system, manipulate mouse clicks, and execute unauthorized actions without the user noticing.
The trojan ensures persistence by re-launching automatically whenever the user opens a browser or restarts the system. Its WhatsApp-based propagation method turns each infected device into a hub, sending malicious files to all contacts and dramatically increasing the malware’s reach. Security experts consider this campaign particularly dangerous due to the combination of automated spreading, advanced evasion, and financially targeted attacks. Authorities are warning users to be extremely cautious with attachments, even from trusted contacts, and to verify files before opening them to prevent infections.