Brazilian Crypto Holders Targeted via WhatsApp by Malware Worm

Cybercriminals are targeting crypto holders in Brazil using a malicious campaign on WhatsApp. They’re spreading a banking trojan called Eternidade Stealer through self-propagating worm messages. According to security researchers, attackers send deceptive messages that look like they come from friends, government programs, or investment groups to trick users into clicking links.

When people click these links, their WhatsApp accounts can be hijacked — the worm takes over the account and harvests its contact list, but filters out business contacts and groups so it targets personal contacts more efficiently.

The banking trojan then quietly installs itself on the victim’s device. Once active, it searches for credentials and financial data from Brazilian banks, crypto exchanges, and wallet apps — allowing attackers to siphon off crypto and sensitive financial information.

One clever trick: the malware doesn’t use a static command-and-control (C2) server. Instead, it retrieves its C2 address dynamically via a Gmail account using IMAP. If that fails, it falls back to a hardcoded backup server.
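The following is an added example, not code from the SpiderLabs report or from the malware: a defender-side check that flags IMAP sessions opened by processes that are not mail clients and lists what the same process connected to shortly afterwards. The log format, process names, destination hosts, allowlist and 60-second window are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events (not from the report): time, host, process, dest, port
SAMPLE_LOG = """\
2025-01-10T09:00:01,ws-01,thunderbird.exe,imap.gmail.com,993
2025-01-10T09:00:05,ws-01,thunderbird.exe,smtp.gmail.com,465
2025-01-10T09:02:10,ws-02,updater.exe,imap.gmail.com,993
2025-01-10T09:02:14,ws-02,updater.exe,c2.example.invalid,443
2025-01-10T09:05:00,ws-03,outlook.exe,imap.gmail.com,993
2025-01-10T09:30:00,ws-02,updater.exe,cdn.example.invalid,443
"""

IMAP_PORTS = {143, 993}
# Assumption: the site's approved mail clients; tune per environment.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}
# Assumption: how soon after the IMAP session a follow-on connection counts.
FOLLOW_WINDOW = timedelta(seconds=60)

def parse(log_text):
    """Parse the constructed CSV format into a list of event dicts."""
    rows = csv.reader(io.StringIO(log_text))
    return [
        {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc.lower(),
         "dest": dest.lower(), "port": int(port)}
        for ts, host, proc, dest, port in rows
    ]

def find_imap_lookups(events):
    """Flag IMAP sessions from non-mail processes and collect the non-IMAP
    destinations the same process on the same host reached within the window."""
    findings = []
    for ev in events:
        if ev["port"] not in IMAP_PORTS or ev["proc"] in MAIL_CLIENTS:
            continue
        followups = [
            o["dest"] for o in events
            if o["host"] == ev["host"] and o["proc"] == ev["proc"]
            and o["port"] not in IMAP_PORTS
            and timedelta(0) < o["ts"] - ev["ts"] <= FOLLOW_WINDOW
        ]
        findings.append({"host": ev["host"], "proc": ev["proc"],
                         "imap_server": ev["dest"], "followups": followups})
    return findings

if __name__ == "__main__":
    for finding in find_imap_lookups(parse(SAMPLE_LOG)):
        print(finding)
```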

SpiderLabs, the security team behind the report, warns that this shows just how dangerous WhatsApp has become in Brazil’s cyber-criminal ecosystem — and that users should be extremely careful when clicking links, even from contacts.
