Brazil’s WhatsApp Plague: The Python Worm Hijacking Phones and Stealing Bank Accounts
A new WhatsApp worm, powered by Python, is sweeping through Brazil, spreading bank-stealing malware and exploiting the country’s love of chat apps for a cybercrime gold rush.
Fast Facts
- A Python-based worm spreads banking malware via WhatsApp in Brazil.
- The campaign uses social engineering and hijacked accounts to distribute “Eternidade Stealer.”
- Malware targets only Brazilian users by checking system language.
- Attackers use clever tricks to update their control servers and evade detection.
- Similar WhatsApp-based malware campaigns have hit Brazil in recent months.
A Digital Wildfire in Brazil’s Chatrooms
Picture a digital wildfire racing through millions of smartphones, fueled not by dry leaves but by WhatsApp messages. In Brazil, where WhatsApp is as common as coffee, a new cybercrime campaign is using the chat app as both match and kindling, spreading a banking trojan called Eternidade Stealer at unprecedented speed. The operation blends old-school tricks with modern code, and the result is a banking malware outbreak that’s both highly targeted and frighteningly effective.
How the Scam Works: From Script to Stealer
The attack begins innocuously, with an email or message containing an obfuscated script; comments written in Portuguese hint at its local flavor. When run, this script drops two payloads: a Python program that hijacks WhatsApp Web and an installer that launches the actual banking trojan. The Python worm uses open-source tools to automatically message all of a victim’s WhatsApp contacts (excluding businesses and groups), attaching a malicious file and personalizing each message with names and greetings. Like a gossip chain gone rogue, each compromised phone becomes a new node, spreading the infection to more users.
The second payload, delivered quietly in the background, checks whether the system is set to Brazilian Portuguese. If not, it simply quits, proof that the attackers want only Brazilian targets. If the check passes, it scans for security software, gathers system details, and injects the banking stealer into a system process. The malware then lies in wait, invisible, until the victim opens a banking or crypto app. Only then does it strike, stealing credentials, recording keystrokes, and sending everything to the criminals’ remote server.
Why Brazil? A Hotspot for Banking Malware
Banks in Brazil have long been a favorite target for cybercriminals, thanks to a large online banking population and a history of using the Delphi programming language, which is still taught in the region. Eternidade Stealer, like many Latin American malware families, is written in Delphi, making it both technically efficient and locally familiar. Similar WhatsApp worm campaigns, like Water Saci and SORVEPOTEL, have recently hit Brazil, showing a trend: cybercriminals are exploiting the country’s reliance on WhatsApp as a trusted communication tool.
Trustwave’s analysis reveals that while the campaign is laser-focused on Brazil, its infrastructure logs connections from around the globe, proof that even localized attacks can have global echoes. The malware’s command-and-control servers are cleverly hidden, with fallback addresses and dynamic updates fetched from email inboxes, making takedowns difficult and persistence easier.
What’s Next? Lessons Beyond Brazil
This campaign is a warning shot for the world. As messaging apps become central to daily life, they also become highways for cybercrime. The clever use of automation, localization, and social engineering in this WhatsApp worm shows how quickly trust can be weaponized. Security experts urge everyone, especially in regions where WhatsApp dominates, to watch for suspicious messages, unexpected file downloads, and odd account activity. The digital wildfire may be burning brightest in Brazil, but the sparks can travel far.
WIKICROOK
- WhatsApp Worm: A WhatsApp Worm is malware that spreads by sending itself to a victim’s contacts, using each infected account to reach more users automatically.
- Banking Trojan: A Banking Trojan is malware that targets financial data by stealing banking credentials and personal information, often by mimicking trusted apps.
- Process Hollowing: Process hollowing is a technique where malware hides in a legitimate program’s memory, allowing it to evade detection and execute malicious actions.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.