Cryptocurrency holders in Brazil are being urged to be wary of sophisticated hacking campaigns involving hijacking worms and banking Trojans shared via WhatsApp messages.
A banking Trojan known as ‘Eternidade Stealer’ is being pushed through social engineering on the messaging application WhatsApp, including ‘fake government programs, delivery notifications’ and messages from friends and fraudulent investment groups, according to a new report from SpiderLabs, Trustwave’s cybersecurity research team.
“WhatsApp continues to be one of the most abused communication channels in the Brazilian cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, including leveraging the platform’s immense popularity to distribute banking Trojans and information-stealing malware,” said SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi.
In practice, clicking on a worm link on WhatsApp sets off a chain reaction in which the victim is infected with both the worm and the banking Trojan.
The worm takes over the account and obtains the victim’s contact list. It uses “smart filtering” to ignore business contacts and groups and target individual contacts for a more efficient process.
The banking Trojan, on the other hand, is a file that is automatically downloaded to the victim’s device and can deploy Eternidade Stealer in the background, scan financial data and log into various Brazilian banks, fintechs, crypto exchanges and wallets.

[Infographic: how the malware attacks devices and how the hack progresses. Source: SpiderLabs]
The malware also has clever ways to evade detection and shutdown. Instead of relying on a fixed server address, it checks for new commands via email using a pre-configured Gmail account. This allows the hackers to send new emails and change commands.
“One notable feature of this malware is that it uses hard-coded credentials to log into the email account and retrieve the C2 server from there. This is a very clever way to update the C2, maintain persistence, and evade detection and removal at the network level. If the malware cannot connect to the email account, it uses a hard-coded fallback C2 address,” the report states.
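A defender-side hunting sketch for the behaviour described above, added here as an example and not taken from the SpiderLabs report: it flags processes other than known mail clients that connect to Gmail mail hosts and lists where each one connects next. The log format, the IMAP/POP3 host names, the allowlist, the time window and every sample line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumptions (not from the report): mail is fetched over IMAP/POP3 from these
# Gmail hosts, and the endpoint log has "time process dest_host:port" fields.
GMAIL_MAIL_HOSTS = {"imap.gmail.com", "pop.gmail.com"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # site-specific allowlist
WINDOW = timedelta(minutes=5)  # how long after the mail login to look

# Constructed sample log; process and host names are placeholders.
SAMPLE_LOG = """\
2025-01-10T09:00:01 thunderbird.exe imap.gmail.com:993
2025-01-10T09:02:10 chrome.exe www.example.com:443
2025-01-10T09:05:30 updater_x.exe imap.gmail.com:993
2025-01-10T09:05:41 updater_x.exe c2.example.net:443
2025-01-10T09:30:00 updater_x.exe cdn.example.org:443
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+([^\s:]+):(\d+)$")

def parse(log):
    """Yield (time, process, host, port) tuples, skipping malformed lines."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, proc, host, port = m.groups()
            yield datetime.fromisoformat(ts), proc.lower(), host.lower(), int(port)

def hunt(log):
    """One finding per non-mail-client process that contacts a Gmail mail host,
    with the other destinations that process reached within WINDOW afterwards."""
    events = sorted(parse(log))
    findings = []
    for ts, proc, host, _port in events:
        if host in GMAIL_MAIL_HOSTS and proc not in MAIL_CLIENTS:
            follow = [f"{h}:{p}" for t, pr, h, p in events
                      if pr == proc and ts < t <= ts + WINDOW
                      and h not in GMAIL_MAIL_HOSTS]
            findings.append({"process": proc, "mail_host": host,
                             "time": ts.isoformat(), "follow_up": follow})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The rule does not cover the hard-coded fallback address mentioned in the quote, since that path involves no mail login to key on.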
According to data from Chainalysis, a cryptocurrency analysis platform, Brazil is the largest adopter of cryptocurrencies in Latin America, ranking fifth in the company’s 2025 Global Cryptocurrency Adoption Index Top 20.
The index is based on each country’s usage of different types of crypto services, and also takes into account other factors such as population size and purchasing power.
How to stay safe
Users of apps like WhatsApp are advised to treat links sent to them with caution, even if they come from trusted contacts.
A useful tactic is to message the sender through another app to check whether the link is OK, and to be suspicious of links sent out of the blue with little context.
Keeping software up to date also helps protect people from bugs that affect older versions. Antivirus software may also be helpful in flagging issues.
If someone is hacked, it is important to immediately freeze all potential access points to banks and crypto services to stop the bleeding. Tracking funds can also help exchanges, researchers, and authorities track where assets go, which could help freeze hackers’ wallets.


