
Brazil confronts rapid WhatsApp malware surge

Friday 21 November 2025 - 15:20
By: Dakir Madiha

Brazil is facing a fast-moving malware campaign that uses WhatsApp to infiltrate devices and spread through trusted contacts. Security analysts report a coordinated operation that blends social engineering, automated propagation, and a sophisticated trojan capable of stealing banking and cryptocurrency data. The audience includes cybersecurity professionals, policy analysts, and readers who follow digital threat trends in Latin America.

Researchers say the campaign exploits routine communication. Victims receive a WhatsApp message containing a ZIP file or a shortcut disguised as an everyday document such as a receipt, medical note, or administrative form. When opened, a hidden script activates and seizes control of the user’s WhatsApp Web session. The same malicious file is then sent automatically to everyone in the contact list. The process transforms each infected user into a new distribution point, creating a chain reaction that spreads through private and professional networks.

Investigators describe a two-layer system. A Python module manages the automated spread through WhatsApp Web. A separate MSI installer deploys the second stage, known as the Eternidade Stealer. This component gathers personal data and grants remote operators extensive control over the device. The attackers adjust commands, update templates, and download contact lists through a command-and-control server.

The campaign mirrors a broader trend observed across Brazil. Similar malware families, including Maverick, Coyote, and Sorvepotel, have recently targeted local users through WhatsApp Web manipulation and browser-based techniques.

A trojan designed for financial theft

The second payload activates banking and cryptocurrency theft capabilities. It extracts passwords, cookies, authentication codes, and sensitive browsing data. It can perform web injections to interfere with online banking portals and searches for recovery phrases linked to cryptocurrency wallets or browser extensions. Attackers aim to empty bank accounts during login attempts and seize crypto assets when a signing request appears.

Investigators note that many victims only realize the attack after financial losses. The scheme leverages common digital habits as users switch between desktop browsers, mobile devices, and extensions without recognizing the increased exposure. Attackers reinforce the deception with convincing templates that resemble delivery updates or official notices.

Warning signs include unexpected file transfers from WhatsApp, slow browser performance, unfamiliar pop-ups, alerts from antivirus tools about PowerShell or VBS scripts, and unknown browser extensions. Specialists urge users to disconnect WhatsApp Web at the first sign of suspicious behavior, change banking and crypto passwords from a secure device, revoke active wallet sessions, and restore systems from clean backups if required.

Researchers stress that the campaign progresses quickly. Early action can determine whether a user faces minor disruption or significant financial damage.
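For defenders triaging files received over WhatsApp, the sketch below checks an attachment, and the members of a ZIP, for the file types the article names (shortcut, script, MSI installer) hiding behind a document-style name, without extracting or running anything. It is an added example, not code from the researchers or the campaign; the extension lists and the sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions chosen to match the file types the article names
# (shortcut, VBS/PowerShell script, MSI installer); not a list of indicators.
RISKY = {".lnk": "shortcut", ".vbs": "VBS script", ".ps1": "PowerShell script",
         ".bat": "batch script", ".cmd": "batch script", ".msi": "MSI installer"}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def classify_name(name):
    """Return a list of reasons a file name deserves a closer look."""
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.lower() for s in path.suffixes]
    reasons = []
    if suffixes and suffixes[-1] in RISKY:
        reasons.append(f"{RISKY[suffixes[-1]]} ({suffixes[-1]})")
        # "name.pdf.lnk" displays as "name.pdf" when Windows hides extensions
        if len(suffixes) >= 2 and suffixes[-2] in DOC_LIKE:
            reasons.append(f"document-style name hiding {suffixes[-1]}")
    return reasons

def triage_attachment(filename, data):
    """Inspect a received attachment without extracting or running anything."""
    findings = {}
    top = classify_name(filename)
    if top:
        findings[filename] = top
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                reasons = classify_name(info.filename)
                if reasons:
                    findings[f"{filename}!{info.filename}"] = reasons
    return findings

def build_sample_zip(members):
    """Constructed test input: an in-memory ZIP with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip(["comprovante.pdf.lnk", "leia-me.txt"])
    for item, why in triage_attachment("comprovante.zip", sample).items():
        print(item, "->", "; ".join(why))
```

A name-based check like this is a first filter only; an empty result does not mean the file is safe.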

