{"id":16291,"date":"2025-11-20T09:23:19","date_gmt":"2025-11-20T09:23:19","guid":{"rendered":"https:\/\/bitunikey.com\/news\/brazilian-crypto-users-hit-by-whatsapp-malware-campaign-targeting-crypto-wallets\/"},"modified":"2025-11-20T09:23:25","modified_gmt":"2025-11-20T09:23:25","slug":"brazilian-crypto-users-hit-by-whatsapp-malware-campaign-targeting-crypto-wallets","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/brazilian-crypto-users-hit-by-whatsapp-malware-campaign-targeting-crypto-wallets\/","title":{"rendered":"Brazilian crypto users hit by WhatsApp malware campaign targeting crypto wallets"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Bad actors are weaponizing WhatsApp to deliver a hijacking worm and banking trojan in Brazil that target users\u2019 crypto wallets.<\/p>\n<div id=\"cn-block-summary-block_0107cf2552c776e487ecd132f7954097\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>SpiderLabs has warned about a WhatsApp\u2011based malware campaign in Brazil that deploys a worm and banking trojan to target crypto users.<\/li>\n<li>The malware is able to harvest sensitive information related to the victim\u2019s crypto exchange account and wallets.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>Trustwave\u2019s cybersecurity research team SpiderLabs has <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp\/\">uncovered<\/a> a major campaign involving the Eternidade Stealer, which can quietly harvest financial information, login data, and other sensitive details associated with banking portals, fintech apps, and crypto 
exchanges on the victim\u2019s device.<\/p>\n<p>Threat actors were found to be using complex social engineering schemes involving \u201cfake government programs, delivery notifications, and even fraudulent investment groups shared through WhatsApp messages and groups,\u201d the report said.<\/p>\n<p>Attackers are using a two\u2011stage process to deliver the malicious payload that includes a WhatsApp\u2011propagating worm and a Delphi\u2011based banking trojan. When the victim clicks a worm link, it triggers an automated sequence that hijacks the WhatsApp session, downloads the MSI installer in the background, and deploys the stealer that scans for financial applications and crypto wallets.<\/p>\n<p>\u201cWhen it detects a match, for example, a window title or process name linked to Bradesco, BTG Pactual, Binance, Coinbase, MetaMask, Trust Wallet, or another financial brand, the malware immediately decrypts and activates its next-stage payload,\u201d SpiderLabs researchers explained.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>Another concerning trait of the campaign, besides its stealthy nature, is that the worm is able to access the victim\u2019s contact list, which lets it target other potential victims.<\/p>\n<p>Meanwhile, it avoids detection by using \u201chardcoded credentials to log into its email account,\u201d which is retrieved from a Gmail inbox controlled by the operator. By using IMAP over SSL to fetch commands, a method that blends with ordinary user email traffic, the malware is able to bypass network filters and remain difficult to trace.<\/p>\n<p>\u201cIt is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. 
If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address,\u201d researchers added.<\/p>\n<p>SpiderLabs researchers have urged Brazilian crypto users to remain alert, especially on WhatsApp, which has become a favored tool for social engineering-based malware campaigns.<\/p>\n<p>\u201cWhatsApp continues to be one of the most exploited communication channels in Brazil\u2019s cybercrime ecosystem. Over the past two years, threat actors have refined their tactics, using the platform\u2019s immense popularity to distribute banker trojans and information-stealing malware,\u201d researchers warned.<\/p>\n<p>Crypto adoption in Brazil has soared over the past few years, and with recent developments like potential plans to establish a national Bitcoin reserve and enforce a proper regulatory framework, the country has drawn increased attention from global investors and local users alike. On the Chainalysis Global Crypto Adoption <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.chainalysis.com\/blog\/brazil-crypto-asset-regulatory-framework-2025\/#:~:text=In%20our%20latest%20Geography%20of,2025%20Global%20Crypto%20Adoption%20Index.\">Index<\/a>, Brazil ranks fifth, while it stands as Latin America\u2019s largest crypto market by volume.<\/p>\n<p>As such, it remains a prime target for scammers and other bad actors seeking to exploit inexperienced users or take advantage of poorly protected systems.<\/p>\n<h1 class=\"wp-block-heading\">Bad actors get creative with crypto-targeting malware<\/h1>\n<p>Eternidade Stealer is a kind of infostealer, which, as mentioned above, can silently monitor applications, extract sensitive credentials, and activate fake overlays to harvest user data.<\/p>\n<p>Back in September, security platform Mosyle uncovered one such cross-platform threat called ModStealer that remained undetected for weeks and was found to be targeting crypto wallets across macOS, Windows, and 
Linux environments. By using obfuscated JavaScript code within a Node.js environment, the malware was able to infiltrate developer systems and exfiltrate private keys and clipboard data from over 50 browser wallet extensions.<\/p>\n<p>More recently, a Google Threat Intelligence Group report warned that bad actors have started using artificial intelligence to develop malware that can rewrite its own code in real time, making it a lot harder to detect or neutralize.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Bad actors are weaponizing WhatsApp to deliver a hijacking worm and banking trojan in Brazil that targets their crypto wallets. Summary SpiderLabs has warned about a WhatsApp\u2011based malware campaign in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":6910,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/16291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=16291"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/16291\/revisions"}],"predecessor-version":[{"id":16292,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/16291\/revisions\/16292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/6910"}],"wp:attachment":[{"href":"https
:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=16291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=16291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=16291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}