
WhatsApp Malware Campaign Targets Brazilian Crypto Users With Banking Trojan and Worm Attack

Nahid
Published: November 20, 2025

TL;DR

  • Brazilian crypto holders are being targeted by a sophisticated WhatsApp-based worm + banking trojan called Eternidade Stealer.
  • The malware spreads via links disguised as government programs, delivery notifications, or investment groups.
  • The worm hijacks the victim's contact list and spreads further, while the trojan installs in the background to steal credentials from banks and crypto wallets.
  • The trojan retrieves command updates from a hardcoded Gmail address to evade detection.
  • Users are advised to verify unexpected links, update software, and immediately lock down financial access if compromised.

Brazil's booming crypto ecosystem has found itself under digital siege. Cybersecurity researchers at Trustwave's SpiderLabs have identified a highly malicious campaign that combines a WhatsApp worm and a banking trojan to exploit crypto users and financial customers across the country.

Dubbed "Eternidade Stealer," this malware bundles social engineering with advanced persistence techniques that allow it to lurk on infected devices, siphoning financial data and sending malicious links to a victim's contacts.

How the Malware Works

According to the SpiderLabs report, the attack begins with a seemingly innocuous WhatsApp message. Recipients are lured with familiar prompts: fake government programs, "urgent" delivery notifications, or even "friends" recommending investment groups. Once clicked, a chain reaction unfolds.

First, the worm component is installed. It quietly hijacks the user's WhatsApp account, harvesting their contact list. Cleverly, it uses "smart filtering" to ignore business or group contacts, focusing instead on personal contacts, which increases its odds of successful propagation.

Next, the banking trojan gets deployed. A file automatically downloads, installing itself in the background. This payload deploys the Eternidade Stealer, which scans for sensitive financial data, targeting logins for Brazilian banks, fintech platforms, crypto exchanges, and wallets.

Stealth and Persistence

What makes this malware especially dangerous is how it hides its command-and-control mechanism. Instead of a static server, the trojan checks a preconfigured Gmail account to fetch instructions from the attackers.

SpiderLabs researchers describe the approach as "very clever":

"One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2, maintain persistence, and evade detections or takedowns on a network level. If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address."

This dual-path communication strategy gives attackers flexibility and resilience, making takedowns far more difficult.
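A defender-side way to hunt for the mailbox-based C2 lookup described above, added here as an example and not taken from the SpiderLabs report. It assumes the mailbox login happens over standard IMAP/POP3-over-TLS ports and that you have per-process connection logs; the process names, hosts and events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: the mailbox login uses standard IMAP/POP3 over TLS ports.
MAIL_PORTS = {993, 995}
# Assumption: the only processes expected to speak mail protocols here.
MAIL_CLIENTS = {"mailclient"}
# Assumption: a C2 address fetched from the mailbox is contacted soon after.
WINDOW = timedelta(minutes=5)

# Constructed sample events: (timestamp, host, process, destination, port)
SAMPLE_EVENTS = [
    ("2025-11-20T10:00:00", "host-a", "mailclient", "imap.gmail.com", 993),
    ("2025-11-20T10:00:30", "host-a", "mailclient", "example.org", 443),
    ("2025-11-20T10:02:00", "host-b", "updater", "imap.gmail.com", 993),
    ("2025-11-20T10:02:40", "host-b", "updater", "c2.example.net", 443),
    ("2025-11-20T10:30:00", "host-b", "updater", "late.example.net", 443),
    ("2025-11-20T10:05:00", "host-c", "browser", "mail.google.com", 443),
]

def find_mailbox_c2_lookups(events):
    """Alert on non-mail processes that connect to a mail service, and list
    the other destinations the same process contacts within WINDOW."""
    parsed = sorted(
        (datetime.fromisoformat(t), h, p.lower(), d, port)
        for t, h, p, d, port in events
    )
    alerts = []
    for ts, host, proc, dest, port in parsed:
        if port not in MAIL_PORTS or proc in MAIL_CLIENTS:
            continue  # not a mail login, or an expected mail client
        follow_ups = sorted({
            d2 for t2, h2, p2, d2, port2 in parsed
            if (h2, p2) == (host, proc)
            and port2 not in MAIL_PORTS
            and ts < t2 <= ts + WINDOW
        })
        alerts.append({"host": host, "process": proc,
                       "mail_server": dest, "follow_up": follow_ups})
    return alerts

if __name__ == "__main__":
    for alert in find_mailbox_c2_lookups(SAMPLE_EVENTS):
        print(alert)
```

Because the malware falls back to a hardcoded C2 address when the mailbox is unreachable, blocking the mail connection alone does not contain an infected host; treat an alert as a reason to isolate and investigate the process.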

Why Crypto Users Are at Risk

Brazil ranks among the top countries for crypto adoption, according to Chainalysis, which placed it 5th in its 2025 Global Crypto Adoption Index. This makes Brazilian crypto holders a lucrative target for malware designed to steal credentials and siphon digital funds.

Once the trojan captures login details, attackers can potentially access centralized exchange accounts, drain wallets, or abuse bank connections, all while remaining hidden on the victim's phone.

Protecting Yourself: Best Practices

Given the sophistication of this campaign, experts are urging crypto holders and general users in Brazil to adopt extra caution:

  • Do not click links in WhatsApp unless you are absolutely sure of their origin, even if they appear to come from trusted contacts. Confirm via a separate app.
  • Keep your smartphone and apps up to date; malware often exploits known vulnerabilities in outdated software.
  • Use antivirus or mobile security tools that can detect suspicious downloads or behavior.
  • If you suspect you've been infected, act fast: freeze access to financial accounts, alert your bank or exchange, and track your funds.
  • Consider using hardware wallets for crypto savings to reduce exposure risk.

Final Thought

This campaign is a sharp reminder that crypto adoption carries inherent security risks, especially when attackers combine human trickery with evolving malware tactics. Brazilian crypto users now face a double threat: not just from volatile markets but from malicious actors exploiting their financial and social connections.

In the world of Web 3, security isn't just about private keys; it's about vigilance, awareness, and layered defenses. As this attack shows, even a simple WhatsApp message can be the first step in a high-stakes digital heist. Stay alert, stay updated, and don't let convenience compromise your safety.

 

About the Author

Nahid

Based in Bangladesh but far from boxed in, Nahid has been deep in the crypto trenches for over four years. While most around him were still figuring out Web2, he was already writing about Web3, decentralized protocols, and Layer 2s. At CotiNews, Nahid translates bleeding-edge blockchain innovation into stories anyone can understand — proving every day that geography doesn’t define genius.
