Python-Based WhatsApp Worm Spreads New Stealer

Overview of the New Campaign

Python-Based WhatsApp Worm activity continues to grow across Brazil. Researchers recently uncovered a social-engineering campaign that uses WhatsApp hijacking to spread a Delphi-based banking stealer called Eternidade Stealer. The attackers rely on a Python script to automate the spread. Therefore, the threat now moves faster than earlier PowerShell-based versions.

The campaign abuses the popularity of WhatsApp in Brazil. However, it also uses email-based methods to keep its command servers updated. This flexibility helps the attackers avoid blocks and maintain control.

Shift to Python and WhatsApp-Based Propagation

The attack begins with an obfuscated script written in Portuguese. It drops a batch file that launches two separate payloads. One payload runs a Python script that spreads the malware through WhatsApp Web. The other payload installs the Eternidade Stealer through an MSI file.

The Python script contacts a remote server. It also uses an automated messaging tool from an open-source project to send malicious files to the victim’s contacts. Therefore, the worm spreads rapidly. It gathers contact data, filters groups and businesses, and sends infected attachments with personalized greetings.

Localized Targeting and System Profiling

The MSI installer checks if the device uses Brazilian Portuguese. If it does not, the malware stops running. This behavior shows a hyper-localized targeting strategy. The script then scans processes and registry keys for security tools. It profiles the machine and sends the results to a remote server.

After profiling, the malware injects Eternidade Stealer into a system process. This step ensures deep access. It also allows the malware to bypass casual inspection and remain active for long periods.

Eternidade Stealer’s Capabilities

Eternidade Stealer monitors active windows and running processes. It looks for keywords related to banking portals, payment services, and cryptocurrency platforms. For example, it scans for major banking and wallet services commonly used in Brazil. When it detects any of them, it quietly activates its attack routine.

The malware retrieves its command server details from an email inbox. Therefore, the attackers can change servers without updating the malware itself. If the inbox cannot be reached, the malware uses a fallback server hard-coded in the code.

Once connected, Eternidade Stealer waits for instructions. Commands allow attackers to capture keystrokes, take screenshots, and steal stored files. It can also monitor activity and send custom overlays to trick victims into sharing sensitive data.

Geofencing and Infrastructure Findings

Researchers discovered two control panels linked to the operation. One manages redirection traffic, and the other tracks infected hosts. The redirection system only allows access from Brazil and Argentina; consequently, most connection attempts from other countries were blocked and redirected to an error page.

Records show hundreds of connection attempts from countries worldwide. This trend suggests that although the malware targets Brazil, its infrastructure reaches far beyond local borders. Therefore, defenders should treat this threat as globally relevant.

How to Prevent Similar Attacks

Users and organizations should avoid opening unknown WhatsApp files, verify all installers, and monitor script executions. They should also deploy advanced threat-monitoring tools and use managed detection services that provide continuous oversight of messaging-based attacks. These solutions can quickly identify abnormal WhatsApp behavior and block malicious scripts before they spread.
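The execution chain described earlier (a dropped batch file launching both a Python spreader and an MSI installer) is one concrete thing the script-execution monitoring above can look for. The following is an added example, not code from the article or from the researchers; it assumes Sysmon-style process-creation records with pid, ppid, image and command-line fields, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (field names assumed): one suspicious chain, one benign run.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",      "cmd": "cmd.exe /c dropped.bat"},
    {"pid": 300, "ppid": 200, "image": "python.exe",   "cmd": "python.exe spread.py"},
    {"pid": 400, "ppid": 200, "image": "msiexec.exe",  "cmd": "msiexec.exe /i installer.msi /qn"},
    {"pid": 500, "ppid": 100, "image": "cmd.exe",      "cmd": "cmd.exe /c build.bat"},
    {"pid": 600, "ppid": 500, "image": "python.exe",   "cmd": "python.exe setup.py"},
]

# Both payload types the article describes must appear under the same batch file.
PAYLOAD_IMAGES = {"python.exe", "msiexec.exe"}


def build_tree(events):
    """Index events by pid and by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def lineage(by_pid, pid):
    """Image names from the root ancestor down to pid, for alert context."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_batch_dual_payload(events):
    """Flag cmd.exe running a .bat whose children include every payload image."""
    # A .bat that only launches python.exe (pid 500 above) is common in
    # developer tooling and is deliberately not flagged.
    by_pid, children = build_tree(events)
    alerts = []
    for e in events:
        if e["image"].lower() != "cmd.exe" or ".bat" not in e["cmd"].lower():
            continue
        spawned = {c["image"].lower() for c in children[e["pid"]]}
        if PAYLOAD_IMAGES <= spawned:
            alerts.append({"pid": e["pid"], "chain": lineage(by_pid, e["pid"]),
                           "children": sorted(spawned)})
    return alerts
```

Running `find_batch_dual_payload(SAMPLE_EVENTS)` returns one alert for pid 200 with the chain explorer.exe > cmd.exe; feeding it real telemetry means mapping your sensor's field names onto the four used here.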
