EXECUTIVE SUMMARY:
A new banking Trojan known as Eternidade Stealer is being distributed through WhatsApp using social engineering messages and automated spreading. Instead of relying on simple phishing links, the attackers use a VBScript that delivers multiple components, including a WhatsApp worm and a credential-stealing payload. The operation is mainly focused on Brazilian users, following earlier patterns where WhatsApp served as a primary infection route. The attackers use Delphi for the final payload, a common choice in Brazil’s cybercrime landscape due to familiarity and available shared tools. Overall, this is a financially motivated campaign that targets Brazilian systems, abuses WhatsApp for rapid infection, and uses multi-stage malware delivery techniques.
The infection begins with an obfuscated VBScript containing Portuguese-language comments. Once executed, it deploys two main components: a Python-based WhatsApp worm and an MSI installer for Eternidade Stealer. The worm uses WhatsApp Web automation to pull the victim’s contact list, send malicious files to those contacts, and exfiltrate contact data to a remote server, while intentionally avoiding group chats and business accounts. The MSI installer checks the system’s language and continues only on Brazilian Portuguese environments. It profiles the system, looks for banking or cryptocurrency applications, and loads the Delphi-based stealer using process hollowing. The malware retrieves command-and-control information through an IMAP mailbox, which allows the operators to update infrastructure dynamically. When financial applications are detected, the malware triggers credential-capture mechanisms, overlays, keylogging, and file operations.
Eternidade Stealer reflects an ongoing trend in Brazil-targeted financial malware: spreading through WhatsApp, collecting contacts automatically, and focusing on credential theft for banks and payment platforms. Its use of Python for propagation and Delphi for the main payload enables efficient distribution and targeted attacks. The IMAP-based communication method also gives the operators flexibility to adjust their infrastructure without redistributing the malware. Defenders should look for signs such as unexpected VBScript execution, WhatsApp Web automation processes, or IMAP traffic from unknown binaries. Users and organizations are advised to avoid opening unsolicited WhatsApp files, monitor endpoints for suspicious process injection, and apply security measures capable of detecting overlay-based credential theft. This campaign reinforces the need to secure social-messaging channels and improve detection of malware that spreads through automated contact distribution.
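The three detection signals named above (unexpected VBScript execution, WhatsApp Web automation, IMAP traffic from unknown binaries) as a small triage routine over endpoint telemetry. This is an added example, not code from the original report; the Sysmon-like event shape, the process and driver names, and the list of known mail clients are assumptions, and the sample events are constructed, not indicators from the campaign.

```python
# Added example (not from the original report): flags constructed endpoint events
# against the three signals the summary lists. Event shape is a simplified
# Sysmon-like dict (an assumption); names below are illustrative, not IoCs.
from typing import Dict, List

IMAP_PORTS = {143, 993}
# Assumption: the mail clients that legitimately speak IMAP on this estate.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSER_DRIVERS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON = {"python.exe", "pythonw.exe"}

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(event: Dict) -> List[str]:
    """Return the detection signals an event triggers (empty list if none)."""
    hits = []
    image, parent = basename(event.get("image", "")), basename(event.get("parent_image", ""))
    cmdline = event.get("cmdline", "").lower()
    if event["type"] == "process_create":
        # Signal 1: a VBScript host spawning the next stage (installer or Python),
        # matching the VBScript -> worm + MSI staging described in the summary.
        if parent in SCRIPT_HOSTS and image in PYTHON | {"msiexec.exe"}:
            hits.append("vbscript_stager_child")
        # Signal 2: Python driving a browser, i.e. WhatsApp Web automation.
        if parent in PYTHON and (image in BROWSER_DRIVERS or "web.whatsapp.com" in cmdline):
            hits.append("python_browser_automation")
    elif event["type"] == "network_connect":
        # Signal 3: IMAP from a binary that is not a known mail client.
        if event.get("dst_port") in IMAP_PORTS and image not in KNOWN_MAIL_CLIENTS:
            hits.append("imap_from_unexpected_binary")
    return hits

# Constructed sample events for demonstration only.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec /i setup.msi /qn"},
    {"type": "process_create", "parent_image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\chromedriver.exe", "cmdline": "chromedriver.exe --port=9515"},
    {"type": "network_connect", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "dst_port": 993},
    {"type": "network_connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe", "dst_port": 993},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def triage(events: List[Dict]) -> List[List[str]]:
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(basename(e["image"]), "->", hits or "no signal")
```

Each signal on its own is a lead, not a verdict; correlating a VBScript-spawned installer with a later IMAP connection from the same host is what separates this chain from benign automation.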
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defence Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1056.001 | Input Capture | Keylogging |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1114 | Email Collection | — |
| Command and Control | T1102 | Web Service | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: