A new WhatsApp worm is sweeping Brazil, stealing ordinary users’ banking credentials and cryptographic keys, security companies warn.
Victims receive a message that looks familiar (a delivery note, a government alert, or a group invitation) and a single click can allow the threat to spread through their contacts while a hidden Trojan deletes data from their machines.
How the worm spreads
According to security reports, attackers send ZIP files containing a malicious .LNK shortcut via WhatsApp. Once opened, this shortcut executes deceptive commands that load more code into memory so little is written to the hard drive.
This “fileless” step helps the malware avoid certain antivirus tools. According to reports, the infection also hijacks WhatsApp web sessions to send the same bait to the victim’s friends, making the attack behave like a worm.
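A triage check for the delivery vector described above, as an added example that is not from the article or the researchers it cites: it lists Windows shortcut files inside a ZIP, including ones nested in inner archives or renamed to another extension. The function names, the depth and size limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
MAX_DEPTH = 3                   # assumption: nesting limit for archives
MAX_MEMBER = 20 * 1024 * 1024   # assumption: largest member read into memory

def find_shortcuts(data, prefix="", depth=0):
    """Return sorted (path, reason) findings for shortcut files in a ZIP."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<archive>", "not a readable ZIP")]
    findings = []
    with archive:
        for info in archive.infolist():
            path, name = prefix + info.filename, info.filename.lower()
            if info.is_dir():
                continue
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                findings.append((path, "encrypted or oversized, not inspected"))
                continue
            body = archive.read(info)
            if body.startswith(LNK_MAGIC):
                disguised = "" if name.endswith(".lnk") else " under a non-.lnk name"
                findings.append((path, "shell link header" + disguised))
            elif name.endswith(".lnk"):
                findings.append((path, ".lnk name without shell link header"))
            elif body.startswith(b"PK\x03\x04"):
                if depth < MAX_DEPTH:
                    findings += find_shortcuts(body, path + "!", depth + 1)
                else:
                    findings.append((path, "nested archive past depth limit"))
    return sorted(findings)

def build_sample():
    """Constructed test archive: inert header bytes only, no real shortcut."""
    fake_lnk = LNK_MAGIC + bytes(0x4C - len(LNK_MAGIC))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("document.pdf", fake_lnk)    # shortcut hiding behind .pdf
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("receipt.lnk", fake_lnk)
        z.writestr("docs/attachment.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `find_shortcuts(build_sample())` reports the plain shortcut and the renamed one inside the nested archive; an empty list means no shortcut was found in the members that could be inspected.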

Figure 2. Eternidade Stealer’s attack chain. Source: SpiderLabs
One analyst group said more than 400 “client environments” and more than 1,000 endpoints showed signs of compromise, while another company blocked about 62,000 infection attempts in the first 10 days of October.
Targets and techniques
Reports have revealed two main strains active in Brazil. One of them is a banking Trojan called Eternidade Stealer that uses a Gmail account as a hidden command channel.

Figure 7. The malware’s JavaScript code that steals victims’ WhatsApp contact lists. Source: SpiderLabs
The other, known as Maverick, relies on automation tools such as WPPConnect to operate WhatsApp Web and deliver malicious messages from infected accounts.
The threats look for local settings before fully activating, checking the time zone and language so that the code runs primarily on machines configured in Brazil.
Security researchers say the malware can capture screens, record keystrokes and overlay fake login pages on banking or exchange websites.
The list of targets is broad: it includes 26 Brazilian banks, six crypto exchanges and a payment platform.
Smart filtering makes the situation worse
Attackers appear to avoid professional or group contacts. This choice seems intended to limit messages to restricted personal circles and reduce early detection.
Once a family member or friend opens the link, the same cycle can repeat itself. Since the worm spreads using trusted accounts, people are more likely to fall for it.
Using widely available services like Gmail for control instructions makes it more difficult for defenders to block a single control server.
What to do if you are exposed
According to security experts, if funds are in danger, act quickly. Freeze or lock accounts where possible, alert your exchange or bank and report the incident to local authorities.
Enable strong multi-factor authentication on every financial account and use opt-out whitelists when offered. According to experts, don’t open ZIP or .LNK files received over WhatsApp, even those from known contacts, without verification through a separate message or phone call.
Source: Chainalysis
Brazil in 5th place
Figures from Chainalysis show that Brazil sits at the top of Latin America in crypto usage, and the country ranks fifth in the Top 20 of the platform’s 2025 Global Crypto Adoption Index.