Eternidade Stealer: New WhatsApp Worm Targets Brazilian Users with Banking Trojan

Imagine waking up to find your WhatsApp account hijacked, your contacts bombarded with malicious messages, and your sensitive financial data stolen, all because of a Python-based worm spreading across Brazilian devices. This isn’t a dystopian sci-fi plot; it’s happening right now. Cybersecurity researchers have uncovered a campaign that combines social engineering and WhatsApp hijacking to distribute Eternidade Stealer, a Delphi-based banking trojan targeting users in Brazil. What makes it more alarming is that the attackers have switched from PowerShell to Python scripts, a notable evolution in their tactics.

According to Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi, the malware uses the Internet Message Access Protocol (IMAP) to fetch its command-and-control (C2) server addresses at runtime. This lets the threat actors update their C2 infrastructure on the fly, making it harder for defenders to shut them down. The campaign spreads through a WhatsApp worm that hijacks accounts and sends malicious attachments to unsuspecting victims.

This isn’t an isolated incident. It follows closely on the heels of another campaign, Water Saci, which targeted Brazilian users with a WhatsApp-based worm called SORVEPOTEL. This worm acted as a delivery mechanism for Maverick, a .NET banking trojan believed to be an evolution of the Coyote malware. Together, these attacks highlight a broader trend: threat actors are exploiting WhatsApp’s ubiquity in Brazil to launch large-scale attacks against institutions and individuals alike.

But here’s the controversial part: Why are Delphi-based trojans so popular among Latin American threat actors? While their technical efficiency plays a role, it’s also because Delphi was widely taught and used in the region’s software development scene. This local familiarity gives attackers a leg up, but it also raises questions: Are we underestimating the role of regional programming trends in shaping cybercrime?

The attack begins with an obfuscated Visual Basic Script, complete with Portuguese comments, which drops a batch script. This script forks the infection into two paths: a Python script that automates WhatsApp Web-based malware dissemination, and an MSI installer that deploys Eternidade Stealer using an AutoIt script. The Python script, similar to SORVEPOTEL, uses the open-source WPPConnect project to automate message sending, harvesting victims’ contact lists and filtering out groups, business contacts, and broadcast lists.

The worm is thorough: it captures each contact’s WhatsApp number, name, and saved-contact status and sends this data to an attacker-controlled server. It then sends malicious attachments to all contacts, using time-based greetings and personalized messages to increase credibility. The second phase involves the MSI installer, which checks whether the system’s language is Brazilian Portuguese. If not, the malware self-terminates, a clear sign of hyper-localized targeting.

The installer also scans for security products, profiles the machine, and sends the data to a C2 server. The attack culminates in Eternidade Stealer being injected into svchost.exe using process hollowing. This Delphi-based stealer watches for banking portals, payment services, and cryptocurrency wallets such as Bradesco, MercadoPago, Binance, and MetaMask, lying dormant until the victim opens a targeted application. This wait-for-trigger approach is meant to keep the malware unnoticed by casual users and sandbox environments that never visit those applications.

Once activated, the malware contacts a C2 server—details for which are fetched from a terra.com[.]br email inbox, a tactic borrowed from Water Saci. If the email connection fails, it falls back to a hard-coded C2 address. Upon successful connection, the malware awaits commands, enabling attackers to log keystrokes, capture screenshots, and steal files. Notable commands include <|OK|> for system info, <|PING|> for monitoring user activity, and <|PedidoSenhas|> for credential theft overlays.
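As an added defender-side example (not from the Trustwave report and not the malware’s own code), the following Python sketch turns two details above into detection logic: IMAP traffic from a process that is not a mail client (the stealer resolves its C2 from a mailbox while running inside a hollowed svchost.exe) and the <|...|> command framing in C2 traffic. The event schema, host names and sample traffic are constructed, the mail-client allow-list is an assumption to tune per environment, and the framing check generalizes the three named commands to any token using the same pattern.

```python
import re
from dataclasses import dataclass

# Command markers cited in the Trustwave write-up; the <|...|> framing is the distinctive part.
KNOWN_C2_COMMANDS = {"<|OK|>", "<|PING|>", "<|PedidoSenhas|>"}
# Any token using the same framing is worth surfacing even if the command name is new.
C2_FRAMING_RE = re.compile(r"<\|[A-Za-z0-9_]+\|>")
IMAP_PORTS = {143, 993}
# Assumption: the only processes expected to speak IMAP on this endpoint (tune per estate).
EXPECTED_IMAP_CLIENTS = {"outlook.exe", "thunderbird.exe"}

@dataclass
class NetEvent:
    """One outbound connection record (constructed schema, not a real sensor format)."""
    process: str
    dst_host: str
    dst_port: int
    payload: str = ""

def analyze(events: list) -> list:
    """Return (rule_name, detail) findings in event order."""
    findings = []
    for ev in events:
        proc = ev.process.lower()
        # Signal 1: IMAP from a process that is not a mail client. Eternidade resolves
        # its C2 address from a mailbox and runs hollowed inside svchost.exe.
        if ev.dst_port in IMAP_PORTS and proc not in EXPECTED_IMAP_CLIENTS:
            findings.append(("imap_from_non_mail_process",
                             f"{ev.process} -> {ev.dst_host}:{ev.dst_port}"))
        # Signal 2: C2 command framing in the payload; known command names rank higher.
        tokens = C2_FRAMING_RE.findall(ev.payload)
        if tokens:
            known = sorted(set(tokens) & KNOWN_C2_COMMANDS)
            rule = "eternidade_c2_command" if known else "c2_like_command_framing"
            findings.append((rule, f"{ev.process} -> {ev.dst_host}: {','.join(known or tokens)}"))
    return findings

# Constructed sample traffic: a benign mail client, a hollowed svchost.exe fetching its
# C2 address over IMAP, then the same process speaking the command protocol.
SAMPLE_EVENTS = [
    NetEvent("outlook.exe", "imap.corp.example", 993),
    NetEvent("svchost.exe", "imap.placeholder.invalid", 993),  # report: inbox at terra.com[.]br
    NetEvent("svchost.exe", "203.0.113.10", 8080, "<|OK|>HOSTNAME|victim|Windows 10"),
    NetEvent("chrome.exe", "www.bank.example", 443, "GET / HTTP/1.1"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On real telemetry the first signal is the higher-value one: the command strings only appear if the C2 channel is unencrypted or the payload is taken from memory, whereas a non-mail process opening IMAP is visible in any connection log.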

Trustwave’s analysis of the threat infrastructure revealed two panels: one for managing the Redirector System and another for monitoring infected hosts. The Redirector System logs show that 452 out of 454 connection attempts were blocked due to geofencing restrictions, with only two redirected to the campaign’s targeted domain. Interestingly, while the malware targets Brazil, connection attempts originated from the U.S., Netherlands, Germany, and other countries, suggesting a broader operational footprint.

Here’s the burning question: If this campaign is primarily Brazilian, why are we seeing global connection attempts? Could this be a sign of the malware’s unintended spread, or are threat actors testing the waters for a wider attack? Cybersecurity defenders must stay vigilant, watching for suspicious WhatsApp activity, unexpected script executions, and indicators tied to this campaign.

What do you think? Is this a localized threat or a preview of a global cybercrime trend?
