Eternidade Stealer Malware Targets Brazil’s Mobile Crypto Users

  • Eternidade malware spreads via hijacked WhatsApp sessions to infect mobile users at scale.
  • The malware targets Brazilian banking, fintech, and crypto apps with credential-harvesting overlays.
  • Attackers shift from exchange attacks toward exploiting personal devices and messaging apps.

Cybercriminals in Brazil are shifting tactics as mobile-first crypto users become the primary targets. Attackers treat the phone as the weakest link in the security chain, since most users rely on WhatsApp as their main communication tool. A new campaign built around a worm called Eternidade Stealer illustrates this shift: the operators compromise personal devices instead of attacking crypto exchanges directly.

Malware Moves Beyond Scams

The latest campaign combines hijacked WhatsApp sessions with social engineering to spread across wide contact networks. Researchers tracking the campaign say the attackers automate message delivery from infected devices, which gives the malware reach and speed that earlier scams did not have. The worm distributes malicious ZIP files that look like normal messages from trusted contacts.

The attackers deploy a Python script that takes control of an active WhatsApp session. The script sends personalized messages that match the victim's language and the time of day. The malware also steals contact lists and immediately pushes new files to additional targets, so the infection spreads rapidly without the user noticing anything unusual.
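The lure in this campaign is an archive that looks like an ordinary attachment from a contact. As an added example (not code from the page or from the researchers who analysed the campaign), the triage routine below inspects a ZIP's member list without extracting anything and flags the patterns a gateway or endpoint filter would care about: members with an executable extension, decoy double extensions such as a receipt "PDF" that is really a script, nested archives, path traversal in member names, and whitespace or right-to-left override padding used to hide the real extension. The sample archive, its member names and the extension lists are constructed for the demonstration.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions that run when double-clicked on a Windows desktop, which is where a
# WhatsApp Web session usually lives. Constructed list; extend for your fleet.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi", ".lnk", ".dll"}
# Extensions a lure borrows to look harmless in front of the real one.
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".xlsx", ".txt"}
NESTED_ARCHIVES = {".zip", ".rar", ".7z"}


@dataclass
class Finding:
    member: str
    reason: str


def _suffixes(name: str) -> List[str]:
    """All dotted suffixes of the base name, lower-cased: a.pdf.vbs -> ['.pdf', '.vbs']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(data: bytes) -> List[Finding]:
    """Return a list of suspicious members found in the archive bytes.

    Only the central directory is read; no member is decompressed or written
    to disk, so the check is safe to run on untrusted input.
    """
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to run
                continue
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(Finding(name, "path traversal in member name"))
            sfx = _suffixes(name)
            if sfx and sfx[-1] in EXEC_EXTS:
                findings.append(Finding(name, f"executable member ({sfx[-1]})"))
                if len(sfx) > 1 and sfx[-2] in DECOY_EXTS:
                    findings.append(Finding(name, "decoy double extension"))
            if sfx and sfx[-1] in NESTED_ARCHIVES:
                findings.append(Finding(name, "nested archive"))
            stem = name.rsplit("/", 1)[-1]
            if "  " in stem or "\u202e" in stem:
                findings.append(Finding(name, "whitespace/RTL override padding"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not a real lure: a script posing as a payment receipt
    sits next to a harmless-looking image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante_Pagamento.pdf.vbs", 'MsgBox "demo"\r\n')
        zf.writestr("foto.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Extension matching is deliberately conservative: a member is judged by its last suffix, so a renamed payload with no extension at all will not trip it, and content sniffing of the first bytes would be the next layer to add.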

Researchers say the campaign marks a change in strategy. Attackers no longer rely on isolated scams; they automate continuous distribution through the communication channels people trust most.

Targeting Banks, Fintech Apps, and Crypto Wallets

Once the Eternidade Stealer worm has a foothold, it downloads a Delphi-based banking trojan. Brazilian Delphi banking trojans are Windows executables, so the machine that actually runs this payload is the PC holding the WhatsApp session rather than the phone itself, even though the lure arrives through a mobile-first channel. The trojan searches the system for financial applications widely used in Brazil. Researchers confirm that it activates only on machines whose locale is set to Brazilian Portuguese, a check that also keeps it dormant on analysis systems configured with a different locale. It scans for banks, payment apps, crypto platforms, and logins linked to major exchanges.

When it finds a financial app, it launches a credential-harvesting overlay that imitates the login screen to steal usernames, passwords, and recovery codes. It also fingerprints the system, looks for installed security tools, collects browser data, and sets up long-term surveillance of financial activity.

Investigators report that the attackers use IMAP email retrieval for command-and-control: the malware logs into a mailbox and reads its current instructions, including the server it should talk to, rather than depending on fixed domains. This gives the operators resilience, because they can move infrastructure by sending a new email instead of rebuilding the implant. For defenders it also means the first outbound connection looks like ordinary mail traffic to a well-known provider, so filtering by destination alone will not catch it; the anomaly is which process is speaking IMAP.
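Because the C2 traffic is IMAP to a legitimate mail provider, the useful signal is the client process, not the destination. The detector below is an added example (not from the page or the researchers' report) that runs over a handful of constructed, Sysmon-style network-connection records: it flags any process other than an allow-listed mail client that connects to TCP 143 or 993, and raises the severity when the binary lives in a user-writable directory such as AppData or Temp. The log format, the process names, the hosts and the allow-list are all assumptions for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed, Sysmon-style "network connection" records; not real telemetry.
SAMPLE_LOG = """\
2025-11-20T13:02:11Z image=C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe dport=993 dhost=imap.gmail.com
2025-11-20T13:02:40Z image=C:\\Users\\ana\\AppData\\Roaming\\Microsoft\\svchost32.exe dport=993 dhost=imap.gmail.com
2025-11-20T13:03:05Z image=C:\\Windows\\System32\\svchost.exe dport=443 dhost=update.microsoft.com
2025-11-20T13:03:22Z image=C:\\Users\\ana\\AppData\\Local\\Temp\\comprovante.exe dport=143 dhost=imap.mail.yahoo.com
"""

IMAP_PORTS = {143, 993}
# Processes expected to speak IMAP on a workstation; tune to the fleet.
MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe", "olk.exe"}
# Directories a phished user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(appdata|temp|public|downloads)\\", re.IGNORECASE)
LINE = re.compile(
    r"^(?P<ts>\S+) image=(?P<image>.+?) dport=(?P<dport>\d+) dhost=(?P<dhost>\S+)$"
)


@dataclass
class Alert:
    ts: str
    image: str
    dhost: str
    severity: str


def detect_imap_c2(log: str) -> List[Alert]:
    """Flag IMAP connections made by anything that is not a known mail client."""
    alerts: List[Alert] = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # unparsable line, skip
        if int(m["dport"]) not in IMAP_PORTS:
            continue                                  # not IMAP, irrelevant here
        image = m["image"]
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in MAIL_CLIENTS:
            continue                                  # expected client, no alert
        severity = "high" if USER_WRITABLE.search(image) else "medium"
        alerts.append(Alert(m["ts"], image, m["dhost"], severity))
    return alerts


if __name__ == "__main__":
    for a in detect_imap_c2(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.image} -> {a.dhost}")
```

A look-alike name such as svchost32.exe under a user profile is exactly the case the path check is for: the allow-list is keyed on the file name only, so the directory test is what separates a planted binary from the real system service.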

This approach aligns with broader cybercrime trends in Brazil. Criminal groups are increasingly building malware that spreads through victims' own contact graphs and devices rather than attacking exchange infrastructure directly. Analysts say the shift reflects the growing role of personal devices in Brazil's crypto transactions and digital payments.


Authorities warn that WhatsApp-based fraud is not limited to Brazil. Similar complaints have emerged in India, Hong Kong, and the United Kingdom. Victims describe attackers taking over accounts through fake screen-sharing requests and then draining linked financial services. Losses can reach six figures for individuals who hold significant assets in mobile-linked wallets.

Brazilian users face greater exposure because mobile-first adoption is widespread. Researchers note that Brazil has more WhatsApp users per capita than almost any major market. Criminals now treat the app as the main distribution channel for malware campaigns. This trend pushes cyber threats closer to users’ devices and away from platforms with stronger security controls.

Security officials recommend basic precautions. Experts advise users never to share their screen with unknown callers, not to install remote-access tools or open ZIP files from unexpected messages, and to enable WhatsApp's two-step verification to reduce takeover risk. Because this campaign rides on sessions that are already logged in, it is also worth reviewing the app's Linked devices list and signing out any device you do not recognize; two-step verification protects re-registration of the number but does not end an active session.

Brazil's cybersecurity teams expect the threat to expand as capable malware becomes easier to deploy. Attackers now combine automation, natural-sounding messages, and rapid distribution in ways that amplify impact. As more citizens rely on digital payments and crypto wallets, the personal device becomes the front line of security.

Disclaimer: The information provided by CryptoTale is for educational and informational purposes only and should not be considered financial advice. Always conduct your own research and consult with a professional before making any investment decisions. CryptoTale is not liable for any financial losses resulting from the use of the content.
