Eternidade Stealer WhatsApp-propagating banking Trojan
Malware Activity
Summary
Hide ▲
Show ▼
Eternidade Stealer is a WhatsApp-propagating banking trojan targeting users in Brazil. The campaign combines an obfuscated Visual Basic Script, a Python WhatsApp worm, and an MSI/AutoIt dropper that injects the stealer into svchost.exe using process hollowing. The malware uses IMAP and a terra.com[.]br mailbox to refresh C2 details, and it can steal keystrokes, capture screenshots, and exfiltrate files.
Related Happenings
QuimaRAT cross-platform Java MaaS remote access trojan
Malware Activity
H score29
First: 06.07.2026 11:13
Last: 06.07.2026 11:13
Sources 1
About this happening:
A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware ActivityAbout this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
NSO Group WhatsApp spear-phishing campaign
Campaign
H score37
First: 08.06.2026 20:08
Last: 08.06.2026 20:08
Sources 1
About this happening:
**NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
NSO Group WhatsApp spear-phishing campaign
CampaignAbout this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
Timeline
-
19.11.2025 17:00 3 articles · 7mo ago
Trustwave SpiderLabs identifies Eternidade Stealer WhatsApp-propagating banking Trojan
Initial DisclosureTrustwave SpiderLabs identifies Eternidade Stealer as a newly observed banking Trojan affecting Brazil’s cybercrime ecosystem, using WhatsApp as both an entry point and a propagation channel. The malware combines a Python-written WhatsApp worm, a Delphi-based stealer and an MSI dropper to harvest financial data, system details and contact lists, while also using hard-coded email credentials to retrieve fresh C2 details from an IMAP mailbox. It targets Brazilian Portuguese systems, checks for banking, fintech and cryptocurrency applications, and focuses on desktop environments, with backend logs showing 454 connection attempts from 38 countries.
Show sources
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35