Eternidade Stealer WhatsApp propagation campaign
Campaign
Summary
Hide ▲
Show ▼
Eternidade Stealer is a WhatsApp-propagating banking Trojan targeting users in Brazil. The campaign combines social engineering with a WhatsApp hijacking worm and an MSI/AutoIt delivery chain to spread a Delphi-based stealer that injects into svchost.exe. It uses IMAP and a terra.com[.]br mailbox to refresh C2 details, and it focuses on banking, fintech, and crypto apps such as Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.
Related Happenings
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
NSO Group WhatsApp spear-phishing campaign
Campaign
H score37
First: 08.06.2026 20:08
Last: 08.06.2026 20:08
Sources 1
About this happening:
**NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
NSO Group WhatsApp spear-phishing campaign
CampaignAbout this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
H score26
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Grandoreiro DLL side-loading campaign targeting banks in Portugal
CampaignAbout this happening: **Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
Timeline
-
19.11.2025 17:00 3 articles · 7mo ago
Eternidade Stealer disclosure and technical overview
Initial DisclosureEternidade Stealer is a newly identified banking Trojan affecting Brazil’s cybercrime ecosystem and using WhatsApp as both an entry point and a propagation channel. The campaign combines an obfuscated VBScript, a Python-written WhatsApp worm, an MSI dropper, and a Delphi-built stealer to automate messaging, steal contacts with wppconnect libraries, harvest financial data, and retrieve fresh command-and-control details from IMAP for resilience against takedowns; it also targets Brazilian Portuguese systems and banking, fintech, and cryptocurrency applications.
Show sources
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- WhatsApp 'Eternidade' Trojan Self-Propagates Through Brazil — www.darkreading.com — 20.11.2025 16:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35