Eternidade Stealer WhatsApp propagation campaign
Campaign
Summary
Eternidade Stealer is a WhatsApp-propagating banking Trojan targeting users in Brazil. The campaign combines social engineering with a WhatsApp hijacking worm and an MSI/AutoIt delivery chain to spread a Delphi-based stealer that injects into svchost.exe. It uses IMAP and a terra.com[.]br mailbox to refresh C2 details, and it focuses on banking, fintech, and crypto apps such as Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet.
Related Happenings
Grandoreiro DLL side-loading campaign targeting banks in Portugal
Campaign
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**Grandoreiro** is running a new **DLL side-loading** campaign against **banks in Portugal**, extending a long-lived banking-malware operation into **2026**. The latest wave uses...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
ATHR productized automated vishing platform for credential theft
Threat Actor Meta
First: 16.04.2026 17:09
Last: 16.04.2026 17:09
Sources 1
About this happening:
ATHR is turning **automated vishing** into a **productized underground service**, lowering the barrier for credential theft across **Google**, **Microsoft**, **Coinbase**, and oth...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
Timeline
19.11.2025 17:00 3 articles · 6mo ago
Eternidade Stealer disclosure and technical overview
Initial Disclosure
Eternidade Stealer is a newly identified banking Trojan affecting Brazil’s cybercrime ecosystem and using WhatsApp as both an entry point and a propagation channel. The campaign combines an obfuscated VBScript, a Python-written WhatsApp worm, an MSI dropper, and a Delphi-built stealer. Together these automate messaging, steal contacts with wppconnect libraries, harvest financial data, and retrieve fresh command-and-control details from IMAP for resilience against takedowns. It also targets Brazilian Portuguese systems and banking, fintech, and cryptocurrency applications.
Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- WhatsApp 'Eternidade' Trojan Self-Propagates Through Brazil — www.darkreading.com — 20.11.2025 16:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35