
New WhatsApp Worm Threatens Security in Brazil
In a concerning development, cybersecurity experts have identified a newly emerging WhatsApp worm in Brazil that targets unsuspecting users to compromise their bank logins and cryptocurrency keys. Top security firms have highlighted this malicious activity and are urging caution.
Understanding the Worm’s Propagation Mechanism
The worm’s method of spreading is both cunning and efficient. Cybercriminals send out messages that mimic common notifications like delivery alerts, government announcements, or group invitations. A single click on these seemingly innocent messages allows the worm to proliferate through the victim’s contact list while a concealed trojan extracts sensitive information from the user’s device.
The Fileless Infection Strategy
Security assessments reveal that attackers distribute ZIP files via WhatsApp, embedding a harmful .LNK shortcut. When executed, this shortcut triggers deceptive commands to load malicious code into memory, leaving minimal traces on the hard disk. This “fileless” approach helps the malware bypass many antivirus defenses. Additionally, the worm exploits WhatsApp Web sessions to disseminate the same trap to the victim’s contacts, mimicking the behavior of a typical worm.
Identified Targets and Attack Techniques
Two predominant malware strains have been identified in Brazil. The first, known as Eternidade Stealer, utilizes a Gmail account to covertly command and control its operations. The second strain, called Maverick, employs automation tools like WPPConnect to manage WhatsApp Web, sending harmful messages from compromised accounts.
Localized Activation and Sophisticated Capabilities
The malware is designed to assess local machine settings, such as timezone and language, to ensure it predominantly activates on devices configured for Brazil. Its capabilities are extensive, including screen capturing, keystroke logging, and overlaying counterfeit login pages on banking and trading websites. The threat targets a range of entities, including 26 Brazilian banks, six cryptocurrency exchanges, and a payment platform.
Smart Filtering and Its Implications
Interestingly, the attackers seem to selectively bypass business and group contacts, presumably to maintain the spread within personal networks and minimize early detection. The cycle is perpetuated as soon as a personal contact opens the malicious link, leveraging the trust inherent in personal connections.
Utilization of Common Services
By employing widely available services such as Gmail for command-and-control instructions, the attackers make it harder for defenders to isolate and block a specific command server, thereby complicating defense efforts.
Actionable Steps for Affected Users
If you suspect your accounts are at risk, immediate action is crucial. Experts recommend freezing or locking affected accounts, notifying your bank or exchange, and reporting the incident to local authorities. Enhancing security measures, such as enabling multi-factor authentication and utilizing withdrawal whitelists, can provide additional protection.
It’s also advisable to verify the authenticity of ZIP or .LNK files received via WhatsApp, even from familiar contacts, through a separate communication method like a phone call or a different message.
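For teams that triage attachments before a user opens them, the ZIP-with-shortcut delivery described above can be checked mechanically. The following is an added example, not code from the article or from the security firms it cites; it flags shortcut members by extension and by the Shell Link header, so a renamed shortcut is still caught. The function names, limits and sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_DEPTH = 3                  # assumed limit on nested-archive recursion
MAX_NESTED_BYTES = 20_000_000  # assumed cap so a nested bomb is not expanded


def find_shortcuts(data, prefix="", depth=0):
    """Return sorted (path, reason) pairs for shortcut members of a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: name check only
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                hits.append((path, "lnk-header"))  # catches renamed shortcuts
            elif info.filename.lower().endswith(".lnk"):
                hits.append((path, "lnk-extension"))
            elif (head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED_BYTES):
                hits += find_shortcuts(archive.read(info), path + "!", depth + 1)
    return sorted(hits)


def build_sample():
    """Constructed test archive; every name and payload here is made up."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.lnk", LNK_MAGIC + b"\x00" * 56)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docs/readme.txt", "plain text")
        z.writestr("invoice.pdf.lnk", "extension only, no shortcut header")
        z.writestr("photo.jpg", LNK_MAGIC + b"\x00" * 56)
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_shortcuts(build_sample()):
        print(f"{reason:14} {path}")
```

A hit means the archive carries a shortcut, which is reason enough to hold it for review; the check does not assess what the shortcut would run.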
Brazil’s Position in the Crypto Landscape
According to Chainalysis, Brazil ranks as the leading country in Latin America for cryptocurrency usage and holds the fifth spot globally in the 2025 Global Crypto Adoption Index Top 20. As the country advances in digital finance, robust cybersecurity measures are paramount to safeguarding users from emerging threats.
Our Editorial Commitment
At Bitcoinist, we are dedicated to providing meticulously researched, accurate, and impartial content. We adhere to rigorous sourcing standards, and each article undergoes thorough evaluation by our team of technology specialists and seasoned editors, ensuring content integrity, relevance, and value for our readers.





