Python Worm Spreads Through WhatsApp- Here’s What’s Happening

Ayush Mukherjee | November 30, 2025 / 08:11 IST
Python Malware Campaign Hits WhatsApp Users in Brazil
A new cybercrime campaign is exploiting WhatsApp to distribute the Eternidade Stealer trojan across Brazil. The operation uses aggressive social engineering and automated message forwarding to capture financial and personal information from unsuspecting users.
Why WhatsApp Is a Major Target in Brazil
Brazil is one of WhatsApp's largest markets, which makes it fertile ground for large-scale attacks. Because the platform is relied on for everyday communication, a single compromised account gives attackers a ready-made contact network, so a malicious file can propagate quickly from victim to victim.
How the Infection Starts
Researchers at Trustwave SpiderLabs found that the operation begins with an obfuscated Visual Basic Script (VBS) dropper. The script deploys two separate components: a WhatsApp worm written in Python, and an MSI installer that delivers the Delphi-based Eternidade Stealer payload.
Python Worm Hijacks WhatsApp Web Sessions
The Python module abuses WPPConnect, an open-source WhatsApp Web automation project, to take control of the victim's WhatsApp Web session. Once active, it extracts the victim's contact list and filters out business accounts and large groups, reducing the chance that a mass send is noticed or reported.
Auto Messaging Tactics Increase Reach
The worm then pushes the malicious attachment to every remaining contact. To look like a genuine message from the victim, it uses personalised greetings that vary with the time of day, which makes recipients more likely to open the infected file.
Evasion Tactics Used by Attackers
Trustwave researchers found that the stealer relies on IMAP to pull updated command-and-control (C2) server details from a terra.com.br mailbox. Because the C2 address lives in an e-mail account rather than being hard-coded in the binary, the operators can swap infrastructure on the fly and survive takedowns of individual servers, a technique also seen in the Water Saci campaign.
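The two stages described so far (a VBScript dropper that launches both a Python component and an MSI installer, then a non-mail process pulling C2 details over IMAP from a terra.com.br mailbox) both leave host telemetry that a defender can correlate. The script below is an added detection example, not code from Trustwave or from the malware: it runs over constructed Sysmon-style events (EventID 1 = process create, EventID 3 = network connect). The host names, PIDs, file paths, the exact IMAP host name and the mail-client allowlist are all assumptions.

```python
"""Correlate constructed Sysmon-style events for two stages of the campaign:
(1) wscript.exe spawning both a Python interpreter and msiexec.exe, and
(2) a process that is not a mail client talking IMAP to a terra.com.br host.

Added example; the events below are constructed, not captured telemetry.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# python.exe, pythonw.exe, python3.exe, python3.11.exe, python311.exe ...
INTERPRETER = re.compile(r"^pythonw?\d*(\.\d+)?\.exe$")
IMAP_PORTS = {143, 993}
C2_MAIL_DOMAIN = "terra.com.br"            # domain reported in the article
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist; tune to your estate

SAMPLE_EVENTS = [  # constructed sample data
    # BR-WS01: explorer -> wscript.exe -> python.exe + msiexec.exe (dropper chain)
    {"EventID": 1, "Host": "BR-WS01", "ProcessId": 4100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\ana\Downloads\comprovante.vbs"},
    {"EventID": 1, "Host": "BR-WS01", "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Users\ana\AppData\Local\Temp\py\python.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": r"python.exe worm.py"},
    {"EventID": 1, "Host": "BR-WS01", "ProcessId": 4130, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\setup.msi /qn"},
    # BR-WS01: the Python process fetches its C2 list over IMAPS
    {"EventID": 3, "Host": "BR-WS01", "ProcessId": 4120,
     "Image": r"C:\Users\ana\AppData\Local\Temp\py\python.exe",
     "DestinationHostname": "imap.terra.com.br", "DestinationPort": 993},
    # BR-WS02: a real mail client on the same provider (must not alert)
    {"EventID": 3, "Host": "BR-WS02", "ProcessId": 2210,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "imap.terra.com.br", "DestinationPort": 993},
    # BR-WS03: logon script that only runs an installer (must not alert)
    {"EventID": 1, "Host": "BR-WS03", "ProcessId": 3000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe logon.vbs"},
    {"EventID": 1, "Host": "BR-WS03", "ProcessId": 3010, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": r"msiexec.exe /i agent.msi /qn"},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(procs, host, pid):
    """Walk ParentProcessId links upward; stops on unknown or cyclic PIDs."""
    chain, seen = [], set()
    while (host, pid) in procs and pid not in seen:
        seen.add(pid)
        ev = procs[(host, pid)]
        chain.append(ev)
        pid = ev["ParentProcessId"]
    return chain


def detect(events):
    """Return a list of alerts, each naming the rule, host and PID it fired on."""
    procs = {}                    # (host, pid) -> process-create event
    children = defaultdict(list)  # (host, parent pid) -> child events
    for ev in events:
        if ev["EventID"] == 1:
            procs[(ev["Host"], ev["ProcessId"])] = ev
            children[(ev["Host"], ev["ParentProcessId"])].append(ev)

    alerts = []
    # Rule 1: a script host that spawns BOTH an interpreter and msiexec.exe.
    # Either child alone is common (logon scripts, installers); the pair
    # matches the dropper behaviour described above.
    for (host, pid), ev in procs.items():
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        names = sorted(basename(c["Image"]) for c in children[(host, pid)])
        if "msiexec.exe" in names and any(INTERPRETER.match(n) for n in names):
            alerts.append({"rule": "vbs_dropper_chain", "host": host,
                           "pid": pid, "children": names})

    # Rule 2: IMAP to the reported mail domain from something that is not a
    # mail client; note whether the process descends from a script host.
    for ev in events:
        if ev["EventID"] != 3 or ev["DestinationPort"] not in IMAP_PORTS:
            continue
        dst = ev["DestinationHostname"].lower()
        if dst != C2_MAIL_DOMAIN and not dst.endswith("." + C2_MAIL_DOMAIN):
            continue
        image = basename(ev["Image"])
        if image in MAIL_CLIENTS:
            continue
        ancestors = lineage(procs, ev["Host"], ev["ProcessId"])
        alerts.append({"rule": "imap_c2_fetch", "host": ev["Host"], "pid": ev["ProcessId"],
                       "image": image, "dst": dst,
                       "from_script_host": any(basename(a["Image"]) in SCRIPT_HOSTS
                                               for a in ancestors)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this fires exactly twice, both on BR-WS01: the dropper chain under PID 4100 and the IMAP connection from the Python child, with its lineage traced back to wscript.exe. The Outlook connection to the same provider and the logon script that only runs an installer stay quiet. In production the first rule should be bounded by a time window and the second should carry the connecting process's hash, since a mailbox-based C2 lookup is only suspicious in combination with who is doing the looking.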
Designed to Target Only Local Users
The malware checks the operating system language before running; if the system is not set to Brazilian Portuguese, the stealer exits. This shows the threat actors built the malware to hit Brazilian users while staying under the radar internationally. It also means the payload will not detonate in an analysis environment whose locale is anything other than Brazilian Portuguese, so sandboxes used to study it need to match that setting.
Financial Platforms in the Crosshairs
Once the payload is active, it watches for access to banking and payment platforms such as Bradesco, BTG Pactual, MercadoPago, Binance and MetaMask. When it detects a target platform, it overlays fake windows to harvest usernames, passwords and sensitive financial data.
Regional Focus With Global Touchpoints
Despite the strict regional targeting, Trustwave identified more than 450 connection attempts from nearly 40 countries; the United States alone accounted for 196 attempts to reach the threat actor's servers. These are connection attempts, not confirmed infections, so the figures measure who touched the infrastructure rather than how many systems were compromised.
Geofencing as a Control Strategy
The infrastructure uses geofencing to accept only Brazilian and Argentine traffic; any request from elsewhere is redirected to a generic Google error page. This suggests the attackers want a tightly controlled operating environment and as little outside scrutiny of their servers as possible.

First published: Nov 22, 2025 07:00 pm
