Eternidade Stealer Banking Trojan Spreads via WhatsApp Worm
Category:Threat Alerts
The Eternidade Stealer banking malware identified by Trustwave SpiderLabs represents an advanced credential-harvesting threat leveraging WhatsApp-based worm propagation and Delphi-compiled payloads. The malware’s infection chain begins with a malicious VBScript loader and progresses to a Python-based messaging worm that steals WhatsApp contact lists using wppconnect APIs. Its functionality maps to MITRE ATT&CK techniques T1566 (Phishing), T1105 (Ingress Tool Transfer), and T1059 (Command and Scripting Interpreter). The campaign’s localization logic, activation triggers, and IMAP-based dynamic C2 retrieval indicate a professionalized Brazilian cybercrime ecosystem. Keywords such as "banking trojan", "WhatsApp malware", and "credential theft campaign" naturally align with this threat. The malware employs multiple layers: a dropper, a WhatsApp worm, an MSI installer, and a Delphi-based stealer with process-hollowing capabilities. As documented :contentReference[oaicite:1]{index=1}, it selectively activates when users open Brazilian banking portals or cryptocurrency wallets, enabling targeted credential overlays and real-time data interception. Its IMAP-controlled C2 architecture provides operational resilience, while geofencing restricts payload activation to Latin American victims. The stealer exfiltrates system metadata, IP addresses, financial application activity, and credential submissions through encrypted channels. From a business perspective, Eternidade Stealer poses significant financial risk to organizations operating in LATAM markets, particularly fintech entities and payment platforms. Its selective banking-target activation and automated propagation increase the probability of credential theft, fraudulent transactions, and downstream account-takeover attacks. Because the malware interacts with WhatsApp messaging infrastructure, enterprises with BYOD and unmanaged mobile device exposure face additional compliance challenges under financial regulations and regional privacy laws. Mitigation requires deploying endpoint protection against Delphi-based payloads, blocking known C2 infrastructure, and monitoring for Python-based automation scripts interacting with messaging APIs. Organizations should educate users about malicious WhatsApp attachments and enforce mobile device management (MDM) telemetry controls for employees accessing financial systems.
CORTEX Protocol Intelligence Assessment
Business Impact: This threat enables banking credential theft at scale with automated WhatsApp-based propagation, creating direct financial fraud exposure for fintechs, banks, and cryptocurrency platforms. Organizations operating in Latin America face heightened regulatory and reputational risk. Technical Context: Eternidade Stealer uses a multi-stage infection chain leveraging VBScript, Python worms, IMAP-based C2 configuration, and Delphi-compiled modules. Its TTPs map to MITRE techniques T1059, T1105, T1566, and T1055 (Process Injection), representing a sophisticated regional crimeware ecosystem.
Strategic Intelligence Guidance
- Deploy EDR signatures for Delphi-based loaders and Python messaging automation.
- Block listed domains and disable unauthorized WhatsApp automation on enterprise endpoints.
- Implement MDM restrictions for devices accessing financial or payment applications.
- Provide regionalized phishing and mobile-malware awareness training for users.
Vendors
Threats
Targets
Intelligence Source: Eternidade Stealer Banking Trojan Spreads via WhatsApp Worm | Nov 20, 2025