A sophisticated cybercrime campaign is exploiting hijacked WhatsApp accounts to disseminate a banking trojan named Eternidade Stealer in Brazil. According to cybersecurity researchers, the attackers leverage social engineering to compromise user devices and siphon sensitive financial data. The campaign’s hybrid method of messaging app abuse and modular malware payloads signals how threat actors are evolving their tactics in Latin America.
A Hybrid Attack Using Social Engineering and Messaging Platforms
Attackers Are Abusing WhatsApp Trust to Deliver Malware Payloads
The campaign initiates with threat actors compromising WhatsApp accounts through credential theft or session hijacking. Once an account is under their control, attackers send malware-laced messages to the victim’s contacts, exploiting the inherent trust users have in known senders. This use of an infected account to propagate malware ensures a higher success rate for infection and reduces suspicion.
Victims receive messages, often pretending to be urgent requests or enticing financial opportunities, which lead them to download and execute a malicious file. That file acts as the initial dropper for the Eternidade Stealer banking trojan. The malware is written in Delphi, a rarity in contemporary malware development that may help it evade certain detection mechanisms.
Eternidade Stealer: A Modular Trojan Built for Data Theft
Capabilities Include Bank Credential Theft, Data Exfiltration, and Remote Access
Once delivered, Eternidade Stealer activates its data-harvesting routines. It is specifically designed to:
- Capture login credentials for banking and financial services
- Steal browser-stored passwords and session cookies
- Monitor clipboard data for cryptocurrency wallet addresses
- Record keystrokes and capture screenshots
- Enable file exfiltration and remote access for post-infection activity
This comprehensive feature set aligns with the behaviors of other banking trojans targeting Latin America in recent years, particularly those that focus on credential theft and manipulation of banking sessions.
Command-and-Control Communications via IMAP
C2 Infrastructure Uses Email Protocol to Avoid Detection
A notable technical characteristic of this campaign is the use of Internet Message Access Protocol (IMAP) for command-and-control (C2) communications. Instead of relying on hardcoded server addresses or typical HTTP tunnels, Eternidade Stealer dynamically retrieves its C2 endpoints from email inboxes.
This unusual technique complicates detection and takedown efforts. Since email activity over IMAP is common and often encrypted, it blends into legitimate traffic and makes monitoring more difficult for defenders. It also allows operators to remotely update C2 instructions without needing to push out new malware builds.
Targeting Brazilian Victims Using Regional Tactics
Geographically Specific Campaign Uses Language and Messaging Cues Familiar to Victims
Security analysts say the campaign is geographically focused on Brazil. Indicators include the use of localized Portuguese-language lures and messages typical of regional scams. The attackers appear to have selected their tactics to maximize engagement with Brazilian users who rely heavily on WhatsApp for daily communication.
This campaign reflects a continued trend of regionally targeted malware—optimized for local languages, banking platforms, and user behaviors. These tactics enhance the efficacy of both the social engineering and the technical components of the attack.
Implications for Cyber Defense
Companies Should Prepare for Messaging Platform Abuse and IMAP Tunnels
The Eternidade Stealer campaign underscores several emerging trends:
- Messaging platforms like WhatsApp are increasingly becoming distribution vectors for malware.
- Social engineering continues to be a powerful mechanism, especially when combined with compromised trusted accounts.
- Threat actors are adopting less conventional protocols like IMAP to evade traditional network security tools.
Organizations operating in affected regions should strengthen user education around messaging app scams, enforce multi-factor authentication (MFA) for account protection, and monitor email protocol usage for anomalies. Detection logic that flags unusual IMAP activity, such as IMAP sessions opened by processes that are not mail clients, or the execution of unexpected Delphi executables, may help mitigate risk.
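One concrete form of the IMAP anomaly check suggested above, covering the C2-over-IMAP behaviour described earlier: the script below is an added example, not code from the original report or from any vendor, and it assumes an EDR or firewall export of per-process network events in a CSV layout (the column names, the sample rows, the process names and the mail-client allowlist are all constructed for illustration). It flags hosts where a process outside the allowlist opened connections to IMAP ports.

```python
"""Flag outbound IMAP connections from processes that are not known mail clients.

Added example, not from the original report. The CSV layout, process names and
allowlist are assumptions; adapt parse_events() to your own EDR/firewall export.
"""
import csv
from collections import defaultdict
from io import StringIO

IMAP_PORTS = {143, 993}           # plain IMAP and IMAP over TLS
# Assumed allowlist of mail clients that are expected to speak IMAP on managed hosts.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample of per-process network events (timestamp,host,process,dst_ip,dst_port).
SAMPLE_LOG = """\
timestamp,host,process,dst_ip,dst_port
2024-01-10T09:01:12Z,WS-041,outlook.exe,203.0.113.10,993
2024-01-10T09:02:30Z,WS-041,chrome.exe,203.0.113.20,443
2024-01-10T09:05:44Z,WS-077,fatura.exe,198.51.100.7,993
2024-01-10T09:06:01Z,WS-077,fatura.exe,198.51.100.7,993
2024-01-10T09:07:15Z,WS-102,thunderbird.exe,203.0.113.10,143
2024-01-10T09:09:58Z,WS-077,updater.exe,198.51.100.9,143
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with an integer destination port."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        events.append(row)
    return events


def find_suspicious_imap(events, allowlist=KNOWN_MAIL_CLIENTS):
    """Return {(host, process): [dst_ip, ...]} for IMAP traffic from non-allowlisted processes.

    Non-IMAP ports are ignored; allowlisted mail clients are ignored; everything
    else talking IMAP is grouped per host and process so an analyst sees which
    binary reached which mailbox server, and how often.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev["dst_port"] not in IMAP_PORTS:
            continue
        if ev["process"].lower() in allowlist:
            continue
        hits[(ev["host"], ev["process"])].append(ev["dst_ip"])
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), ips in find_suspicious_imap(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {proc} opened {len(ips)} IMAP connection(s) to {sorted(set(ips))}")
```

On the constructed sample this reports two findings on WS-077 (fatura.exe and updater.exe) and nothing for the two genuine mail clients; in production, tune the allowlist per host group rather than globally.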
Conclusion
As regional cybercrime campaigns grow more sophisticated, the use of WhatsApp hijacking combined with versatile banking trojans like Eternidade Stealer represents a serious threat to both individual users and financial institutions. Cyber defenders must adapt quickly—improving both behavioral threat detection and user awareness—if they are to stay ahead of attackers leveraging social trust as their primary weapon.