In recent weeks, a sophisticated cyber threat targeting WhatsApp users has emerged in Brazil, alarming cybersecurity experts. This new malware is designed to steal sensitive information, including banking credentials and cryptocurrency access keys, putting countless individuals at risk.
The lure of this malware often comes disguised as familiar notifications — from delivery confirmations to government alerts. Just one click on these deceptive messages can grant the malware access to the user’s contacts, allowing it to proliferate further while a hidden trojan surreptitiously extracts data.

Mechanisms of Infection
Recent findings from cybersecurity researchers indicate that attackers distribute malicious ZIP files through WhatsApp. These files contain misleading .LNK shortcuts that activate when opened, executing harmful commands that load additional malicious code directly into the device’s memory.
This “fileless” approach enables the malware to evade many traditional antivirus solutions. According to cybersecurity statistics, the infection process also compromises WhatsApp Web sessions, spreading the threat to the victims’ contacts and thereby mimicking worm-like behavior.
One cybersecurity firm reported that there were indications of over 400 affected user environments, with more than 62,000 infection attempts blocked in early October alone.

Identifying the Threats
Reports indicate that two main variants are currently circulating in Brazil. One variant, identified as a banking trojan called Eternidade Stealer, uses a hidden Gmail account to receive commands stealthily.

The second variant, dubbed Maverick, leverages automation techniques that enable it to control WhatsApp Web efficiently. This allows the malware to disseminate harmful messages from compromised accounts.
These malicious programs take extra precautions by assessing local device settings prior to full activation, targeting users primarily in Brazil. Findings reveal that this malware can capture screenshots, monitor keystrokes, and display counterfeit login pages on financial websites.
The scope of the threat is substantial, as it actively targets numerous Brazilian banks, multiple cryptocurrency exchanges, and various payment services.

Social Engineering and Spread
A critical tactic that these attackers employ is to avoid messaging within business or group contexts. This strategy seems tailored to ensure that the messages remain within close personal networks, which limits early detection and increases the likelihood of users falling victim.
Once a family member or friend clicks on a malicious link, the cycle continues with new victims as the worm propagates, leveraging the trust implicit in personal relationships.
The utilization of ubiquitous platforms like Gmail for command and control operations makes it particularly challenging for security teams to isolate and neutralize these threats effectively.

Prevention and Response
Security experts advise immediate action for those potentially compromised. It is crucial to secure financial accounts promptly; freezing accounts or alerting local authorities can mitigate losses significantly.
Implementing robust multi-factor authentication across all financial platforms is essential. Additionally, using withdrawal whitelists can offer extra layers of security. Experts recommend exercising caution and refraining from opening ZIP or .LNK files received via WhatsApp, even from known contacts, unless their authenticity is confirmed through another communication method.
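
One way to act on this advice without opening the attachment, added here as an example and not taken from the researchers' reports: the script below lists Windows shortcuts inside a ZIP by reading member names and the standard Shell Link header in memory, extracting nothing. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex(
    "0114020000000000c000000000000046")


def find_shortcuts(zip_bytes):
    """Return (member name, reason) for every Windows shortcut in the archive.

    Members are read in memory only; nothing is written to disk or executed.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            try:
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            except RuntimeError:
                head = b""  # password-protected member: fall back to the name
            if head == LNK_MAGIC:
                hits.append((info.filename, "shell link header"))
            elif info.filename.lower().endswith(".lnk"):
                hits.append((info.filename, ".lnk extension"))
    return hits


def build_sample():
    """Constructed archive for the demo: harmless bytes, no real shortcut target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("receipt.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        archive.writestr("Doc.LNK", b"not a real link")
        archive.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample()):
        print(f"shortcut found: {name} ({reason})")
```

An empty result only means no shortcut was found; it does not show that the archive is safe.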

Brazil’s Prominent Crypto Landscape
Recent studies, notably by Chainalysis, highlight Brazil’s significant standing in Latin America concerning cryptocurrency usage. The country ranks fifth in the Global Crypto Adoption Index for 2025, showing a vibrant interest and engagement in digital currencies.