A new WhatsApp worm is sweeping through Brazil, stealing bank logins and crypto keys from ordinary users, security firms warn. Victims get a message that looks familiar — a delivery note, a government alert, or an invite to a group — and one click can let the threat spread through their contacts while a hidden trojan strips data from their machines. How The Worm Spreads According to security reports , attackers send ZIP files over WhatsApp that contain a malicious .LNK shortcut. When opened, that shortcut runs deceptive commands which load more code into memory so little is written to the hard drive. This “fileless” step helps the malware avoid some antivirus tools. Based on reports, the infection also hijacks WhatsApp Web sessions to send the same bait to the victim’s friends, making the attack behave like a worm. One analyst group said more than 400 “customer environments” and over 1,000 endpoints showed signs of compromise, while another firm blocked roughly 62,000 infection attempts in the first 10 days of October. Targets And Techniques Reports have disclosed two main strains that are active in Brazil. One is a banking trojan called Eternidade Stealer that uses a Gmail account as a hidden command channel. The other, known as Maverick, relies on automation tools such as WPPConnect to operate WhatsApp Web and to push malicious messages from infected accounts. The threats look for local settings before fully activating, checking timezone and language so the code runs mainly on machines set to Brazil. Security researchers say the malware can snapshot screens, log keystrokes, and overlay fake login pages on banking or exchange websites. The list of targets is wide: it includes 26 Brazilian banks, six crypto exchanges, and one payment platform. Smart Filtering Makes It Worse The attackers appear to avoid business or group contacts. That choice seems designed to keep messages within small personal circles and to reduce early detection. Once a contact family or friend opens the link, the same cycle can repeat. Because the worm spreads by using trusted accounts, people are more likely to fall for the bait. The use of widely available services like Gmail for control instructions makes it harder for defenders to block a single command server. What To Do If You’re Exposed According to security experts, if funds are at risk, act fast. Freeze or lock accounts when possible, alert your exchange or bank, and report the incident to local authorities. Enable strong multi-factor authentication on every financial account and use withdrawal whitelists where offered. According to experts, do not open ZIP or .LNK files from WhatsApp , even from known contacts, without verifying by a separate message or a phone call. Brazil At No. 5 Chainalysis figures show Brazil sits at the top of Latin America in crypto use, and the country holds the fifth spot in the platform’s 2025 Global Crypto Adoption Index Top 20. Featured image from Gemini, chart from TradingView
