Eternidade Stealer: WhatsApp Hijacking for Banking Fraud

Trustwave SpiderLabs researchers have identified a banking Trojan dubbed Eternidade Stealer, distributed through WhatsApp hijacking and social engineering lures. The campaign uses a WhatsApp worm written in Python to spread malicious attachments and an MSI installer that deploys a Delphi-based banking trojan. The malware uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses and targets Brazilian victims by checking the OS language. It scans for strings associated with banking portals, payment services, and cryptocurrency platforms, and activates its next-stage payload when a match is found. The malware also uses hardcoded credentials to log into its email account and retrieve its C2 server, allowing it to update its C2, maintain persistence, and evade detections or takedowns.

Latest mentioned: 11-19

Earliest mentioned: 11-19

Sources

infosecurity-magazine.com trustwave.com thehackernews.com

Also Read

The Gentlemen Ransomware: Rapid Evolution and Dual-Extortion

Cybereason Threat Intelligence Team has analyzed the rapidly evolving ransomware group known as The Gentlemen, which surfaced in mid-2025. The group employs a dual-extortion strategy, encrypting sensitive files and exfiltrating critical business data, threatening to publish it unless a ransom is paid. The ransomware combines advanced encryption techniques with dynamic propagation options, including WMI, PowerShell remoting, and ESXi capabilities. It features enhanced automation, stealth, and performance improvements across Windows, Linux, and ESXi variants. The ransomware is promoted as a Ransomware-as-a-Service (RaaS) on cybercrime forums, offering configurable modes, dual-extortion tactics, and strong affiliate support. The group has published 48 victims on their dark web leak site within a short period, highlighting their aggressive pace and technical sophistication.

11-20Read more →