WhatsApp 'Eternidade' Trojan Self-Propagates Through Brazil
Recorded: Nov. 20, 2025, 4:02 p.m.
Original

The infostealer specifically targets Brazilian Portuguese speakers and combines malware designed to phish banking credentials and steal data, a worm, and some uniquely Brazilian quirks.

Nate Nelson, Contributing Writer
November 20, 2025
4 Min Read
Source: jozef sedmak via Alamy Stock Photo

A new Trojan is making the rounds in Brazil, spreading as a worm through WhatsApp, and then duping people into giving up their banking credentials.

Senior security research manager Karl Sigler and his colleagues at LevelBlue were able to penetrate the command-and-control (C2) infrastructure supporting the "Eternidade" stealer. There, he reports, they discovered somewhere in the neighborhood of 10,000 infected systems — a testament to just how doggedly the program is spreading to specific demographics of victims, through their trusted social media.

Eternidade Half 1: The Worm

Eternidade comes in two halves. The first is a worm, designed to automatically grab a victim's full list of WhatsApp contacts and send them all a copy of itself.

Instead of crudely spreading as far and wide as it possibly can, though, the program filters out all of a victim's labeled business contacts, and any group chats. The idea, the researchers think, is that the infections most likely to succeed are those that arrive in the form of personalized, direct messages from friends and family.

The malware also has a couple of little tricks to enhance the credibility of that message.
The malware autofills a recipient's name in the phishing message they receive, and it includes a "Good morning," "Good afternoon," or "Good evening" (in Portuguese), depending on the actual time of day the message is sent. Message templates can also be further configured by the attackers through their C2 infrastructure.

The other element of note is that the malware's dropper file initially was written in PowerShell, but newer variants are Python. "Most droppers, especially with what we're seeing in Brazil, typically are written in PowerShell," Sigler says. "[Malware authors] are expecting Windows on the end machine, so they execute with PowerShell. Using Python could be indicative of what the skill set was for the authors of the malware."

Or more intriguingly, it could be an indication of the threat actors' intentions: "That they're looking to expand [Eternidade] into something that's multiplatform, which they could run on Linux, or on Mac," Sigler says.

Eternidade Half 2: The Trojan

The Trojan half of Eternidade is more multifunctional. It checks that a victim's operating system (OS) language is set to Brazilian Portuguese, and whether the host machine is part of a corporate network or sandbox environment. It identifies security programs running on the system, and gathers a variety of other system data, all to make sure that victims are ordinary Brazilian individuals before proceeding with malicious activity.

If all of those checks pass, the final stealer payload will be loaded and executed. This component is written in Delphi, a formerly quite popular programming language that has since fallen out of fashion in most parts of the world, but remains a "cornerstone" of Brazil's cybercrime scene, according to LevelBlue. As Sigler explains it, "Brazil to a certain extent is isolated, being the only country in Latin America with Portuguese. A lot of the education programs in Brazil are targeted specifically for Brazil. So that also provides a not completely isolated environment, but one that's more focused. And Delphi is one of the things they focused on." The result has been "one of those odd evolutions. While other programming languages and scripting languages caught on a lot more in other places, I think probably the computer science and IT programs [in Brazil] really sort of folded in Delphi because it was already popular, and that made it more popular."

Delphi does possess some advantages when building something like a stealer. "It's easy to learn, and it's very straightforward. It can't do a lot of really complex things, but for things like this — downloading, gathering system information, sending system information off to another domain, Delphi works great," he says.

The stealer begins its job by scanning for active running windows and processes that indicate that the victim is using a banking, cryptocurrency, or fintech website. Targeted services include the Bank of Brazil, Santander, Stripe, Coinbase, Binance, Metamask, Ledger Live, and dozens more. Should a victim visit any one of these platforms, the malware will serve them a typical overlay designed to solicit their login credentials for the attacker.

The malware can also run a variety of remote commands for downloading, uploading, and exfiltrating files, capturing screenshots, logging keystrokes, etc. More interesting, though, is how it can avoid the complications of C2 takedowns.

In addition to all the effort they put into making sure that the malware will only ever render for intended victims, the attackers also built Eternidade to automatically adjust its C2 domain simply using an email. They did it by hardcoding credentials into the malware, which the malware uses to connect to and read from an attacker-controlled email domain. If cybersecurity defenders ever manage to take down Eternidade's C2, the attackers can simply craft an email with the location of a new C2 address, and the malware will immediately know where to take its new orders from.

"It's pretty interesting," Sigler says. "We really haven't run across that much."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
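The email-based C2 fallback the article describes leaves a network footprint that defenders can hunt for: a process that is not a mail client polls a mailbox, and shortly afterwards opens a connection to a destination it has never contacted before (the freshly announced C2). The following is an added detection sketch written for this page; it is not code from the article or from LevelBlue's research. The log format, the host and process names, and the hostnames are constructed for the example and are not indicators from the reporting. The mail ports (POP3/IMAP) and the ten-minute follow-on window are assumptions, since the article only says the malware "reads from an attacker-controlled email domain".

```python
"""
Added example: hunt for the "mailbox poll, then new destination" pattern
in endpoint network-connection telemetry. Everything below (log format,
process names, hostnames, ports, time window) is constructed or assumed;
none of it is an indicator from the article or the LevelBlue research.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

MAIL_PORTS = {110, 143, 993, 995}                        # POP3/IMAP, plain and TLS (assumed)
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # allowlist; tune per environment
FOLLOW_ON_WINDOW = timedelta(minutes=10)                 # assumed: how soon after a poll a new destination is suspicious


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str
    process: str
    dst: str
    port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed 'timestamp host process dst:port' record."""
    ts, host, process, target = line.split()
    dst, port = target.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), host, process.lower(), dst, int(port))


def detect(lines):
    """
    Return a list of (rule, host, process, detail) alerts.

    Rule 1: a process outside the mail-client allowlist talks to a mail port.
    Rule 2: within FOLLOW_ON_WINDOW of such a poll, the same process contacts
            a destination it has never been seen contacting before.
    """
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    alerts = []
    last_poll = {}           # (host, process) -> time of last suspicious mailbox poll
    seen = defaultdict(set)  # (host, process) -> destinations already contacted
    for c in conns:
        key = (c.host, c.process)
        if c.port in MAIL_PORTS:
            if c.process not in KNOWN_MAIL_CLIENTS:
                alerts.append(("mail-poll-by-non-mail-process", c.host, c.process, f"{c.dst}:{c.port}"))
                last_poll[key] = c.ts
        elif key in last_poll and c.ts - last_poll[key] <= FOLLOW_ON_WINDOW and c.dst not in seen[key]:
            alerts.append(("new-destination-after-mail-poll", c.host, c.process, c.dst))
        seen[key].add(c.dst)
    return alerts


# Constructed sample telemetry (not real logs). Outlook polling mail is benign;
# "updater.exe" is a made-up process name standing in for an unknown binary.
SAMPLE_LOG = """
2025-11-20T09:00:00 PC-01 outlook.exe mail.example-corp.test:993
2025-11-20T09:01:00 PC-01 outlook.exe teams.example-corp.test:443
2025-11-20T09:02:00 PC-01 updater.exe cdn-a.example.test:443
2025-11-20T09:03:00 PC-01 updater.exe mail.free-mail.test:993
2025-11-20T09:05:00 PC-01 updater.exe cdn-b.example.test:443
2025-11-20T09:06:00 PC-01 updater.exe cdn-a.example.test:443
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, the Outlook lines produce nothing, the unknown process's mailbox poll fires the first rule, and its subsequent connection to a never-before-seen host fires the second; the later reconnection to an already-known host is not flagged. In practice the allowlist and the baseline of known destinations should be built from the environment's own history rather than hardcoded.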
Summarized

The proliferation of the “Eternidade” Trojan worm within Brazil represents a significant and evolving cyber threat, meticulously engineered and deployed by sophisticated actors. As detailed by LevelBlue security research manager Karl Sigler, this malware’s multi-faceted approach—combining a worm, a phishing-based stealer, and a uniquely tailored Brazilian operational style—has facilitated widespread infection and data compromise.

The initial propagation mechanism is a worm designed to automatically replicate itself across a victim’s WhatsApp contact list, a strategy that bypasses broader, less targeted attacks. Crucially, the worm filters out business contacts and group chats, indicating a deliberate focus on personal communications—likely to maximize the perceived trustworthiness of the malicious payload. The design incorporates subtle manipulations—automatic name completion and time-based greeting messages—to enhance the credibility of the messages and increase the likelihood of victims clicking through the phishing links.

The core functionality of "Eternidade" is a multi-component Trojan. Initially, the system checks the operating system language for Brazilian Portuguese, and assesses whether the host machine is part of a corporate network or a sandbox environment. This targeted approach enables the malware to specifically assess whether the target represents an ordinary Brazilian individual or a more controlled environment. The malware then gathers a range of system data in preparation for the final, malicious action. The malware is written in Delphi, a programming language that remains surprisingly prevalent in Brazil’s cybersecurity landscape, owing in part to the focused education programs available within the country.

The technical sophistication of “Eternidade” highlights several key elements. The malware’s ability to dynamically adapt its command-and-control (C2) infrastructure via email demonstrates a proactive defense against takedown attempts. This capability, detailed by Sigler, represents a highly unusual, and potentially significant, development in the malware’s evolution. The core of this redirection relies on hardcoding credentials within the malware itself, allowing it to automatically reconfigure its connections if the original C2 servers are identified and taken down.

Furthermore, the malware's targeting capabilities demonstrate a detailed understanding of Brazilian fintech and banking infrastructure. “Eternidade” scans for active running windows and processes that indicate the victim is using online banking, cryptocurrency, or fintech services—targets encompassing institutions like the Bank of Brazil, Santander, and popular platforms like Coinbase and Binance, along with commonly used tools such as Metamask and Ledger Live. The malware then employs a standard phishing overlay, designed to solicit login credentials, commonly found in compromised banking or financial applications. The malware's ability to execute remote commands—downloading, uploading, and exfiltrating files, and capturing screenshots and keystrokes—extends its reach and the level of information it can extract from infected systems.

The malware's use of Delphi, combined with its careful assessment of target environments and versatile command execution capabilities, suggests a sophisticated understanding of both the technological and operational landscape of Brazil's cybersecurity scene. The adaptability of the C2 infrastructure—automatically reconfiguring via an email—marks a notable evolution. The ongoing threat posed by “Eternidade” emphasizes the need for robust security measures, including proactive monitoring, endpoint detection and response (EDR) solutions, and thorough user education, especially within Brazilian communities. As Nate Nelson highlights, this malware’s tailored approach—combining a worm, a tailored stealer, and a strategically focused C2 infrastructure—represents a refined and concerning tactic within the current global cyber threat landscape, requiring vigilant defense strategies.