Comprehensive Threat Exposure Management Platform
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
Eternidade Stealer represents a significant evolution in Brazil’s WhatsApp-focused cybercrime landscape, discovered in 2025. This sophisticated Delphi-based information stealer malware specifically targets Brazilian users through WhatsApp conversations, affecting multiple platforms including Windows, Linux, MacOS, and Android. The Eternidade Stealer campaign primarily impacts the banking, fintech, and cryptocurrency industries, leveraging advanced social engineering techniques combined with a Python-based WhatsApp worm for rapid propagation.
The Eternidade Stealer malware operates by hijacking WhatsApp Web sessions to distribute malicious files through compromised accounts. This WhatsApp stealer quietly harvests contact lists, performs detailed device reconnaissance, and waits for strategic moments when banking applications or cryptocurrency wallets are active before executing its theft operations. What distinguishes Eternidade Stealer from previous Brazilian malware campaigns is its use of IMAP protocols to dynamically update command-and-control (C2) infrastructure, enabling operators to maintain resilience through server rotation while evading traditional antivirus detection methods.
The Eternidade Stealer threat specifically targets Brazilian Portuguese-speaking users with precision, utilizing geofencing controls that restrict infections to Brazil and Argentina. The malware’s sophisticated architecture includes process hollowing techniques, encrypted communication channels using rotating XOR-based algorithms, and comprehensive data collection capabilities targeting dozens of Brazilian financial institutions, payment services, cryptocurrency exchanges, and digital wallet applications. This WhatsApp-driven malware campaign poses a substantial risk to millions of users who rely on WhatsApp for daily communications and financial transactions.
WhatsApp has increasingly become one of the most exploited platforms for cybercrime operations targeting Brazilian users, with threat actors continuously refining their attack methodologies over the past two years. The evolution from campaigns like Water Saci in 2024 and 2025 demonstrates how cybercriminals have progressed from basic phishing links to sophisticated social engineering schemes. This transformation has enabled the widespread distribution of banker trojans and powerful information stealers like Eternidade directly through WhatsApp conversations, making the messaging platform a primary infection vector for financial malware in Brazil.
Eternidade Stealer stands out as a particularly noteworthy threat due to its innovative use of IMAP email protocols to dynamically update its command-and-control infrastructure. This IMAP-based C2 update mechanism allows malware operators to rotate compromised servers and maintain operational resilience against takedown efforts. The Eternidade malware spreads through a newly developed WhatsApp worm built entirely in Python, representing an evolutionary advancement from earlier PowerShell-based worm variants. This Python WhatsApp worm hijacks active WhatsApp Web sessions to automatically forward malicious attachments to the victim’s entire contact list.
The Eternidade Stealer infection chain initiates with an obfuscated VBScript that serves as the primary dropper, downloading both the Python-based WhatsApp worm component and a malicious MSI installer package that hosts the main stealer payload. Once the malware executes on the compromised system, it immediately harvests the victim’s complete WhatsApp contact list using specialized library functions. The Eternidade Stealer then filters out group accounts and business accounts from the contact list, exfiltrating the remaining personal contacts in plaintext format directly to the attacker’s command-and-control server.
The MSI installer component impersonates legitimate business communications by sending contextually appropriate, time-based greetings and personalized messages to all extracted contacts. This social engineering tactic increases the likelihood of victim engagement. While distributing these convincing messages, the Eternidade malware simultaneously transmits malicious attachments designed to infect additional victims, creating a self-propagating worm effect through WhatsApp networks.
The Eternidade Stealer performs comprehensive reconnaissance operations on infected systems, including detailed operating system language checks, antivirus software enumeration through Windows Management Instrumentation (WMI) queries, and extensive system telemetry collection. Critically, the malware includes geolocation restrictions that ensure activation only on systems configured with Brazilian Portuguese language settings. This precise targeting mechanism prevents accidental infections outside the intended victim demographic and reduces the malware’s exposure to security researchers operating in other regions.
The Eternidade Stealer demonstrates a mature and modular architecture designed for stealth and persistence. A Delphi-compiled injector component performs advanced process hollowing operations by decrypting an embedded .dmp file and injecting the complete stealer payload into the legitimate Windows svchost.exe process. This process injection technique allows Eternidade to execute malicious operations while appearing as a trusted system process to security software. After successful injection, the Eternidade malware checks Windows registry keys to establish persistence mechanisms and begins comprehensive data harvesting operations by enumerating all open application windows on the compromised system.
The Eternidade Stealer specifically targets dozens of Brazilian banks, payment processing services, cryptocurrency exchanges, and digital wallet applications. The malware maintains an extensive database of financial application signatures that it continuously monitors for active sessions. The stealer retrieves its primary command-and-control server address using hardcoded IMAP email account credentials, providing a resilient fallback mechanism. If the IMAP-based C2 retrieval fails, Eternidade automatically falls back to a preset list of backup domains to maintain operational continuity.
Once connected to its command-and-control infrastructure, the Eternidade Stealer communicates through heavily encrypted channels utilizing a sophisticated rotating XOR-based decryption algorithm that changes dynamically to evade network signature detection. The malware supports numerous attacker commands for comprehensive data collection operations, including overlay injection capabilities for capturing banking credentials, keystroke logging functionality for password theft, and hidden chat interaction features that allow operators to conduct financial transactions invisibly from the victim’s perspective.
Analysis of the Eternidade Stealer backend infrastructure reveals a sophisticated traffic management system using redirector dashboards to manage infections and enforce strict geofencing rules. The redirector infrastructure implements granular access filtering that permits connections only from devices located in Brazil and Argentina while blocking all other geographic locations. Security telemetry from the operator panel shows that 451 out of 453 connection attempts were blocked and redirected to a benign Google error page, demonstrating the effectiveness of these geographic restrictions.
Despite these stringent geographic controls, the Eternidade infrastructure logged attempted traffic from 38 different countries, with the majority of connection attempts originating from desktop systems. This broad exposure highlights the widespread reach of the malware even beyond its intended target regions. The backend infrastructure incorporates advanced security features including anti-bot protections to prevent automated analysis, VPN and proxy blocking mechanisms to deter security researchers, IP allowlisting for authorized operators, and behavioral filtering systems that identify and block suspicious connection patterns. These sophisticated infrastructure controls demonstrate a well-organized and actively maintained cybercrime operation with professional-grade operational security measures.
Users must exercise extreme caution when receiving unexpected WhatsApp messages, particularly those containing file attachments, embedded links, or urgent requests labeled as “important updates.” Even when messages appear to originate from known contacts within your WhatsApp network, verification before opening any attachments is essential. The Eternidade Stealer malware possesses the capability to automatically forward itself from infected accounts without the legitimate account holder’s knowledge, making messages from trusted contacts potentially dangerous. Always independently verify suspicious messages through alternative communication channels before interacting with any content.
The Eternidade Stealer specifically targets systems configured with Brazilian Portuguese language settings as part of its geolocation filtering mechanisms. Users should regularly monitor their operating system language and regional configuration settings for any unexpected modifications. Unauthorized changes to language preferences or regional settings may indicate system tampering or malware infection attempts. If you notice unexplained alterations to these critical system settings, immediately investigate the changes and conduct comprehensive security scans to identify potential compromise.
Since Eternidade Stealer hijacks logged-in WhatsApp Web browser sessions to propagate malicious content, users must regularly audit all active WhatsApp Web devices linked to their accounts. Access your WhatsApp account settings and review the complete list of authorized devices with active WhatsApp Web sessions. Immediately log out of any unfamiliar devices, browsers, or sessions that you do not recognize or did not personally authorize. Implement a routine schedule for reviewing and pruning WhatsApp Web sessions to minimize exposure windows for session hijacking attacks.
Given that Eternidade Stealer specifically targets banking applications, fintech platforms, cryptocurrency exchanges, and digital wallet services, users must enable comprehensive account monitoring and alerting systems. Configure immediate notifications for all login attempts, fund transfers, withdrawal transactions, and account modifications across all financial services. Real-time alerts provide early warning indicators of unauthorized access attempts and enable rapid response to potential account compromise before significant financial losses occur.
Organizations and individual users should deploy next-generation antivirus (NGAV) solutions and endpoint detection and response (EDR) platforms capable of identifying and blocking sophisticated malware like Eternidade Stealer. Modern endpoint protection must leverage behavioral analysis engines and machine learning-based detection algorithms that can identify suspicious activity patterns indicative of information stealer infections. These advanced security solutions provide protection against emerging threats that evade traditional signature-based antivirus detection methods through obfuscation, encryption, and polymorphic techniques employed by malware like Eternidade.
Eternidade Stealer malware samples identified by SHA1 hash values:
Eternidade Stealer distribution URLs and command-and-control endpoints:
Eternidade Stealer command-and-control domains and infrastructure:
Eternidade Stealer command-and-control IP addresses:
TA0001 – Initial Access: Eternidade Stealer gains initial access through phishing operations, specifically utilizing T1566 Phishing techniques with T1566.003 Spearphishing via Service, leveraging WhatsApp as the primary delivery mechanism for malicious content distribution to targeted Brazilian users.
TA0002 – Execution: The Eternidade malware executes through multiple command and scripting interpreters (T1059), including T1059.005 Visual Basic Script for the initial dropper component and T1059.006 Python for the WhatsApp worm propagation module.
TA0003 – Persistence: Eternidade Stealer establishes persistence using T1547 Boot or Logon Autostart Execution techniques, specifically T1547.001 Registry Run Keys and Startup Folder modifications to ensure the malware survives system reboots.
TA0005 – Defense Evasion: The Eternidade Stealer employs multiple defense evasion techniques including T1036 Masquerading to appear as legitimate processes, T1140 Deobfuscate/Decode Files or Information for runtime unpacking, T1055 Process Injection with T1055.012 Process Hollowing into svchost.exe, and operates through encrypted channels protected by T1573 Encrypted Channel communications.
TA0006 – Credential Access: Eternidade captures sensitive authentication credentials through T1056 Input Capture techniques, specifically T1056.001 Keylogging functionality that records all keyboard inputs including passwords, PINs, and authentication codes entered by victims.
TA0007 – Discovery: The Eternidade Stealer performs comprehensive reconnaissance using multiple discovery techniques including T1082 System Information Discovery for OS fingerprinting, T1047 Windows Management Instrumentation for antivirus enumeration, T1518 Software Discovery for installed application detection, T1057 Process Discovery for monitoring running applications, and T1083 File and Directory Discovery for identifying valuable data locations.
TA0010 – Exfiltration: Stolen data from Eternidade Stealer infections is exfiltrated using T1041 Exfiltration Over C2 Channel, transmitting harvested credentials, financial data, and system information back to attacker-controlled command-and-control infrastructure through encrypted connections.
TA0011 – Command and Control: Eternidade Stealer maintains persistent command-and-control communications through T1071 Application Layer Protocol techniques, specifically T1071.001 Web Protocols for C2 communications, with innovative use of IMAP email protocols for dynamic C2 server updates and resilient infrastructure management.
Eternidade Stealer and WhatsApp-Based Banking Trojan Research:
Get through updates and upcoming events, and more directly in your inbox