Executive Summary
In early 2024, a sophisticated infostealer campaign dubbed 'Eternidade' began targeting Brazilian Portuguese–speaking WhatsApp users. The attackers distributed a trojan combining phishing, credential theft, and worm-like self-propagation via compromised WhatsApp messages. Victims were lured with messages containing malicious links; once infected, devices exposed sensitive banking credentials and personal data to attackers. The malware leveraged localized tactics and social engineering to increase infection rates and circumvent traditional perimeter defenses, leading to widespread compromise across individual users and organizations reliant on WhatsApp for communication. The rapid spread, data loss, and potential for further extortion amplified business and consumer risks.
This breach signals the growing sophistication of infostealer operations, especially their ability to exploit trusted communication apps in regionally tailored attacks. The incident raises alarm over encrypted-messaging-based malware and highlights gaps in endpoint and messaging security as threat actors increasingly weaponize social communication platforms.
Why This Matters Now
With messaging platforms now critical to business and social operations, the ability of infostealer trojans to self-propagate and steal credentials via WhatsApp marks a significant escalation. The incident underscores urgent zero trust and segmentation needs as attackers bypass legacy email and web channels, targeting trust relationships and internal traffic through widely adopted apps.
Attack Path Analysis
The attacker initiated the campaign by delivering a malicious payload—disguised as a WhatsApp-themed infostealer—in phishing messages targeting Brazilian users. Upon execution, the malware leveraged user permissions to gain unauthorized access, and may have attempted privilege escalation on the host. The worm’s self-propagating nature enabled lateral movement between systems by exploiting user contacts and networks. Once established, the infostealer established command and control via outbound connections to attacker infrastructure. Sensitive banking credentials and stolen data were exfiltrated over unmonitored or insufficiently encrypted channels. Ultimately, the breach could result in compromise of financial accounts, further propagation, and reputational or operational impact.
Kill Chain Progression
Initial Compromise
Description
Users were tricked into installing the WhatsApp 'Eternidade' Trojan through phishing messages or malicious links, enabling initial access.
Related CVEs
CVE-2021-24027
CVSS 9.8A buffer overflow vulnerability in WhatsApp allows remote attackers to execute arbitrary code via a specially crafted image.
Affected Products:
WhatsApp WhatsApp Messenger – < 2.21.1.13
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Attachment
Command and Scripting Interpreter
Exploitation of Remote Services
Ingress Tool Transfer
Credential Dumping: Password Dumping
Input Capture: Keylogging
Exfiltration Over Web Service
User Execution: Malicious File
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for User Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management: Safeguards and Controls
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Strong Identity and Least Privilege
Control ID: Identity Pillar: Authentication/Access Control
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target for Brazilian Portuguese infostealer combining banking credential phishing with data theft capabilities, requiring enhanced egress security and threat detection measures.
Financial Services
High-risk sector facing targeted credential theft attacks through self-propagating WhatsApp trojan, necessitating zero trust segmentation and anomaly detection implementations.
Telecommunications
Critical infrastructure vulnerability through WhatsApp platform exploitation enabling malware propagation, requiring encrypted traffic monitoring and east-west traffic security controls.
Information Technology/IT
Essential sector for implementing threat detection capabilities and multicloud visibility controls to prevent lateral movement of self-propagating infostealer malware.
Sources
- WhatsApp 'Eternidade' Trojan Self-Propagates Through Brazilhttps://www.darkreading.com/threat-intelligence/whatsapp-eternidade-trojan-self-propagates-brazilVerified
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Deviceshttps://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.htmlVerified
- SpiderLabs IDs New Banking Trojan Distributed Through WhatsApphttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-ids-new-banking-trojan-distributed-through-whatsapp/Verified
- WhatsApp-Based Malware Exfiltrates Contacts to Attack Server and Installs Additional Payloadshttps://cyberpress.org/whatsapp-based-malware/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, robust egress controls, encrypted traffic inspection, and threat detection would have restricted malware propagation and prevented or alerted on command-and-control, lateral movement, and data exfiltration. CNSF-aligned controls like granular east-west segmentation, inline anomaly detection, and egress filtering would have contained the Eternidade Trojan and minimized business impact.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection and alerting on suspicious application or user behavior.
Control: Multicloud Visibility & Control
Mitigation: Visibility into permission changes and suspicious access escalations.
Control: Zero Trust Segmentation
Mitigation: Prevents east-west propagation between workloads and segments.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound connections to external attacker infrastructure.
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Detects and prevents data exfiltration over unencrypted or suspicious encrypted channels.
Minimized business impact through autonomous inline policy enforcement and detection.
Impact at a Glance
Affected Business Functions
- Online Banking
- Payment Processing
- Customer Support
Estimated downtime: 5 days
Estimated loss: $5,000,000
The malware exfiltrated sensitive customer data, including banking credentials and personal information, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust segmentation to block unauthorized east-west lateral movement and containment of worm activity.
- • Enforce robust egress filtering and outbound policy to prevent malware C2 and data exfiltration.
- • Deploy inline encryption and intrusion prevention to detect and block malicious payloads in transit.
- • Centralize visibility and anomaly detection across all workloads and cloud regions for early-stage threat identification.
- • Automate incident response using distributed policy enforcement and real-time network isolation to limit operational impact.
