Trustwave SpiderLabs researchers have identified a new and rapidly evolving banking Trojan—dubbed Eternidade Stealer—that hijacks WhatsApp, steals contact lists, and deploys banking overlays through a complex multi-stage infection chain. Distributed via a WhatsApp worm written in Python, the malware showcases an unusual blend of Delphi, AutoIt, VBScript, and IMAP-based C2 retrieval, highlighting Brazil’s increasingly sophisticated cybercrime ecosystem.
WhatsApp continues to be a prime delivery mechanism for Latin American cybercriminals. The report explains that: “WhatsApp continues to be one of the most exploited communication channels in Brazil’s cybercrime ecosystem.” Threat groups now rely on evolved schemes ranging from fake government programs to fraudulent investment groups.
The Eternidade campaign begins with an obfuscated VBScript, which drops a batch file that downloads:
- A WhatsApp-propagating worm (Python)
- A malicious MSI installer (Delphi Trojan)
This marks a strategic shift: “The WhatsApp worm used in the campaign is written in Python, in contrast to the PowerShell variants reported recently.”
The worm script itself is massive—over 1,300 lines of code—and is designed to automate messaging, steal contacts and session data, and mass-distribute malware.

A key part of the campaign is WhatsApp contact exfiltration. The malware abuses wppconnect JavaScript APIs, injected directly into WhatsApp Web.
Trustwave highlights: “The campaign’s critical function is ‘obter_contatos()’, which allows the malware to steal victims’ entire WhatsApp contact lists.” The script filters out groups and business accounts to maximize phishing success.
Immediately after collecting contacts, the worm sends them to the C2: “There is no delay, and no user interaction is needed.”
The malware automatically sends targeted WhatsApp messages crafted to appear legitimate.
The greeting adjusts based on time:
- bom dia (good morning)
- boa tarde (good afternoon)
- boa noite (good evening)
The report notes, “The message template can be changed remotely by attackers via the C2 server.”
The campaign then pushes a malicious attachment to all contacts, allowing the worm to spread quickly across WhatsApp networks.
Eternidade Stealer uses strong regional filtering: “The malware only targets Brazilian victims by checking the OS language… If not detected as Brazilian Portuguese, it displays an error message and aborts execution.”
Once running, it performs:
- Security product enumeration
- Network reconnaissance
- System profiling via OBTERINFOADICIONAL()
Collected data includes: “Computer name, OS version, username, IP addresses, installed antivirus… and more.”
Eternidade Stealer remains quiet until it detects a banking app or crypto wallet.
It monitors active windows for strings associated with:
- Major Brazilian banks (Bradesco, Itaú, Santander)
- Payment apps (MercadoPago, Stripe)
- Crypto platforms (Binance, Coinbase, Trust Wallet)
The report shows: “When it detects a match… the malware immediately decrypts and activates its next-stage payload.”
One of Eternidade’s most advanced features is its ability to retrieve new C2 addresses from an attacker-controlled email inbox using IMAP.
Trustwave writes, “The malware uses hardcoded credentials to log into its email account, from which it retrieves its C2 server… a very clever way to update its C2 and evade network-level detections.” If inbox parsing fails, it falls back to a hardcoded domain.
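One defender-side way to hunt for the behaviour described above is to watch for two signals together: a process that is not a mail client opening an IMAP/IMAPS connection, and a DNS lookup of the fallback domain named in the report. The script below is an added example written for this page, not Trustwave's or the malware's code; the log format, the mail-client allow-list and the sample log lines are all constructed for the example, and the process name `updater.exe` is a placeholder rather than a real indicator.

```python
"""Added detection example: flag IMAP use by non-mail-client processes and
DNS lookups of the report's defanged fallback C2 domain. Log lines are
constructed for this example and follow a made-up EDR-style format."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports used by plain IMAP (143) and IMAP over TLS (993).
IMAP_PORTS = {143, 993}

# Processes expected to speak IMAP. Assumption: tune per environment.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Fallback C2 domain from the report, stored defanged as indicator feeds usually ship it.
IOC_DOMAINS_DEFANGED = {"serverseistemasatu[.]com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') into a matchable lowercase form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed log format: ts|host|process|event|detail
#   event=conn -> detail is dst_ip:dst_port
#   event=dns  -> detail is the queried name
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<proc>[^|]+)\|(?P<event>conn|dns)\|(?P<detail>.+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    process: str
    reason: str


def analyze_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious log line, or None for benign/unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proc = m["proc"].strip().lower()
    if m["event"] == "conn":
        # rsplit on the last ':' so bracketed IPv6 destinations still parse.
        try:
            port = int(m["detail"].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            return None
        if port in IMAP_PORTS and proc not in EXPECTED_MAIL_CLIENTS:
            return Alert(m["ts"], m["host"], proc,
                         f"non-mail-client process used IMAP port {port}")
    else:  # dns
        name = m["detail"].strip().lower().rstrip(".")
        if name in IOC_DOMAINS:
            return Alert(m["ts"], m["host"], proc,
                         f"DNS lookup of known fallback C2 domain {name}")
    return None


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Run analyze_line over a log stream and keep only the alerts, in input order."""
    return [a for a in (analyze_line(l) for l in lines) if a is not None]


# Constructed sample telemetry; addresses are documentation/test ranges.
SAMPLE_LOGS = [
    "2025-11-20T10:01:02Z|WS-01|outlook.exe|conn|203.0.113.10:993",   # normal mail client
    "2025-11-20T10:01:05Z|WS-01|updater.exe|conn|198.51.100.7:993",   # IMAP from odd process
    "2025-11-20T10:01:09Z|WS-01|updater.exe|dns|serverseistemasatu.com",  # fallback C2 lookup
    "2025-11-20T10:01:11Z|WS-01|chrome.exe|conn|[2001:db8::1]:443",    # ordinary HTTPS
    "not a log line",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.host} {alert.process}: {alert.reason}")
```

In practice the IMAP rule is the more durable of the two, because the report notes the inbox is used precisely to rotate C2 addresses; the hardcoded domain only matters when inbox parsing fails, so a DNS-only detection would miss the primary channel.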
SpiderLabs even accessed the threat actor’s email, revealing the attacker left two-factor authentication disabled.
The malware supports a wide list of backdoor commands, including full-screen overlays for banking credential theft.
Examples include:
- <|PedidoSenhas|> for password overlays
- <|CE_ASSI|> and <|CE_TRANS|> for CAIXA credential theft
- <|CB_SEN|> for Banco do Brasil overlays
Further analysis shows that the Eternidade campaign also deploys:
- A Delphi injector using process hollowing
- A custom stream cipher similar to Casbaneiro and Amavaldo
- AutoIt loaders with AV evasion
- MSI-based deployment with encrypted payloads
This is a modular, actively developed malware family.
Trustwave traced the initial domain (serverseistemasatu[.]com) to a cluster of IPs hosting additional threat-actor panels.
The investigation uncovered:
- An operator login panel
- A Redirector System with geofencing
- Logs showing 453 blocked connections, mostly non-Brazilian
- Victim communications from 38 countries, with the US leading
Despite Brazilian targeting logic, the global footprint is unmistakable.