New Banking Trojan Identified, Distributed Through WhatsApp
Nov. 21, 2025, 1:29 a.m.
Description
A new banking Trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It's spread via a WhatsApp worm campaign using a Python script. The attack chain involves an obfuscated VBScript, a batch file, and an MSI installer deploying the Trojan. Eternidade Stealer targets Brazilian victims, checks for specific banking and cryptocurrency applications, and uses sophisticated techniques for credential harvesting and maintaining persistence. The malware communicates with its C2 server using encrypted commands and can deploy fake overlays to steal banking information.
Date
- Created: Nov. 20, 2025, 2:17 a.m.
- Published: Nov. 20, 2025, 2:17 a.m.
- Modified: Nov. 21, 2025, 1:29 a.m.
Indicators
Additional Information
- Finance
- Argentina
- Brazil