Concise Cyber

Eternidade Stealer: Python Worm Exploits WhatsApp to Target Brazilian Users

A cybersecurity campaign has been identified targeting users in Brazil with a Python-based worm that spreads the Eternidade information stealer. The malware propagates through the popular messaging application WhatsApp, leveraging victims’ own accounts to reach new targets. The operation is linked to a threat actor known as the “Enigma Team,” which sells the Eternidade malware as a service on a subscription basis.

Infection and Propagation Mechanism

The attack chain begins when a user receives a malicious message on WhatsApp from an already compromised contact. This message contains a link that, when clicked, downloads a VBScript file. Execution of this script initiates the download of a .NET loader, which is the primary component responsible for installing the malware payloads. This loader deploys two main components onto the victim’s system: the Eternidade information stealer and the Python-based worm. The worm component then gains access to the victim’s active WhatsApp for Web session. It uses this access to automatically send the same malicious message to the victim’s contact list, thereby continuing the infection cycle.
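A defender can hunt for the process lineage this chain implies. The following is an added example, not taken from the article or from any vendor report: it assumes simplified process-creation records, that the VBScript is opened from a browser download, and that the worm runs under a stock Python interpreter name. All hosts, paths and file names are constructed.

```python
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PYTHON = {"python.exe", "pythonw.exe"}  # assumption: worm runs under a stock interpreter name

# Constructed process-creation records: (host, pid, ppid, image, command line).
SAMPLE_EVENTS = [
    ("PC-01", 100, 4, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ("PC-01", 210, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\ana\Downloads\doc.vbs"'),
    ("PC-01", 220, 210, r"C:\Users\ana\AppData\Local\Temp\ldr.exe", "ldr.exe"),
    ("PC-01", 230, 220, r"C:\Users\ana\AppData\Local\Temp\py\pythonw.exe", "pythonw.exe w.py"),
    ("PC-02", 300, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ("PC-02", 310, 300, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\IT\logon.vbs"'),
    ("PC-02", 320, 300, r"C:\Python312\python.exe", "python.exe build.py"),
]

def name(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(image).lower()

def find_chains(events):
    """Return browser -> script host (.vbs) -> ... -> Python lineages."""
    procs = {(h, pid): (ppid, image, cmd) for h, pid, ppid, image, cmd in events}
    children = {}
    for (h, pid), (ppid, _, _) in procs.items():
        children.setdefault((h, ppid), []).append((h, pid))
    findings = []
    for (host, pid), (ppid, image, cmd) in procs.items():
        parent = procs.get((host, ppid))
        if name(image) not in SCRIPT_HOSTS or ".vbs" not in cmd.lower():
            continue
        if parent is None or name(parent[1]) not in BROWSERS:
            continue
        # Depth-first walk of everything the script host spawned, keeping the path.
        stack, seen = [((host, pid), [name(parent[1]), name(image)])], set()
        while stack:
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            for child in children.get(node, []):
                child_path = path + [name(procs[child][1])]
                if child_path[-1] in PYTHON:
                    findings.append({"host": host, "script_pid": pid, "chain": child_path})
                stack.append((child, child_path))
    return findings
```

The sketch ignores PID reuse and time ordering; real telemetry would key processes on a unique process GUID and start time instead of the bare PID.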

Capabilities of the Eternidade Stealer

Once active on a system, the Eternidade stealer is designed to exfiltrate a wide range of sensitive data. Its documented capabilities include stealing saved credentials, cookies, and credit card information from popular web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. The malware also targets cryptocurrency wallets, including Exodus, Atomic, and MetaMask, to steal wallet data. Additional functions include stealing files from the user’s desktop, capturing screenshots of the active screen, and logging keystrokes. The stealer has also been observed exfiltrating credentials from FTP clients like FileZilla and email clients like Thunderbird.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
