⚠️ Trustwave SpiderLabs experts have identified a new scam targeting users via WhatsApp. The trojan is called Eternidade Stealer (Portuguese for “Eternity”) and spreads through social engineering: attackers disguise messages as coming from “friends,” acquaintances, or fake investment chats. A single click is enough for the malware to gain access to the entire app, contacts, and the device as a whole.
The main feature of the trojan is that it is specifically designed for cryptocurrencies. Once installed, the trojan scans apps and wallets, including Binance, OKX, Coinbase, MetaMask, Trust Wallet, Ledger Live, Phantom, and others. As soon as the user opens any crypto application, the data theft module is activated, sending all information about transactions, private keys, and account details to the attackers.
The highest activity has been recorded in Brazil, where WhatsApp is the main communication channel and one of the most popular tools in the country’s cybercrime ecosystem. Over the past two years, attackers have significantly improved their methods, turning simple phishing links into complex social engineering schemes. They use fake delivery notifications, bogus government programs, and fraudulent investment groups sent via WhatsApp messages and groups.
Message received via WhatsApp during the preparation of this report.
Technical details
Eternidade is written in Delphi, providing high efficiency and easy integration with Windows. The trojan uses the IMAP protocol to dynamically retrieve command-and-control (C2) addresses, allowing attackers to update control of the trojan in real time. Previously, PowerShell scripts were used for similar attacks, but now Python scripts are used, making the attack more flexible and harder to detect.
Delphi has long been a foundation for software development in Latin America, allowing many developers to easily move into the underground scene. Free access to source codes, cracked IDEs, and Portuguese-language tutorials made Delphi a convenient tool for creating banking trojans. Early successful projects created a feedback loop: new trojans were built on the experience of previous ones, maintaining high Delphi usage among Brazilian cybercriminals even today.
Attack chain of the malicious program Eternidade Stealer.
Why this matters
The threat is far from theoretical. It is active now and can affect any WhatsApp user worldwide. During the research of the trojan, real cases of receiving malicious VBScript files were recorded, confirming the campaign’s activity.
For the cryptocurrency market, this is especially dangerous: attacks on wallets and exchanges through the trojan can potentially lead to significant financial losses, leaks of private keys, and compromise of transaction data. It is a signal to all users: no device is safe, and attention to crypto asset security must be maximal.
What to do:
- Do not open links or attachments from unknown or suspicious contacts.
- Verify official sources of any investment groups or news.
- Use antivirus software and keep systems updated.
- Store cryptocurrency in “cold” wallets, offline if possible.
- Enable two-factor authentication and backup keys.
💡 Conclusion: WhatsApp has once again shown itself as a channel used by attackers for mass distribution of trojans. The threats are now directed directly at crypto systems, and this is no longer just a potential risk — it is a real, active attack requiring users’ utmost caution.
By the way, here you can buy legendary hardware wallets for beginners with all basic features!
All content provided on this website (https://wildinwest.com/) -including attachments, links, or referenced materials — is for informative and entertainment purposes only and should not be considered as financial advice. Third-party materials remain the property of their respective owners.