Eternidade Stealer
Eternidade Stealer is a Delphi-based banking trojan and credential stealer targeting users in Brazil, particularly Brazilian Portuguese-language systems. It has been reported by Trustwave SpiderLabs and later observed by Microsoft in a November 2025 WhatsApp abuse campaign using a multi-stage, worm-like infection chain. Distribution relies on WhatsApp hijacking and Portuguese-language social engineering lures. Reported infection chains use an obfuscated VBScript that drops a batch file, installs Python dependencies, launches a Python-based WhatsApp worm, and downloads a malicious MSI installer that deploys the stealer via AutoIt/Delphi components.
The WhatsApp propagation component harvests victims' contact lists from WhatsApp Web, exfiltrates the contact data, and sends personalized malicious attachments or messages to those contacts from the hijacked accounts. Eternidade Stealer itself profiles the host, collecting the computer name, OS version and build, username, local and public IP addresses, date and time, and installed security software. It checks the OS language and aborts unless the system is configured for Brazilian Portuguese. To identify antivirus, firewall, and antispyware products, it enumerates running processes, registry uninstall keys, and WMI security-product data.
The malware continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency platforms. Reported targets include Santander, Itaú, Caixa, Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet. Reported capabilities include credential theft, banking overlays or fake login overlays, active-window monitoring, WhatsApp contact theft, dynamic command-and-control discovery, process hollowing, keylogging-related functions, screenshot capture, file transfer or theft, chat/backdoor functionality, and hidden banking overlays targeting Caixa Econômica Federal and Banco do Brasil. Trustwave reported that a Delphi injector performs process hollowing into svchost.exe.
A notable feature is dynamic C2 retrieval via IMAP over SSL using hardcoded email credentials to parse recent email content for updated C2 information; if retrieval fails, the malware falls back to a hardcoded domain. Reported campaign infrastructure and IOCs include hxxps://itrexmssl[.]com/jasmin/altor/receptor[.]php, domimoveis1[.]com.br, serverseistemasatu[.]com, varegjopeaks[.]com, centrogauchodabahia123[.]com, alentodolcevitad[.]com, miportuarios[.]com, mazdafinancialsevrices[.]com, adilsonralfadvocaciad[.]com, and IPs 103.84.176[.]107, 104.21.48[.]41, 162.120.71[.]56, 185.169.234[.]139, 83.229.17[.]71, 140.99.164[.]172, and 174.138.187[.]2. Trustwave also reported the WhatsApp worm sample SHA-256 as 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1 and noted an infection marker at HKEY_CURRENT_USER\Software\MeuApp with value Inicio.
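As an added example (not code from the original reporting or from Mallory), the following Python refangs the defanged network indicators listed above and matches them against DNS, proxy and firewall log lines; the log lines and the 10.0.x.x client addresses are constructed for the demonstration.

```python
import re

# Defanged network indicators as published in the reporting summarised above.
DEFANGED_IOCS = [
    "hxxps://itrexmssl[.]com/jasmin/altor/receptor[.]php",
    "domimoveis1[.]com.br",
    "serverseistemasatu[.]com",
    "varegjopeaks[.]com",
    "103.84.176[.]107",
    "174.138.187[.]2",
]
# Host-side marker from the same reporting (HKCU\Software\MeuApp, value "Inicio")
# can be matched in endpoint registry telemetry alongside these network IOCs.


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with live telemetry."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":")


def host_of(ioc: str) -> str:
    """Extract the bare host (domain or IP) from a URL or host indicator."""
    bare = re.sub(r"^[a-z]+://", "", refang(ioc), flags=re.IGNORECASE)
    return bare.split("/")[0].lower()


def match_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line, host) pairs for each log line referencing an indicator host.

    Word boundaries stop 'varegjopeaks.com' matching 'xvaregjopeaks.com', while a
    leading '.' is still permitted so subdomains of a listed domain are caught.
    """
    hosts = {host_of(i) for i in iocs}
    patterns = {h: re.compile(r"(?<![\w-])" + re.escape(h) + r"(?![\w-])") for h in hosts}
    return [(line, h) for line in lines for h, pat in patterns.items() if pat.search(line.lower())]


# Constructed sample DNS/proxy/firewall lines; not real telemetry.
SAMPLE_LOGS = [
    "2025-11-18T10:02:11Z dns query A domimoveis1.com.br from 10.0.4.12",
    "2025-11-18T10:02:13Z proxy GET https://itrexmssl.com/jasmin/altor/receptor.php 10.0.4.12",
    "2025-11-18T10:05:00Z dns query A mail.example.com from 10.0.4.12",
    "2025-11-18T10:06:40Z fw allow tcp 10.0.4.12:51234 -> 103.84.176.107:443",
    "2025-11-18T10:07:01Z dns query A evil.varegjopeaks.com from 10.0.4.20",
    "2025-11-18T10:08:15Z dns query A xvaregjopeaks.com from 10.0.4.21",
]

if __name__ == "__main__":
    for line, host in match_logs(SAMPLE_LOGS):
        print(f"HIT {host}: {line}")
```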
The campaign is described as Brazil-focused but with broader global exposure attempts, and primarily targets desktop systems. Reporting attributes the activity to Brazilian threat actors, but no specific named threat group is provided in the content.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...a Delphi-based banking trojan named Eternidade Stealer..."; "A Delphi-based credential stealer, Eternidade continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets..."
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
"New Eternidade Stealer Uses WhatsApp to Steal Banking Data" / "spreading via personalised WhatsApp messages"
Mac users are encountering deceptive websites—often through Google Ads or malicious advertisements... During November 2025, Microsoft Defender Experts identified a WhatsApp platform abuse campaign... sends malicious attachments to all contacts using predefined messaging templates.
Execution
6 techniques
These campaigns leverage fileless execution, native macOS utilities, and AppleScript automation... Execution of various commands and scripts via osascript and sh.
The activity begins with an obfuscated Visual Basic script that drops a malicious batch file launching PowerShell instances to download payloads.
When executed, the script drops a batch file that downloads and executes payloads: a WhatsApp-propagating worm and an MSI installer that deploys a Delphi-based banking trojan.
The campaign begins via an obfuscated VBScript, with most of its comments written in Portuguese.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
Attacks involved the use of an obfuscated VBScript loading a Python-based WhatsApp worm
Defense Impairment
1 technique
Credential Access
3 techniques
Other commands observed are: activating keylogging features, sending captures or files, and other capabilities: ... <|REQUESTKEYBOARD|>
Discovery
6 techniques
It then enumerates all windows via the “EnumWindows” API, collects the following attributes... Window Title, Class Name, Executable Path.
The sample demonstrates a clear and highly localized targeting logic. It continuously scans active windows and running processes for strings associated with Brazilian banking portals, fintech services, and cryptocurrency platforms.
It contains functions that gather system telemetry, the external IP via an api.ipify.org call, and local IP collection... Gathered information: Computer name, OS version and build, Username, Local and public IP address, Current date and time, Installed antivirus, firewall and anti-spyware software...
The malware searches for .tda or .dmp files in the installation folder... If found, it first loads the .tda file...
Lateral Movement
1 technique
Collection
5 techniques
data from banking apps by Santander, Itau, Caixa, and Bradesco, as well as Binance and MercadoPago, are then exfiltrated by Eternidade Stealer
Other commands observed are: activating keylogging features, sending captures or files, and other capabilities: ... <|REQUESTKEYBOARD|>
Eternidade Stealer: New Python WhatsApp Worm Uses IMAP Email for Covert C2 and Brazilian Bank Overlays
Command and Control
6 techniques
One of the payloads is a Python script that establishes communication with a remote server... Communication to command and control server.
Eternidade Stealer: New Python WhatsApp Worm Uses IMAP Email for Covert C2 and Brazilian Bank Overlays
Decrypting the strings, we found that the malware uses multiple commands to communicate with the C2 server. The malware waits for incoming messages from the C2 and parses them to determine which function to run. It implements multiple sockets, each dedicated to a specific function.
The malware downloads this library from GitHub to gain programmatic access to WhatsApp.
One notable feature of this malware is that it uses hardcoded credentials to log into its email account, from which it retrieves its C2 server. It is a very clever way to update its C2... If the malware cannot connect to the email account, it uses a hardcoded fallback C2 address.
Exfiltration
1 technique
IOCs tracked for this family
39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Delphi-based banking trojan/stealer distributed via WhatsApp hijacking/social engineering; uses IMAP to retrieve C2 addresses dynamically; targets Brazil.
Infostealer delivered via a multi-stage chain abusing WhatsApp; uses scripts (VBScript/PowerShell) and a Python component to propagate via hijacked WhatsApp accounts, then installs via MSI to steal banking, payment, and cryptocurrency credentials.
Information stealer distributed via WhatsApp-based social engineering to compromise financial and cryptocurrency accounts.
A Delphi-based credential stealer delivered in a WhatsApp abuse campaign via a malicious MSI installer. It monitors active windows and running processes for banking, payment, and cryptocurrency-related strings to steal credentials and access to financial and crypto accounts.