WhatsApp Worm Targets Users with Banking Malware, Steals Login Information

Cybersecurity researchers have uncovered a sophisticated new campaign targeting WhatsApp users in Brazil with self-propagating malware designed to steal banking credentials and cryptocurrency exchange login information.

The attack, first detected on September 29, 2025, represents a dangerous evolution in social engineering tactics that exploits users’ trust in familiar contacts to spread malicious payloads across messaging networks.

The campaign begins when victims receive seemingly legitimate messages from previously infected WhatsApp contacts through the web-based version of the messaging platform.

These messages contain ZIP archives with names like “NEW-20251001_150505-XXX_XXXXXXX.zip” or use Portuguese terms such as “ORCAMENTO” (Budget) and “COMPROVANTE” (Voucher) to appear authentic.

The messages specifically instruct recipients that the content can only be viewed on a computer, deliberately steering victims away from mobile devices where security protections might be more robust.

Once downloaded, the ZIP file contains a malicious Windows LNK file that triggers a complex multi-stage ...