A new and sophisticated malware attack is using WhatsApp as an entry point to infect devices with banking trojans, primarily in Brazil. The goal: to steal login credentials for bank accounts and cryptocurrency platforms.
This self-propagating worm, which began circulating on September 29, 2025, is not just any threat. It uses advanced techniques to evade antivirus software and other security measures, deploying its attack in multiple stages to remain undetected.
So far, the malware has already affected over 400 companies and compromised more than 1,000 devices, making it clear that this is a highly effective and well-orchestrated campaign.
Did You Receive a ZIP File via WhatsApp Web? It Could Be a Dangerous Virus
The attack begins when the victim receives a suspicious ZIP file through WhatsApp Web, sent by a contact who has already been infected.
What’s most concerning is the social engineering tactic used: the message claims the file can only be opened on a computer. This tricks the victim into downloading and running the malware directly on their PC or laptop, where it can cause far more damage than on a mobile device.
WhatsApp Message Sent from an Infected Contact (Source: Sophos)
This type of attack is clearly designed to operate in environments where the malware can install itself forcefully, remain active, and deploy its full arsenal without being detected.
During an investigation into several incidents in Brazil, Sophos experts uncovered how this infection mechanism works, combining persistence, automation, and advanced evasion techniques.
The attackers are far from amateurs—they demonstrate a deep understanding of how Windows works internally and how to use administrative tools like PowerShell. They employ highly sophisticated obfuscation techniques to keep the malware hidden for extended periods.
The complexity of the campaign suggests that experienced and well-resourced actors are behind the attack, possibly with ties to organized cybercrime and the Brazilian banking ecosystem.
PowerShell Infection Chain: A Multi-Stage Attack
It all starts with a malicious LNK file hidden inside the ZIP archive received via WhatsApp. This LNK file, which appears harmless, is actually a trap: double-clicking it executes a disguised Windows command that triggers the next step of the attack.
That command is designed to launch a PowerShell script encoded in Base64 to avoid easy detection. This initiates a multi-stage infection chain, crafted to evade antivirus software and gain full control over the infected system.
Infection Chain (Source: Sophos)
The attack continues with a PowerShell script running in the background, silently launching a Windows Explorer process. From there, the malware downloads the next stage of the attack from several command-and-control (C2) servers operated by the attackers.
In this second stage, the PowerShell code showcases the advanced evasion techniques used by the cybercriminals. During analysis, researchers found comments written in Portuguese within the code, where the author explicitly mentions plans to “add an exclusion in Microsoft Defender” and “disable User Account Control (UAC).”
These actions are designed to let the malware operate without restrictions or alerts, bypassing security systems and eliminating the need for user authorization.
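As an added defensive example (not part of this article or the Sophos analysis), the following Python triage routine decodes a PowerShell -EncodedCommand payload found in a process-creation log line and flags the two actions the article says the second-stage script announces (a Defender exclusion and disabling UAC) plus a stage download. The command line and script it inspects are constructed here for illustration.

```python
import base64
import binascii
import re

# Indicators drawn from the article: the Defender exclusion and UAC change the
# stage-2 script announces, plus fetching the next stage from a C2 server.
SUSPICIOUS_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "uac_disable": re.compile(r"\bEnableLUA\b", re.I),
    "stage_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
}

# Common spellings of the -EncodedCommand switch seen in process logs.
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encoded|encodedcommand)$", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                # PowerShell base64-encodes the script as UTF-16LE.
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def triage(cmdline: str) -> dict:
    """Report whether the command was encoded, what it decodes to, and which indicators hit."""
    script = decode_encoded_command(cmdline)
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if script and pat.search(script)]
    return {"encoded": script is not None, "decoded": script, "hits": hits}

def encode_for_powershell(script: str) -> str:
    """Mirror PowerShell's own encoding so the constructed sample below is realistic."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample (not a real capture): a stage-2 script with a Portuguese
# comment announcing the next steps, launched hidden as the LNK's command would.
SAMPLE_SCRIPT = (
    "# proximo passo: adicionar exclusao no Defender e desativar UAC (EnableLUA)\n"
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\n"
)
SAMPLE_CMDLINES = [
    "powershell.exe -WindowStyle Hidden -EncodedCommand " + encode_for_powershell(SAMPLE_SCRIPT),
    "powershell.exe -Command Get-Date",  # benign: not encoded, no indicators
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line)["hits"], line[:60])
```

Feeding real Sysmon Event ID 1 or Security 4688 command lines through triage() is the intended use; an encoded command that hits defender_exclusion or uac_disable deserves an alert regardless of the rest of the script.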
The campaign also adapts to the victim’s environment by downloading one of two different payloads, depending on the system’s characteristics:
- A legitimate browser automation tool (Selenium) along with its corresponding ChromeDriver, which allows attackers to take control of the browser and hijack active WhatsApp Web sessions. This enables the worm to spread automatically to the infected user’s contacts.
- A banking trojan named Maverick, designed to monitor browser traffic and detect connections to Brazilian banks or cryptocurrency platforms. When such activity is detected, it deploys additional .NET-based malware to steal credentials and financial information.
Taken together, these techniques make it clear that this is a highly sophisticated campaign, focused on stealing banking data and spreading malware massively via WhatsApp.
How to Protect Yourself from the WhatsApp Worm
At TecnetOne, we believe the best way to protect yourself from threats like this WhatsApp worm is to stay informed and take precautions before it’s too late. Here are some practical tips to keep your devices safe:
- Be cautious with suspicious files and links: Even if a friend sends it, if you weren’t expecting that ZIP file or link, don’t open it. It’s better to double-check than to regret it later.
- Keep everything up to date: An unpatched system is fertile ground for attacks. Regularly update your operating system, browser, and antivirus software.
- Enable real-time protection: Features like Microsoft Defender or Google Play Protect can detect threats before they cause harm. Make sure they’re turned on.
- Don’t run suspicious files on your PC: Files like .lnk, .exe, or .bat received via WhatsApp Web can be malicious. Don’t open them without verifying their source.
- Share this information with others: Whether it’s with your family or at work, talking about these risks helps prevent more people from falling into the trap.
- Use 2FA and monitor your banking activity: Enable two-factor authentication on your bank accounts and regularly check for any suspicious activity.
Already a Victim? Here’s What to Do:
- Disconnect from the internet immediately
- Scan your device with a trusted antivirus
- Change your passwords from another device
- Contact your bank if you think your data was compromised
At TecnetOne, we’re committed to helping you avoid risks before they turn into problems. Cybersecurity starts with simple, conscious decisions.