A new WhatsApp worm is sweeping through Brazil, stealing bank logins and crypto keys from ordinary users, security firms warn.
Victims get a message that looks familiar — a delivery note, a government alert, or an invite to a group — and one click can let the threat spread through their contacts while a hidden trojan strips data from their machines.
This “fileless” step helps the malware avoid some antivirus tools. Based on reports, the infection also hijacks WhatsApp Web sessions to send the same bait to the victim’s friends, making the attack behave like a worm.
One analyst group said more than 400 “customer environments” and over 1,000 endpoints showed signs of compromise, while another firm blocked roughly 62,000 infection attempts in the first 10 days of October.
The other, known as Maverick, relies on automation tools such as WPPConnect to operate WhatsApp Web and to push malicious messages from infected accounts.
The threats look for local settings before fully activating, checking timezone and language so the code runs mainly on machines set to Brazil.
The list of targets is wide: it includes 26 Brazilian banks, six crypto exchanges, and one payment platform.
The attackers appear to avoid business or group contacts. That choice seems designed to keep messages within small personal circles and to reduce early detection.
Once a contact family or friend opens the link, the same cycle can repeat. Because the worm spreads by using trusted accounts, people are more likely to fall for the bait.
The use of widely available services like Gmail for control instructions makes it harder for defenders to block a single command server.
According to security experts, if funds are at risk, act fast. Freeze or lock accounts when possible, alert your exchange or bank, and report the incident to local authorities.
Featured image from Gemini, chart from TradingView
