Overview
- Researchers have logged 477 infections to date, with 457 in Brazil, and messages often urge victims to open files on a PC, pointing to a desktop and corporate focus.
- Malicious ZIPs sent over WhatsApp or email contain Windows shortcuts (.lnk files) that run scripts, for example through PowerShell, to install persistent malware under attacker control.
- If a WhatsApp Web session is active, the malware auto‑forwards the same file to contacts and groups, which can trigger spam detection and account bans.
- The strain monitors browsing and aims to steal banking and crypto credentials, with major Brazilian institutions including Banco do Brasil, Itaú, Bradesco, Caixa and Santander cited as targets.
- WhatsApp advises opening files only from trusted senders, while Trend Micro recommends disabling automatic downloads, disconnecting WhatsApp Web when unused, keeping systems and antivirus updated, and tightening corporate file‑sharing policies.
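
A triage check for the delivery method described above (a ZIP carrying a Windows shortcut that hands off to a script interpreter), as an added example that is not code from Trend Micro, WhatsApp or the original report. It flags shortcuts by their Shell Link header as well as by name and descends into nested ZIPs; the interpreter watch list, the size and depth limits, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Assumed watch list of interpreters a shortcut target may invoke.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")
MAX_DEPTH = 3                  # nested-archive recursion limit
MAX_MEMBER = 5 * 1024 * 1024   # declared-size cap per member

def interpreters_in(data):
    """Watch-list names present in raw bytes as ASCII or UTF-16LE, any case."""
    low = data.lower()
    return [n for n in INTERPRETERS
            if n.encode("ascii") in low or n.encode("utf-16-le") in low]

def scan_zip(data, prefix="", depth=0):
    """Report shortcuts (by header or by name) in a ZIP, descending into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                findings.append({"path": path, "kind": "uninspected", "interpreters": []})
                continue  # encrypted or oversized: report it rather than skip silently
            body = zf.read(info)
            is_lnk = body.startswith(LNK_MAGIC)  # catches shortcuts given another extension
            if is_lnk or info.filename.lower().endswith(".lnk"):
                kind = "lnk-by-header" if is_lnk else "lnk-by-name"
                findings.append({"path": path, "kind": kind, "interpreters": interpreters_in(body)})
            elif depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(body)):
                findings += scan_zip(body, path + "!", depth + 1)
    return findings

def build_sample():
    """Constructed archive: text file, double-extension shortcut, nested renamed shortcut."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe".encode("utf-16-le")
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("photo.jpg", LNK_MAGIC + b"\x00" * 56 + b"CMD.EXE")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample")
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56 + ps)
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

The substring match is a coarse signal for quarantine or manual review, not a parse of the shortcut's target and arguments.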