Particle.news

WhatsApp Worm in Brazil Delivers 'Eternidade Stealer' to Target Banking and Crypto

Trustwave SpiderLabs says the campaign uses IMAP email for dynamic control, targeting only devices set to Brazilian Portuguese.

Overview

  • Researchers detailed a two‑stage infection that starts with an obfuscated VBScript dropping a Python WhatsApp worm alongside an MSI/AutoIt installer for the Delphi‑based trojan.
  • The worm hijacks WhatsApp Web via the WPPConnect library, steals full contact lists, filters out groups and business accounts, and auto‑sends personalized Portuguese messages with malicious attachments.
  • Lures observed include fake government programs, delivery notifications, and fraudulent investment group invitations designed to trick users into opening files or links.
  • The trojan checks for Brazilian Portuguese before activating, uses process hollowing to inject into svchost.exe, and supports keystroke logging, screenshots, file theft, and overlay credential theft against banks, fintechs, and crypto wallets.
  • Operator infrastructure shows C2 details retrieved over IMAP with fallback addresses and strict geofencing to Brazil and Argentina; the panels logged 454 connection attempts and 452 blocks. The researchers advise defenders to watch for suspicious WhatsApp activity and for unexpected MSI or script execution.
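The chain summarized above (a VBScript dropper handing off to a Python worm and an MSI installer, then a trojan hollowed into svchost.exe) can be watched for with a few process-tree heuristics. The following is an added detection example, not code from Trustwave SpiderLabs or from this article: it mirrors Sysmon Event ID 1 field names (Image, ParentImage, CommandLine) and runs over constructed sample events, not telemetry from the campaign. The binary names, path markers, and the rule that legitimate svchost.exe instances are created by services.exe are assumptions a practitioner should tune to their own environment.

```python
"""Added example: heuristic process-creation checks for the infection chain
described above. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine). All sample events below are constructed, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Binaries the first stage hands off to per the report: the MSI installer
# and the Python interpreter running the worm (assumed process names).
DROPPED_STAGE_BINARIES = {"msiexec.exe", "python.exe", "pythonw.exe"}
# Path fragments that indicate a user-writable location (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the findings for one process-creation event (empty list = benign)."""
    img, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line.lower()
    findings: List[str] = []
    # 1. A script host spawning msiexec or Python: the dropper-to-payload hand-off.
    if parent in SCRIPT_HOSTS and img in DROPPED_STAGE_BINARIES:
        findings.append(f"script host {parent} launched {img}")
    # 2. msiexec installing a package that lives in a user-writable directory
    #    instead of an admin-deployed share or Program Files.
    if img == "msiexec.exe" and any(m in cmd for m in USER_WRITABLE_MARKERS):
        findings.append("msiexec package from user-writable path")
    # 3. A script host running a .vbs from a user-writable directory: the
    #    "unexpected script execution" the researchers warn about.
    if img in SCRIPT_HOSTS and ".vbs" in cmd and any(m in cmd for m in USER_WRITABLE_MARKERS):
        findings.append(f"{img} running .vbs from user-writable path")
    # 4. svchost.exe not created by services.exe. Service hosts are started by
    #    the Service Control Manager, so another parent is a common sign of a
    #    hollowed or otherwise injected svchost. Heuristic: extend the allowlist
    #    if your environment has legitimate exceptions.
    if img == "svchost.exe" and parent != "services.exe":
        findings.append(f"svchost.exe with unexpected parent {parent}")
    return findings

def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that triggered a rule."""
    hits: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits[idx] = findings
    return hits

# Constructed sample events (file names and paths are invented for illustration).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\wscript.exe",
              r'msiexec.exe /i "C:\Users\ana\AppData\Local\Temp\update.msi" /qn'),
    ProcEvent(r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
              r"C:\Windows\System32\wscript.exe",
              r"python.exe C:\Users\ana\AppData\Local\Temp\w.py"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\ana\AppData\Local\Temp\installer.exe",
              r"svchost.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",       # benign service host
              r"C:\Windows\System32\services.exe",
              r"svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\ana\Downloads\comprovante.vbs"'),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, findings)
```

Each rule is deliberately narrow so the findings stay explainable; in practice rule 4 needs an allowlist built from baseline telemetry, and the path markers should be adapted to the host's locale and layout.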