What would you do if your WhatsApp account suddenly began sending messages you never typed and, worse, began recruiting your contacts into a malware campaign? That is the stark dilemma facing users in Brazil after cybersecurity researchers disclosed a scheme that pairs WhatsApp account hijacking with a Delphi-based banking trojan called Eternidade Stealer.
The campaign, described in reporting by cybersecurity outlets, uses social engineering to gain access to victims’ WhatsApp sessions and then propagates through victims’ contact lists, spreading a payload that is notable both for its Delphi origins and for how its command-and-control infrastructure is resolved in real time. According to the reporting, the threat retrieves C2 addresses dynamically via Internet Message Access Protocol (IMAP), making static blocklists less effective and giving operators agile control over infected systems. The Hacker News has published the full technical write-up and indicators of compromise for those who need to investigate further: https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html
Background: Trojan families evolve, and so do their plumbing and social tactics. Banking trojans historically focused on credential theft and transaction manipulation; more recent campaigns blend credential theft with lateral propagation and data exfiltration. Eternidade Stealer stands out because its core binary is written in Delphi—an older but still viable compiled language—while the campaign around it leverages modern distribution techniques, including messaging-platform abuse and dynamic C2 resolution via IMAP. The result is a hybrid that combines legacy malware code with agile, cloud-enabled communications.
What we know about the current campaign
- Initial vector: attackers perform social-engineering steps that lead to WhatsApp account takeover or session abuse—techniques can include SIM swapping, social-engineered backup restoration, or tricking users into granting sessions to malicious devices.
- Propagation method: once a WhatsApp account is controlled or abused, the campaign sends malicious links or files to the victim’s contact list, leveraging trust networks to increase click-through rates.
- Payload and capabilities: the delivered payload is the Delphi-based Eternidade Stealer, a banking trojan designed to harvest credentials, browser-stored data, and potentially one-time passwords and session tokens relevant to financial access.
- Command-and-control resilience: the campaign uses IMAP to fetch C2 addresses dynamically, enabling operators to update infrastructure without pushing new binaries to victims—a tactic that complicates takedowns and static detection.
Why the IMAP trick matters
Using IMAP to retrieve C2 addresses is clever at two levels. Technically, it abstracts the malware’s control plane from the binary itself, allowing the operator to move, rotate, or otherwise mutate endpoints without altering distributed executables. Operationally, IMAP-based lookup can blend in with normal mail traffic and make the C2 retrieval step look like legitimate mailbox activity. This means defenders who rely on fixed lists of malicious hosts or on signature-based detection may see a weakened signal.
Context from wider trends
The adoption of scripting languages, cloud tunneling, and dynamic C2 has become more common across campaigns; recent research has shown other threat actors delivering Python-based payloads and using Cloudflare or similar tunneling services to obscure communications. This campaign’s mix of an older compiled trojan with modern distribution and C2 mechanisms reflects a broader pattern: attackers combine familiar, tested malware with newer delivery and concealment strategies to evade detection and amplify reach .
Who is affected and how badly
At present the most-at-risk population appears to be users in Brazil, where the attackers have concentrated social-engineering lures tailored to the local context and language. Because WhatsApp is a primary communication channel for many Brazilians, abuse of that platform amplifies reach and trust—friends and family receiving a message are far more likely to click than a random email.
In practical terms, compromised users face several risks:
- Financial loss through stolen credentials and session tokens.
- Privacy violations via exfiltration of messages, photos, and contact lists.
- Reputational and secondary harm to contacts who receive malicious messages from a known account.
Perspectives to consider
Technologists: Security teams must treat messaging platforms as first-class threat surfaces. Detection should include behavioral indicators—unexpected device changes, rapid contact messaging, and unusual IMAP traffic patterns—rather than relying solely on static file signatures. Network defenders should monitor for anomalous IMAP connections and correlate them with suspicious endpoint behavior.
Policymakers: Regulation and industry standards can push messaging platforms to harden account recovery and session management. Simple changes—like stronger, less-fragile multi-factor authentication for account restoration, rate limits on session activation, and clearer user notifications about active sessions—could materially raise the cost of hijacking campaigns.
Users: Practice skepticism even with messages from trusted contacts. If a WhatsApp contact sends an unexpected link or file, verify via a second channel (a call, SMS, or in-person) before opening. Enable platform protections such as two-step verification, review active sessions regularly, and treat account restoration messages with caution.
Adversaries: For criminal operators, this campaign illustrates an economical truth: combine trusted communication channels with automated infrastructure tricks and you can multiply infections while complicating detection. For defenders, it means adapting to adversaries who reuse reliable malware cores and focus innovation on delivery and command infrastructure.
What defenders can do now
- Raise user awareness about account-hijacking vectors and verification practices.
- Monitor for abnormal IMAP traffic and implement rules that flag hostnames or mailbox activity inconsistent with organizational norms.
- Harden WhatsApp account recovery and session notification procedures within organizations that rely on the platform for business communications.
- Share indicators of compromise and IOCs with industry information-sharing groups and with endpoint vendors capable of blocking known Delphi-based binaries and their behaviors.
Limitations and open questions
Public reporting gives a view into discovered samples and techniques, but it rarely captures the full operational scope: how many systems are infected, the identity or location of operators, and whether the campaign is a targeted fraud ring or a broader commodified operation. Those unknowns matter for response priorities and for determining whether a takedown is feasible.
Conclusion
We are reminded that innovation in cybercrime often looks a lot like creative recombination—old tools repurposed with new plumbing. A Delphi trojan riding the trust rails of WhatsApp and steering itself with IMAP-based C2 is not a science-fiction surprise so much as an applied economics lesson: attackers reuse what works and adapt around defenses. The question for defenders, policymakers, and everyday users is whether detection, policy, and personal vigilance can adapt faster than this adversarial improvisation. If not, how many more trusted conversations will be weaponized before we make the necessary changes?
Source: https://thehackernews.com/2025/11/python-based-whatsapp-worm-spreads.html




