Pulse Detail — Threat Intelligence

PULSE NAME

Heimdall Security Research from ISH Tecnologia analyzes the WhatsWorm campaign leading to the implementation of Eternidade Stealer.

WHITE IcaroCesar 2025-11-24 Modified: 2025-11-24

IOCs

LOW VOLUME

↓ CSV ↓ JSON

Heimdall Security Research at ISH Tecnologia has identified an advanced malware dissemination campaign via WhatsApp, called WhatsWorm. The threat uses Python automation to spread malicious files among contacts and install Eternidade Stealer, a banking trojan focused on stealing credentials and sensitive data. The attack combines multiple phases, obfuscation techniques, in-memory execution, use of Process Hollowing, and communication with C&C servers – a pattern increasingly present in campaigns targeting the Brazilian public.

WhatsWorm Eternidade Stealer

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1193 T1059.006 T1059.001 T1059.005 T1070.004 T1218.007 T1055.012 T1071.003 T1071.001 T1020 T1140 T1027

Indicators of Compromise (10)

All FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-SHA256	0d1174292357f91d0d6721aefecd19873a8b27d295d1c6089efaa455c453a0aa	—	2025-11-24
FileHash-SHA256	fb71f48345e3568b7e7ba1eb5078b055b7350673a92379dba231fd66dbd9dadc	—	2025-11-24
FileHash-SHA256	ce24c65c285ff240a7555fafb85f53843085092e9133e1f8558a0f2898952737	—	2025-11-24
FileHash-SHA256	495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3	—	2025-11-24
FileHash-SHA256	de07516f39845fb91d9b4f78abeb32933f39282540f8920fe6508057eedcbbea	—	2025-11-24
FileHash-SHA256	bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1	—	2025-11-24
FileHash-SHA256	6e6ca850804982086b8d34e092ee0d5ed047fdc2bea18a55c360c317dd1d19d9	—	2025-11-24
domain	013net.com.br	—	2025-11-24
domain	empautlipa.com	—	2025-11-24
domain	coffe-estilo.com	—	2025-11-24

References (1)

↗ https://ish.com.br/wp-content/uploads/2025/11/Analise-da-Campanha-do-WhatsWorm-levando-a-implementacao-do-Eternidade-Stealer-1.pdf