A major cybercrime campaign is sweeping across Brazil, this time riding directly through victims’ WhatsApp Web sessions. Security researchers at K7 Labs revealed a multi-stage attack chain that infects a user’s machine, hijacks their already-open WhatsApp Web session, and automatically sends malware to all their contacts, leveraging the trust between friends, family, and colleagues.
According to K7 Labs’ report, the malware doesn’t stop at spreading: it also loads a capable banking trojan directly into memory, targeting Brazil’s largest financial institutions and cryptocurrency users.
This is one of the most advanced social-engineering-driven campaigns of the year, and it shows how cybercriminals are becoming increasingly creative in exploiting everyday apps.
How the Infection Starts: A Simple Phishing Email
The campaign begins with something deceptively ordinary:
A phishing email delivering a ZIP file containing a heavily obfuscated VBS script.
Once executed, the script:
- Downloads additional malware components
- Installs Python, ChromeDriver, and Selenium automation tools
- Launches a Python script called whats.py, the heart of the WhatsApp-spreading mechanism
The attackers use character-code (charcode) and XOR encoding of the script to evade antivirus detection, a hallmark of the broader Water-Saci threat campaigns previously seen across Brazil.
Weaponizing WhatsApp Web
The whats.py script does something particularly dangerous: it uses the victim’s already-authenticated WhatsApp Web browser session to send malware to contacts; no QR code scan is required, because the session was linked by the victim themselves.
It does so by:
- Stealing browser session files from Chrome, Firefox, or Edge
- Re-using the victim’s WhatsApp Web session with Selenium
- Injecting malicious JavaScript, fetched from GitHub, into the WhatsApp Web page
- Sending the payload automatically to filtered contacts (excluding groups and businesses)
Contacts receive:
- A friendly message
- The malware file (assembled as an in-memory blob inside the browser, rather than attached from disk, to evade detection)
- A follow-up message making the interaction feel natural and trustworthy
Because the message appears to come from someone they know, victims are far more likely to open the malicious file.
Part Two: Banking Trojan Loads Directly Into Memory
Alongside the WhatsApp-spreading module, the attackers deploy a highly capable banking trojan, delivered through an MSI package that uses AutoIt to stage it.
It features:
- In-memory execution (avoiding disk writes to evade antivirus tools)
- Targeted surveillance of banking and crypto apps
- Credential theft
- Browser history analysis for Brazilian bank visits
- System reconnaissance (OS, IP, AV presence, hardware specs)
- Automatic execution when banking windows appear
Targets include Brazil’s largest financial institutions:
- Caixa
- Bradesco
- Itaú
- Santander
- Banco do Brasil
…and major crypto services such as Binance, Coinbase, Kraken, Mercado Bitcoin, and more.
The malware only “activates” when a victim interacts with one of these banks or exchanges, so it stays quiet on machines that never visit a target and draws little attention until it has something to steal.
Why This Campaign Matters Globally – Including MEA
While this campaign currently hits Brazil, the techniques used (WhatsApp Web session hijacking, browser automation scripts, in-memory payload delivery) can easily be replicated elsewhere.
Countries across the Middle East and Africa, where WhatsApp is widely used for personal and business communication, should take note. Social-engineering-based malware propagation is far more effective in regions where WhatsApp is a dominant communication platform.
Organizations in MEA should proactively strengthen their awareness programs and review their endpoint defenses.
What Security Teams Should Do Now
- Educate employees about ZIP-based phishing and malicious script files.
- Block execution of VBS, BAT, and unknown scripts via enterprise policies (for example, application control rules, or changing the default handler for .vbs files away from wscript.exe so a double-click opens them in a text editor).
- Deploy endpoint detection solutions capable of blocking in-memory malware.
- Restrict Python and automation tools installation on managed devices.
- Monitor for unauthorized ChromeDriver or Selenium activity.
- Warn employees not to trust files even from known WhatsApp contacts.
- Protect the browser profile, since the WhatsApp Web session lives in the browser’s stored session data; browser isolation controls reduce exposure, and unlinking the device from WhatsApp on a suspected-compromised machine invalidates a stolen session.
- Enforce least privilege: users should not have local admin rights.
- Review and tighten banking-related access controls in corporate environments.
- Implement regular cybersecurity training & phishing simulations (training.saintynet.com).
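The monitoring advice above (script hosts launching Python, unauthorized ChromeDriver or Selenium activity, a browser driven against a copied profile) can be expressed as a few process-tree rules. The following is an added example written for this article, not code from K7 Labs or from the campaign itself. The event records, file names and paths are constructed to resemble Sysmon process-creation telemetry; the rule names, the "\AppData\Local\" profile-path heuristic, and the severity labels are assumptions for illustration.

```python
"""Flag process-creation chains matching the WhatsApp-spreading stage:
a VBS script host launching Python, Python driving a WebDriver binary,
and a browser started against a non-standard profile directory.
Event layout and paths are assumptions, not real telemetry."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOMATION_DRIVERS = {"chromedriver.exe", "geckodriver.exe", "msedgedriver.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample events (Sysmon Event ID 1-like fields); not real data.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\invoice.vbs"'},
    {"pid": 300, "ppid": 200, "image": "python.exe",
     "cmdline": "python.exe C:\\Users\\Public\\whats.py"},
    {"pid": 400, "ppid": 300, "image": "chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"pid": 500, "ppid": 400, "image": "chrome.exe",
     "cmdline": "chrome.exe --user-data-dir=C:\\Users\\Public\\profile"},
    # Benign control: a developer running a Selenium test from a terminal.
    {"pid": 600, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": "python.exe",
     "cmdline": "python.exe test_login.py"},
    {"pid": 800, "ppid": 700, "image": "chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9516"},
]


def ancestor_images(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Return lower-cased image names of all known ancestors, nearest first."""
    out, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        out.append(cur["image"].lower())
    return out


def _finding(e: Dict, rule: str, severity: str) -> Dict:
    return {"pid": e["pid"], "image": e["image"], "rule": rule, "severity": severity}


def analyse(events: List[Dict]) -> List[Dict]:
    """Apply the process-chain rules and return one finding per rule hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower() if parent else ""
        from_script_host = any(a in SCRIPT_HOSTS for a in ancestor_images(e["pid"], by_pid))

        # Rule 1: a script host (the VBS stage) directly launching Python.
        if img.startswith("python") and pimg in SCRIPT_HOSTS:
            findings.append(_finding(e, "script-host-launched-python", "high"))

        # Rule 2: a WebDriver binary. Under a script host it is high; a plain
        # Python parent is only informational, since developers do this too.
        if img in AUTOMATION_DRIVERS:
            if from_script_host:
                findings.append(_finding(e, "webdriver-under-script-host", "high"))
            elif pimg.startswith("python"):
                findings.append(_finding(e, "python-launched-webdriver", "low"))

        # Rule 3: browser pointed at a profile directory outside the user's
        # own AppData\Local tree (assumed heuristic for a copied session).
        if img in BROWSERS:
            m = re.search(r'--user-data-dir=("[^"]+"|\S+)', e["cmdline"], re.I)
            if m and "\\appdata\\local\\" not in m.group(1).lower():
                findings.append(_finding(e, "browser-nonstandard-profile-dir", "medium"))

        # Rule 4: the script name reported for this campaign on the command line.
        if re.search(r"\bwhats\.py\b", e["cmdline"], re.I):
            findings.append(_finding(e, "known-script-name", "medium"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] pid={f['pid']:<4} {f['image']:<18} {f['rule']}")
```

The benign control (pids 600 to 800) is there on purpose: Python launching ChromeDriver is routine on a developer workstation, so the rule only escalates when the chain descends from a script host. The profile-directory rule should be tuned to where your fleet's browsers and Selenium temp profiles actually live before it is used for alerting.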
For more global threat trends and previous breach analyses, readers can explore related coverage.
Conclusion: A New Frontier in Social Engineering
This Brazilian WhatsApp-based campaign is a stark reminder that attackers don’t always break in through technical vulnerabilities; sometimes they simply exploit trusted relationships and human behavior.
By combining phishing, automation, and in-memory banking malware, this campaign demonstrates the next evolution of social-engineering attacks. Organizations and users worldwide must remain vigilant, strengthen awareness, and adopt layered defenses to prevent similar threats from spreading across the globe.