Brazilian Campaign: Spreading the Malware via WhatsApp
Essential information
- Published: 24/11/2025 12:02
- Modified: 21/12/2025 17:59
- Tags: 2025-11-24, autoit, banking trojan, brazil, in-memory execution, phishing, selenium, sorvepotel, water saci, whatsapp
- Related entities: 4 observables, 20 techniques (MITRE), 2 malware, 3 others
Description
A massive phishing campaign targeting Brazil is spreading malware through WhatsApp Web using an open-source browser-automation script and loading a banking trojan into memory. The attack begins with a phishing email carrying a malicious VBS script that downloads and executes an MSI file and a second VBS file. The second VBS installs Python and Selenium, which are used to inject malicious JavaScript into WhatsApp Web; this lets the malware send itself to the victim's contacts, which is how the campaign self-propagates. The MSI file drops an AutoIt script that watches for windows belonging to Brazilian banking and cryptocurrency applications and, when it finds one, decrypts and loads a payload directly into memory so that it never touches disk in clear form, which limits what file-based detection can see. The payload targets specific Brazilian financial institutions and cryptocurrency wallets.