
New Banking Trojan Identified, Distributed Through WhatsApp

· Published 20/11/2025 02:17 · Modified 21/11/2025 01:29


Essential information

Published
20/11/2025 02:17
Modified
21/11/2025 01:29
Tags
2025-11-20 banking trojan brazil credential-theft delphi eternidade stealer imap social engineering whatsapp
Related entities
1 vulnerabilities (cve), 23 observables, 20 techniques (mitre), 1 malware, 3 others

Description

A new banking trojan dubbed Eternidade Stealer has been identified, distributed through WhatsApp hijacking and social engineering. The malware, written in Delphi, uses IMAP to retrieve C2 addresses dynamically. It is spread via a worm campaign that uses a Python script. The attack chain involves an obfuscated VBScript, a batch file, and an MSI installer that deploys the trojan. Eternidade Stealer targets Brazilian victims, checks for specific banking and cryptocurrency applications, and uses sophisticated techniques for credential harvesting and maintaining persistence. The malware communicates with its C2 server using encrypted commands and can deploy fake overlays to steal banking information.

External references