There’s a new cyber threat making the rounds on WhatsApp, and it’s nastier than usual. Security researchers have discovered a WhatsApp Worm Banking Malware that sneaks through chat messages, steals banking information, and even spreads to your friends automatically.
It started in Brazil but is already being watched closely worldwide. The scary part? The attack looks completely normal until it’s too late.
How the Infection Starts
Everything begins with what looks like an innocent message on WhatsApp Web. You might get a note from someone you know, sharing a ZIP file and saying it must be opened on a computer. Since it comes from a real contact, most people don’t think twice.
Once that file is unzipped, though, it quietly runs a Windows shortcut that fires up a hidden PowerShell script. That script reaches out to remote servers and starts pulling down more malware.
Why It Spreads So Easily
This worm relies on one thing — trust. Because it uses your own WhatsApp account to send messages to friends, it feels legitimate. After infecting a new system, it automatically forwards the same ZIP file to all of your contacts. Within hours, entire groups or office networks can be hit. It’s social engineering at its best — or worst, depending on how you look at it.
How It Stays Hidden
Researchers say this malware is unusually advanced for something spreading on a chat app. The PowerShell code is disguised so that security software can’t recognize it easily.
It even changes a few Windows security settings, turning off things like User Account Control and creating exclusions in Microsoft Defender. These tweaks let the malware work quietly in the background without showing pop-ups or warnings.
The Layers Behind the Attack
This infection doesn’t just drop one file and disappear — it comes in stages.
- The victim opens the ZIP file and triggers a hidden PowerShell command.
- The command connects to websites such as zapgrande[.]com and sorvetenopote[.]com to fetch more code.
- Depending on what system it finds, it installs either a browser automation tool or a banking trojan called Maverick.
That combination lets it both spread further and start stealing sensitive information at the same time.
How It Steals Your Data
Once active, the Maverick trojan watches your web browser. When you log into a bank account or crypto exchange, it quietly captures usernames, passwords, and tokens.
The other payload, which uses Selenium automation, takes control of your WhatsApp Web session to send more messages on its own. Basically, it turns your computer into a delivery system for the next attack.
Why Brazil Is Being Targeted
Most of the early infections have shown up in Brazil. The comments in the code and the list of banking websites being monitored point directly to that region. Local cybersecurity firms say over 400 companies and 1,000 computers have already been affected. Since Brazilian banks rely heavily on online transactions, the payoff for the attackers can be huge.
Who Might Be Behind It
Experts from Sophos believe the attackers are well-organized and have strong technical backgrounds. They understand Windows internals, PowerShell scripting, and browser automation. The way the malware avoids detection and controls multiple payloads at once suggests that this isn’t a beginner’s project — it’s likely backed by an experienced cybercrime group that focuses on financial theft.
How to Protect Yourself
1. Don’t open strange attachments
If someone sends a ZIP file through WhatsApp, double-check before opening it — even if it’s a friend. Hackers depend on that trust.
2. Keep everything updated
Install updates for Windows, PowerShell, and your antivirus software. Most worms succeed because systems are outdated.
3. Turn on multi-factor authentication
Use MFA for your banking and crypto accounts. It adds a second lock, even if your password gets stolen.
4. Watch for odd behavior
Slow performance, unexpected PowerShell windows, or disabled antivirus tools are warning signs that something’s off.
Teach your coworkers and family about these scams. Awareness is often the best defense.
Red Flags to Look For
- Messages you never sent appearing in WhatsApp chats.
- Security tools like Microsoft Defender suddenly turned off.
- Connections to unknown domains.
- Pop-ups asking for extra permissions when opening files.
If you see any of these, unplug from the internet and run a full system scan right away.
How Experts Are Fighting Back
Teams from Sophos, Kaspersky, and other cybersecurity firms are tracing the servers and code patterns behind the WhatsApp Worm Banking Malware. They’re sharing threat indicators so companies can block the related domains. Security analysts also recommend limiting PowerShell access, using EDR tools, and educating users to avoid suspicious links.
Final thoughts
The WhatsApp Worm Banking Malware is proof that cybercriminals are getting better at mixing social tricks with technical skill. By turning trusted chat app into a delivery system, they’ve created a threat that feels almost personal.
Staying safe now means slowing down, thinking twice before opening files, and keeping your system patched. The more cautious we are today, the fewer victims there will be tomorrow.
