Overview
- The campaign starts with ZIP attachments or download links that deliver Windows shortcut (.lnk) files and scripts; opening them installs malware that persists on the desktop machine.
- If WhatsApp Web is active, the malware automatically forwards the malicious file to contacts and groups, driving infection chains and risking suspensions for spam-like behavior.
- Researchers report that the malware monitors browser activity and can overlay fake banking and cryptocurrency login pages to harvest passwords and one-time codes.
- Telemetry shows 457 of 477 detections in Brazil, with language and locale checks indicating deliberate targeting of Brazilian users and organizations.
- Security guidance urges users and administrators to disable automatic media downloads, restrict file transfers on corporate devices, keep endpoints patched, log out of WhatsApp Web when it is not in use, and verify unexpected attachments with the sender through another channel. WhatsApp responded with a general safety statement.
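The delivery stage described above (a ZIP that carries a Windows shortcut or script instead of the document it pretends to be) can be triaged before anyone double-clicks it. The following script is an added example written for this page, not code from the researchers or from WhatsApp: it opens a ZIP in memory and flags members by executable extension, by a decoy double extension such as `.pdf.lnk`, and by the Shell Link file header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to `.pdf` is still caught. The extension lists and the sample archive contents are constructed for the example, not taken from the campaign.

```python
import io
import os
import zipfile

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions Windows executes on double-click (assumed list for this example).
EXEC_EXTS = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
             ".bat", ".cmd", ".ps1", ".exe", ".scr", ".pif"}
# Document/image extensions attackers place before the real one ("Comprovante.pdf.lnk").
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_zip(data: bytes) -> dict:
    """Return {member_name: [reasons]} for every suspicious member of a ZIP held in memory."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = os.path.basename(info.filename)
            root, ext = os.path.splitext(base)
            ext = ext.lower()
            inner_ext = os.path.splitext(root)[1].lower()

            if ext in EXEC_EXTS:
                reasons.append(f"executable extension {ext}")
            if ext in EXEC_EXTS and inner_ext in DECOY_EXTS:
                reasons.append(f"double extension {inner_ext}{ext}")
            if ext == ".zip":
                reasons.append("nested archive")

            # Content check: catches a shortcut even when its extension lies.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head.startswith(LNK_MAGIC):
                reasons.append("content is a Windows shortcut (LNK header)")

            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: decoy-named shortcut, mislabelled shortcut,
    a script, and one clean text file. Shortcut bodies are header plus padding only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Comprovante.pdf", LNK_MAGIC + b"\x00" * 56)  # renamed .lnk
        zf.writestr("config/run.vbs", 'MsgBox "constructed sample"')
        zf.writestr("readme.txt", "nothing here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

This is a triage heuristic for mail gateways or a helpdesk, not a signature for the campaign's malware: a clean archive can legitimately contain a `.lnk`, and a malicious one can carry a nested or password-protected ZIP that the header check never sees, which is why the guidance above pairs attachment checks with disabled auto-downloads and endpoint patching.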