CyberWire Daily: Research Saturday – “Stealer in the status bar”
Date: February 14, 2026
Host: Dave Bittner (N2K Networks)
Guest: Ziv Mador, VP of Security Research at Level Blue Spider Labs
Main Topic: Discovery and analysis of a new banking Trojan, “Eternidad Stealer,” distributed via WhatsApp and targeting Brazilian users.
Overview
This episode of Research Saturday focuses on the identification and technical breakdown of a newly observed banking Trojan dubbed “Eternidad Stealer.” Host Dave Bittner discusses with Ziv Mador from Level Blue Spider Labs the infection chain, technical peculiarities, targets, and broader implications of this malware campaign—particularly notable for its abuse of WhatsApp as an initial vector and its focus on Portuguese-language Windows systems.
Key Discussion Points & Insights
1. Discovery and Initial Investigation
- Unusual PowerShell Activity:
The malware was discovered after suspicious PowerShell script execution was detected in a client’s environment, prompting a deeper investigation.
“Someone was trying to run some PowerShell script in the environment of one of our clients and that triggered our attention... that investigation eventually led to the discovery of this banking Trojan which we dubbed ‘Eternidad.’”
— Ziv Mador (02:03)
2. Distribution and Targeting
- WhatsApp-based Social Engineering:
- The primary distribution vector is personalized phishing messages delivered over WhatsApp. Because the lure is a Windows VBS file, it only pays off when the recipient opens it on a desktop, which in practice means through WhatsApp Web.
- The campaign targets only Portuguese-language Windows systems, mainly Brazilian users, but potentially also Brazilian expatriates whose machines are set to Portuguese.
- Personalization and Execution:
- Messages include the victim’s name and an appropriately timed greeting.
- Victims are coaxed into clicking a malicious VBS file, which runs only on desktop systems (not mobile).
“The message, first of all, is personalized... there’s a link to a VBS file. That file will run only if it’s a desktop, not a cellular phone... so usually it will execute only on WhatsApp Web.”
— Ziv Mador (03:57)
3. Technical Workflow & Payloads
- Infection Chain:
- Victim receives a targeted WhatsApp message.
- On execution, the VBS downloads a batch file and the main payloads.
- Two payloads:
- The Worm: Written in Python, it reads the victim’s WhatsApp contact list, sends that list to the attacker, and then messages each contact with the same personalized lure so the infection spreads through trusted relationships.
- Banking Trojan: Remains dormant until a banking or crypto site is accessed; then triggers its credential-stealing mechanisms.
- Scope: Nearly one million contacts harvested from around 10,000 infections so far.
“…nearly a million contacts being sent to the attacker from about 10,000 infected clients.”
— Ziv Mador (04:36)
4. Banking Trojan Characteristics
- Targeted Institutions:
The Trojan wakes up only when the user visits one of a list of roughly 15 Brazilian and Argentinian banks and 17 to 18 cryptocurrency services.
“They try to capture the credentials and send them to the attacker. And the rest is quite clear. What’s the intent of the attacker?”
— Ziv Mador (05:44)
- Dormant Until Needed:
- The malware stays inactive until the victim reaches a targeted site, which keeps its runtime footprint small and makes it harder to detect.
- It also gates itself on locale, running only on Windows installations set to Portuguese.
5. Technical Novelty & Infrastructure
- Use of Multiple Languages:
- The campaign uses both Delphi and Python: Delphi because the authors of this family of Brazilian banking malware have traditionally worked in it, and Python as a modern, capable scripting tool for the worm component.
“Typically it’s for people who are experienced with Delphi... but we certainly see other languages being used as well.”
— Ziv Mador (08:33)
- Command & Control via IMAP:
- Rather than a typical HTTP(S) channel, the malware talks to its operators through IMAP, the mail-retrieval protocol, using attacker-controlled mailboxes. To a network monitor the sessions look like an ordinary mail client checking email, so they are easier to miss than beaconing to an unfamiliar web host.
“The use of the IMAP protocol... is unusual, so we pointed that out in the blog.”
— Ziv Mador (09:42)
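As an added example that is not part of the episode or of Level Blue Spider Labs’ research, the Python script below shows the two host-side checks a defender would want for the chain described in sections 3 and 5: a script host (wscript.exe or cscript.exe) launched with a script from a user-writable path that ends up spawning cmd.exe or powershell.exe, and a process other than an allowlisted mail client opening an IMAP connection (TCP 143 or 993). The event schema, the mail-client allowlist, and every path, PID and address in the sample events are constructed for this example; none of them are indicators from the campaign.

```python
"""Host-side detection heuristics for an Eternidad-style infection chain.

Added example, not code from the podcast or from Level Blue Spider Labs.
Two checks are run over Sysmon-like events (constructed schema):
  1. a script host (wscript.exe / cscript.exe) started with a script from a
     user-writable path that has cmd.exe / powershell.exe as a descendant;
  2. a process that is not an allowlisted mail client opening an IMAP
     connection (TCP 143 or 993), the channel the Trojan uses for C2.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: tune per site
IMAP_PORTS = {143, 993}
# Script launched from a profile or temp directory rather than SYSVOL/Program Files
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|downloads)\\", re.IGNORECASE)
MAX_DEPTH = 3  # ancestors to walk; VBS -> cmd -> powershell is depth 2


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule, pid, detail), ...] for a chronological list of event dicts."""
    procs = {}   # pid -> process_create event, so children can find ancestors
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            if basename(ev["image"]) not in SHELLS:
                continue
            # Walk up the process tree looking for a script host that was
            # started with a script from a user-writable location.
            ppid, depth = ev["ppid"], 0
            while ppid in procs and depth < MAX_DEPTH:
                parent = procs[ppid]
                if (basename(parent["image"]) in SCRIPT_HOSTS
                        and USER_WRITABLE.search(parent["cmdline"])):
                    alerts.append(("script_host_spawns_shell", ev["pid"], parent["cmdline"]))
                    break
                ppid, depth = parent["ppid"], depth + 1
        elif ev["type"] == "network_connect":
            image = basename(ev["image"])
            if ev["dst_port"] in IMAP_PORTS and image not in MAIL_CLIENTS:
                alerts.append(("imap_from_non_mail_client", ev["pid"],
                               f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


# Constructed sample events; paths, PIDs and addresses are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Stage 1: user opens the VBS lure downloaded from WhatsApp Web
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\arquivo.vbs"'},
    # Stage 2: VBS runs a batch file, which in turn runs PowerShell
    {"type": "process_create", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\ana\AppData\Local\Temp\run.bat"},
    {"type": "process_create", "pid": 202, "ppid": 201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\ana\AppData\Local\Temp\stage.ps1"},
    # Benign: domain logon script from SYSVOL also spawns cmd.exe (no alert)
    {"type": "process_create", "pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp.example\SYSVOL\corp.example\scripts\logon.vbs"},
    {"type": "process_create", "pid": 301, "ppid": 300,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net use"},
    # IMAP from a Python interpreter in the user profile versus from Outlook
    {"type": "network_connect", "pid": 500,
     "image": r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
     "dst_ip": "203.0.113.10", "dst_port": 993},
    {"type": "network_connect", "pid": 600,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.20", "dst_port": 993},
    {"type": "network_connect", "pid": 700,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.30", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<4} {detail}")
```

Run as a script it prints three alerts for the constructed events: the cmd.exe and powershell.exe stages of the VBS chain, and the Python interpreter talking IMAP. In practice `detect` would be fed Sysmon event ID 1 and 3 records (or the EDR equivalent) and the mail-client allowlist tuned to what the site actually runs. The ancestor walk matters because the VBS reaches PowerShell through an intermediate batch file, so a rule that only inspects the direct parent would miss the final stage.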
6. Threat Actor OpSec Observations
- Weak Security on C2 Accounts:
- Researchers found that some attacker email accounts had no two-factor authentication; Level Blue was able to log in and observe exfiltrated data.
“We’re able to see the emails sent by the malware... That allowed us to get leads... We’re working with law enforcement.”
— Ziv Mador (10:28)
7. Credential Theft Technique
- Overlay Attacks:
- The Trojan draws fake “overlay windows” that imitate the legitimate banking site over the victim’s real session and harvests whatever the user types into them. A visually convincing replica is enough to fool most users.
“...they open artificial or fake windows that look very much like the bank site... By using that method, they can steal those details.”
— Ziv Mador (11:13)
8. Attribution and Threat Assessment
- Working with Law Enforcement:
- The team is collaborating with authorities but cannot publicly attribute the threat actor yet.
- Sophistication Level:
- The campaign is considered “average” in technical complexity, but sophisticated in social engineering and operational coverage.
“Running malware campaigns is fairly complicated... but the level of creativity and the level of technicality we see here is fairly average.”
— Ziv Mador (12:21)
9. Defense and Recommendations
- User Vigilance:
- Be highly skeptical of unexpected messages or files from any channel, even from known contacts.
- Indicators of Infection:
- Watch for unusual banking site behaviors or unfamiliar pop-ups.
- General Best Practices:
- Use updated antivirus, enable two-factor authentication, and keep software patched.
“...be very cautious about messages you get... Use your judgment... All those measures will help you... reduce the risk to a minimum.”
— Ziv Mador (12:58)
Notable Quotes & Memorable Moments
- On Contact Harvesting:
“Nearly a million contacts being sent to the attacker from about 10,000 infected clients.”
— Ziv Mador (04:36)
- On Command-and-Control Innovation:
“The use of the IMAP protocol…is unusual…”
— Ziv Mador (09:42)
- On Overlay Attacks for Credential Theft:
“…they open artificial or fake windows that look very much like the bank site…”
— Ziv Mador (11:13)
- On Campaign Sophistication:
“The level of technicality we see here is fairly average to other malware campaigns.”
— Ziv Mador (12:21)
Important Timestamps
- 02:03 — Discovery and initial PowerShell incident
- 03:57 — Infection chain: personalized WhatsApp phishing, desktop focus
- 04:36 — Scale of data exfiltration (contacts)
- 05:44 — Breadth of targeted banks and crypto services
- 08:33 — Use of Delphi and transition to Python
- 09:42 — Command and control via IMAP
- 10:28 — Observing attacker’s emails, cooperation with law enforcement
- 11:13 — Explanation of overlay attack technique
- 12:21 — Assessment of technical sophistication
- 12:58 — Key recommendations for protection
Summary in Context
This research-driven episode details the evolving nature of social engineering threats, showing how attackers combine personalized phishing, propagation through trusted networks (a victim’s WhatsApp contacts), and context-aware malware activation for financial credential theft. The attackers’ use of a familiar messaging platform and tight localized targeting illustrates the increasing precision of cybercrime operations, while the research underscores the importance of both end-user vigilance and up-to-date technical safeguards.