Redazione RHC : 14 October 2025 07:20

Sophos analysts have discovered a complex malware operation that uses the popular messaging service WhatsApp to spread banking Trojans, targeting Brazilian banks and cryptocurrency exchanges. The self-replicating malware emerged on September 29, 2025, featuring advanced evasion techniques and a complex, multi-stage infection chain designed to bypass current security protections. The attack campaign had a widespread impact, affecting more than 1,000 endpoints across over 400 customer environments, demonstrating the effectiveness and vast reach of the threat.

The attack occurs when victims download a malicious ZIP archive via WhatsApp Web from a previously infected contact. The social engineering component is particularly clever: the message claims that the attached content can only be viewed on a computer, thus tricking recipients into downloading and running the malware on desktop systems rather than mobile devices. This tactical approach allows the malware to operate in a stable environment and fully activate its payload capabilities.

While investigating several incidents in Brazil, Sophos analysts discovered the complex infection mechanism used by the malware. The malware begins execution with a malicious Windows LNK file hidden within the ZIP archive. Once executed, the LNK file contains an obfuscated Windows