Few attack chains have blended social engineering, browser subversion, and automation as seamlessly as the campaign now roping WhatsApp Web into a high-velocity delivery system for Brazil-focused financial malware, and the trick that makes it sing is deceptively simple: steal an already logged-in session, then let Selenium do the talking while trust does the rest. The operation hinges on a modular pipeline that begins in email but quickly relocates into the browser, where authentication tokens live and users rarely look. By lifting cookies, local storage, and IndexedDB artifacts into a temporary profile and launching Chrome with the user-data-dir flag, the attackers sidestep the QR gate that ordinarily protects WhatsApp Web. From that beachhead, automated outreach sprays malicious ZIP files to a victim’s contacts, seeding further compromises while a memory-only banking trojan lurks for financial activity.
Orchestrated Intrusion Tactics
From Phish to Browser Takeover
The opening move is a phish that does not try to be clever in subject matter but is painstaking in execution. A ZIP file hides a Visual Basic Script whose strings are built character by character and decoded with XOR routines that break signature-based detection. Once launched, that first-stage script pulls in a companion MSI and another obfuscated VBS. These stages lay down a Python runtime alongside ChromeDriver and Selenium, setting the table for scripted browser control. The attackers then copy session data—cookies, local storage entries, and IndexedDB databases—from the victim’s default Chrome profile into a throwaway directory. With a crafted launch of Chrome using the user-data-dir flag, the malware inherits an authenticated WhatsApp Web session without triggering the QR handshake, essentially borrowing the user’s trust token to act in their name at scale.
With a live session in hand, automation becomes the multiplier. The toolchain injects helper JavaScript sourced from public repositories to tap internal WhatsApp Web APIs for contact harvesting and message dispatch. It scrapes the address book, strips groups and known patterns that would raise noise, and composes one-to-one messages that mirror everyday sharing habits. Attached ZIPs carry the same obfuscated launcher that perpetuates the chain, while telemetry—logs, error states, and delivery outcomes—flows back to an attacker-controlled backend. This blend of “living off the browser” and social proximity is potent: recipients see a familiar name and a plausible file, and hesitation fades. Moreover, because the distribution runs through a real user session, rate limits and anomaly detectors on the platform see little that looks overtly malicious in the moment.
Scaling Through Social Trust
The campaign’s reach grows because it weaponizes relationships rather than infrastructure. Instead of blasting from throwaway domains, it drafts ordinary accounts already present in a victim’s social graph, converting each endpoint into a relay point with minimal friction. The scripts choreograph timing, message cadence, and contact selection to avoid obvious spikes, and they adapt to session states, relaunching ChromeDriver when tabs crash or cookies refresh. Meanwhile, exfiltration keeps operators informed about the local environment, including OS details, installed security tools, and messaging outcomes, allowing mid-course corrections without visibly touching the host. In contrast to botnets that broadcast uniformly, this approach drips malware into trusted channels, effectively laundering intent through genuine user identities and normalizing the appearance of malicious attachments.
The WhatsApp angle also rebalances the economics of detection. Security programs tuned to scan email gateways see only the first step; once compromised, the locus of activity shifts to browser automation that looks like routine WebDriver traffic controlling a legitimate app. Because Python, Selenium, and ChromeDriver are ubiquitous in testing and IT workflows, their presence alone raises few flags. The campaign leans on this ambiguity, folding malicious behavior into processes that administrators tolerate and that endpoint tools often under-prioritize. Even the JavaScript layer is careful, using documented objects and query patterns that mirror WhatsApp’s own front-end operations. In short, the attackers do not need an exploit when they can rent the browser, borrow the session, and speak the platform’s native language convincingly.
Monetization and Defensive Pressure
Memory-Resident Trojan and Evasion
Distribution is only half the story; monetization kicks in with a banking trojan tuned to Brazilian institutions and popular crypto services. A separate MSI stage lays down an AutoIt wrapper with encrypted blobs and registry-based persistence, then idles as a watcher. It scans for window titles, URLs, and process metadata tied to bank portals or wallet apps, and when conditions match, it decrypts the payload and injects it directly into memory. No file ever lands on disk during activation, blunting signature engines and thwarting many EDR workflows that key on write events. The trojan then surveils sessions, manipulates overlays, and can hijack transactions, with contingencies for MFA prompts and session timeouts. Its triggers are context-driven, so it remains quiescent outside banking flows, reducing noise and elongating dwell time.
Obfuscation layers reinforce that stealth. Strings remain XOR-encoded until the last responsible moment, imports are resolved dynamically, and function boundaries are smeared to complicate heuristics. The AutoIt script itself doubles as a controller, capable of updating configuration, switching C2 endpoints, or toggling features if defenders close in. Telemetry that rides alongside WhatsApp outreach provides near-real-time feedback on what banks are in use and which security products are installed, enabling the operators to prioritize targets most likely to yield funds. Because the trojan loads in memory and unhooks gracefully when windows close, forensic artifacts are sparse, and incident responders face a reconstruction burden that favors the attacker’s tempo.
Strategic Implications and Mitigation Paths
The campaign illustrated a broader pivot toward hybrid operations that braid email lures, session hijacking, and messaging-platform automation into a single, resilient chain. Bypassing QR authentication was not a zero-day but a procedural sidestep: where tokens live, access follows. That reality put browser-resident data—cookies, local storage, IndexedDB—squarely in the crosshairs, challenging assumptions that two-factor prompts end at the login screen. It also shifted the battleground to client-side controls, where users, test frameworks, and everyday workflows regularly launch Chrome with custom profiles, creating room for malware to hide in plain sight. Moreover, the use of internal Web APIs underscored how front-end architectures can be repurposed against their ecosystems when session context is stolen.
Defenders had actionable levers. Endpoint policies could restrict user-data-dir launches, lock profile directories, and flag rapid WebDriver orchestration tied to consumer apps. Browsers could bind session artifacts more tightly to device secrets and runtime checks, making copies less portable. Messaging platforms could rate-limit attachment sends from newly observed browser fingerprints, probe for automation cues, and prompt lightweight re-verification when contact-level messaging spikes. On hosts, blocking unsigned AutoIt interpreters and monitoring for memory-only module loads increased friction without hindering legitimate work. Finally, security teams that treated messaging clients as high-risk endpoints and applied the same scrutiny used for email gateways stood a better chance of breaking the chain before trust did the attackers’ work.
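As an added illustration of the host-side levers above (the user-data-dir launch described in the phishing chain and the AutoIt blocking called out here), and not code from the report or from any vendor: a small Python classifier over constructed process-creation events that flags a Chrome start carrying --user-data-dir pointed at a temp directory under a ChromeDriver or Python parent, and an unsigned AutoIt interpreter start. The event field names, file paths, and the "signed" attribute are assumptions about what an endpoint sensor would provide.

```python
# Added example (not from the original report): classify process-creation
# events for the two behaviours the report describes, a throwaway Chrome
# profile driven by WebDriver/Python and an unsigned AutoIt interpreter.
import re

# Constructed sample events in a Sysmon-like shape; all paths are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --profile-directory=Default', "signed": True},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\chromedriver.exe",
     "cmdline": r'"chrome.exe" --user-data-dir=C:\Users\alice\AppData\Local\Temp\tmp8x2q', "signed": True},
    {"image": r"C:\Users\alice\AppData\Roaming\svc\AutoIt3.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"AutoIt3.exe loader.a3x", "signed": False},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\dev\venv\Scripts\python.exe",
     "cmdline": r'"chrome.exe" --user-data-dir=C:\Users\alice\dev\selenium-profile', "signed": True},
]

AUTOMATION_PARENTS = ("chromedriver.exe", "python.exe", "pythonw.exe")
USER_DATA_DIR = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.I)
TEMP_DIR = re.compile(r"\\(?:Temp|Tmp)\\", re.I)   # profile placed under a temp folder


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the finding labels raised by one process-creation event."""
    findings = []
    image, parent = _basename(event["image"]), _basename(event["parent"])
    m = USER_DATA_DIR.search(event["cmdline"])
    if image == "chrome.exe" and m:
        profile = m.group(1) or m.group(2)
        driven = parent in AUTOMATION_PARENTS
        if driven and TEMP_DIR.search(profile):
            # Matches the report's pattern: copied session, temp profile, WebDriver parent.
            findings.append("chrome_temp_profile_under_webdriver")
        elif driven:
            # Common in legitimate test rigs; surface at low severity for context.
            findings.append("chrome_custom_profile_under_webdriver")
    if image == "autoit3.exe" and not event["signed"]:
        findings.append("unsigned_autoit_interpreter_start")
    return findings


def scan(events):
    """Pair each event index with every finding it raises."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]
```

Run against a real sensor feed, the low-severity label is where an allow-list for known test hosts belongs; the temp-profile label is the one worth alerting on.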
