Hackers Leveraging WhatsApp That Silently Harvest Logs and Contact Details

Brownie2019

Mar 9, 2019
A new malware campaign targeting Brazilian users has emerged, using WhatsApp as its primary distribution channel to spread banking trojans and harvest sensitive information.
This sophisticated attack leverages social engineering by exploiting the trust victims place in their existing contacts, making the malicious files appear legitimate.
The campaign begins with phishing emails containing archived VBS scripts that employ advanced obfuscation techniques to evade detection by security software.
Once the initial payload runs, it downloads and installs Python and the Selenium WebDriver components, enabling automated interaction with WhatsApp Web.
The malware then injects malicious JavaScript code into the victim’s browser session, accessing WhatsApp’s internal APIs to enumerate contacts and distribute payloads.
This approach allows attackers to spread the infection without requiring QR code authentication: existing logged-in sessions are hijacked by copying browser cookies and local storage data.
Read more here:
This is a good find and a worrying but very realistic attack chain, especially for regions where WhatsApp is heavily used for everyday communication and banking.

What this campaign is doing (based on your quote)
In simplified steps:

  • Victims receive phishing emails with archived VBS scripts (for example, .zip containing .vbs).
  • The VBS script is heavily obfuscated to evade detection and make manual analysis harder.
  • Once executed, it downloads and installs Python + Selenium WebDriver on the system.
  • Using Selenium, it automates the victim’s browser and hijacks their existing WhatsApp Web session.
  • The malware injects malicious JavaScript into the browser session, using WhatsApp’s internal APIs to:
    • Enumerate contacts
    • Send out malicious messages/files to those contacts
  • By copying cookies and local storage data, it avoids the QR-code step — it just rides on an already logged-in WhatsApp Web session.

The key thing: malicious messages appear to come from a trusted contact, and there is no new login warning on the phone because the existing web session is simply abused.

Why this is particularly dangerous

  • Messages come from real contacts → users are much more likely to click/open.
  • The initial infection is via email and script execution, where many people still run attachments “because it looks work-related.”
  • Using Python + Selenium gives attackers flexibility and makes behavior look like “normal browsing” at a low level.
  • Hijacking existing sessions via cookies means no additional user action is needed – once infected, the spreading is largely automated.

How to reduce the risk (prevention tips)

1. Be extremely careful with script-based attachments
  • Treat .vbs, .js, .wsf, .ps1 and similar files as high risk.
  • Be suspicious of ZIP/RAR/7z attachments from:
    • Unknown senders
    • Known senders but unexpected content (“open this script”, “run this to view your invoice/report/payroll”)
  • Make sure file extensions are visible in Windows, so something like “Document.pdf.vbs” is obvious.

2. Harden script execution where possible
If this is a home PC and you don’t legitimately need Windows scripting:

  • Consider disabling Windows Script Host (WSH) so .vbs/.js scripts can’t run easily.
  • On more advanced setups, use:
    • Software Restriction Policies or AppLocker (Pro/Enterprise)
    • Windows 11 Smart App Control if available
  • Restrict PowerShell and script interpreters to admin accounts if you can.

3. WhatsApp / browser hygiene
  • Regularly check “Linked devices” in WhatsApp and log out of all sessions you don’t recognize.
  • Avoid leaving WhatsApp Web logged in on:
    • Shared PCs
    • Work PCs you don’t fully control
  • Consider using a separate browser profile (or a dedicated browser) just for WhatsApp Web. That keeps cookies and local storage more isolated.
  • If you notice odd WhatsApp behavior (contacts saying “you sent me something strange”), log out of all devices immediately and re-authenticate only from your own phone.

4. General security hygiene
  • Keep your OS and browser fully updated.
  • Use a reputable security suite or at least keep Microsoft Defender fully enabled and updated.
  • Enable SmartScreen/URL filters in your browser.
  • Be cautious about entering banking credentials from links in WhatsApp or email. Prefer typing the bank URL directly or using official apps.

If you think you (or someone you know) might be infected

  • Disconnect from the internet (at least temporarily: disable Wi-Fi/unplug cable).
  • Run a full system scan with:
    • Microsoft Defender, and optionally
    • Another reputable on-demand scanner (e.g. Kaspersky, ESET, Bitdefender, Malwarebytes).
  • Check WhatsApp on your phone:
    • Open Linked devices → log out of all sessions.
  • Change passwords for:
    • Email accounts used for banking/logins
    • Online banking and payment services
  • If banking data might be compromised, contact your bank’s fraud department and monitor transactions.
  • If the system shows persistent signs of compromise, consider a full backup of important data and a clean OS reinstall.

If you’re worried about a specific file or email you received, it’s best not to open it at all. You can:

  • Upload it to VirusTotal (stripped of any personal/sensitive data) for a multi-engine check.
  • Post details (without sensitive info) in the Malware Removal Assistance or relevant forum section so members can guide you through proper diagnostics.

If you have details about a suspicious message or sample (minus personal info), feel free to share them and I can suggest more targeted next steps.
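A small attachment-triage script for the delivery pattern discussed in the thread (archived script files and double extensions like “Document.pdf.vbs”). This is an added example, not code from the thread or from any vendor report: it inspects a ZIP attachment in memory, walks nested archives, and reports embedded script files, decoy double extensions, encrypted members it cannot open, and oversized members it refuses to expand. The extension lists extend the reply's “.vbs, .js, .wsf, .ps1 and similar” with a few other well-known Windows script types (my addition); only .zip is parsed because that is what the standard library supports, while .rar/.7z would need third-party libraries. The sample archive is constructed inline and contains only harmless placeholder text.

```python
"""Attachment triage for the "archived script file" delivery pattern.

Added example (not from the original thread). Flags script files and
double extensions inside a ZIP attachment, recursing into nested ZIPs.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Script types the reply calls high risk (.vbs/.js/.wsf/.ps1) plus other
# Windows Script Host / shell types; the extras are this example's addition.
SCRIPT_EXTENSIONS = {".vbs", ".js", ".wsf", ".ps1", ".vbe", ".jse", ".hta", ".bat", ".cmd"}
# Document/image extensions typically used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to expand very large members (zip-bomb guard)
MAX_DEPTH = 3                        # nested archives deeper than this are reported, not opened


@dataclass
class Finding:
    path: str    # e.g. "invoice.zip!Document.pdf.vbs" (archive members joined with "!")
    reason: str


def extensions_of(name: str) -> List[str]:
    """'Document.pdf.vbs' -> ['.pdf', '.vbs'] (lowercased, basename only)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the file name alone is suspicious, else None."""
    exts = extensions_of(name)
    if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
        return None
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return f"double extension: displays as {exts[-2]} but executes as {last}"
    return f"script file ({last})"


def triage_attachment(display_path: str, name: str, data: bytes, depth: int = 0) -> List[Finding]:
    """Classify one attachment by name and, if it is a ZIP, walk its members."""
    findings: List[Finding] = []
    reason = classify_name(name)
    if reason:
        findings.append(Finding(display_path, reason))
    if extensions_of(name)[-1:] != [".zip"]:
        return findings
    if depth >= MAX_DEPTH:
        findings.append(Finding(display_path, "nested archive too deep; not expanded"))
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(Finding(display_path, "named .zip but not a valid ZIP"))
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner_path = f"{display_path}!{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                # Password-protected archives defeat content scanning; still check the name.
                findings.append(Finding(inner_path, "encrypted member; contents not inspectable"))
                inner_reason = classify_name(info.filename)
                if inner_reason:
                    findings.append(Finding(inner_path, inner_reason))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(Finding(inner_path, "member exceeds size cap; not expanded"))
                continue
            findings.extend(triage_attachment(inner_path, info.filename, archive.read(info), depth + 1))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real campaign file): a ZIP holding a decoy text
    file, a double-extension .vbs, and a nested ZIP containing a .js file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.js", "// harmless placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "invoice attached\n")
        zf.writestr("Document.pdf.vbs", "' harmless placeholder\n")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_attachment("invoice.zip", "invoice.zip", build_sample_attachment()):
        print(f"{f.path}: {f.reason}")
```

Run on the constructed sample it reports the double-extension VBS and the .js hidden one archive level down; the plain readme.txt produces nothing. The encrypted-member branch matters in practice because password-protected archives are a common way to keep gateway scanners from seeing the script, so a name-only finding plus the “not inspectable” note is the honest result rather than a silent pass.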