In this part of the “Hunting Infostealers” series, we explore the growing abuse of trusted communication services and software ecosystems—including messaging platforms like WhatsApp and seemingly benign PDF converter tools—to propagate malware and deploy credential stealers such as Eternidade Stealer, lowering user suspicion and complicating detection. Throughout the blog, we map observed activity to Microsoft Defender XDR coverage and provide actionable guidance to help organizations detect, mitigate, and respond to infostealers.
Platform Abuse (WhatsApp, PDF Converters)
Since late 2025, platform abuse has become an increasingly prevalent tactic in the modern threat landscape, wherein adversaries deliberately exploit the legitimacy, scale, and user trust associated with widely used applications and services. By weaponizing platforms such as WhatsApp and seemingly benign PDF conversion tools, threat actors are able to disguise malicious activity within normal user behavior, enabling efficient malware delivery, lateral propagation, and evasion of traditional security controls.
WhatsApp Abused to Deliver Eternidade Stealer
During the third week of November 2025, Microsoft Defender Experts (DEX) identified a WhatsApp platform abuse campaign that leverages a multi-stage infection chain and worm-like propagation techniques to distribute malware. The activity begins with the execution of an obfuscated Visual Basic script, which drops a malicious batch file that launches multiple PowerShell instances to download additional payloads from adversary-controlled command-and-control domains. These payloads include a Python script responsible for WhatsApp Web–based dissemination of the malware in a worm-like manner, as well as a malicious MSI installer that ultimately delivers the Eternidade Stealer. To ensure successful execution, the batch script also installs the required Python dependencies on the compromised system.
The Python script establishes communication with a remote server and leverages the open-source project WPPConnect to automate message sending from hijacked WhatsApp accounts. As part of this process, it harvests the victim’s entire contact list while filtering out groups, business contacts, and broadcast lists. The malware then collects, for each contact, the associated WhatsApp phone number, name, and an indicator showing whether the contact is saved. This information is exfiltrated to an attacker-controlled server via an HTTP POST request. In the final stage of this propagation mechanism, the malware sends a malicious attachment to all harvested contacts, using a predefined messaging template populated with time-based greetings and contact names to increase the likelihood of interaction.
The malicious MSI installer drops several components, including encrypted payload files with .dmp and .tda extensions, an AutoIt executable, and a script loader disguised as a .log file. Despite its benign appearance, the .log file functions as an AutoIt-based malicious script that conducts environment reconnaissance, performs anti-detection checks, and loads payloads in memory using large hex-encoded binary blobs to initialize native components. The encrypted .tda file acts as an injector and employs a process hollowing technique to execute the final payload. Specifically, the injector reads the .dmp file, decrypts the embedded payload, and injects the Eternidade Stealer into svchost.exe, allowing the malware to run stealthily under the guise of a trusted system process.
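The loader described above is an AutoIt script stored under a .log extension that carries large hex-encoded blobs. A content-based check catches that disguise regardless of filename. The following is an added example, not code from the Microsoft report or from the malware: it flags text files whose extension says "log" (or another non-script type) but whose content shows AutoIt syntax plus an unusually long hex literal. The marker list and the size thresholds are my own assumptions, and the sample file contents are constructed and inert.

```python
"""Added example (not from the Microsoft report): heuristic for script
loaders hidden behind a non-script extension, such as an AutoIt script
saved as a .log file that embeds large hex-encoded binary blobs.

Assumptions (mine, not the report's): the AutoIt marker list, the
256-hex-digit blob threshold, and the sample contents below."""
import re
from pathlib import PureWindowsPath

# Extensions under which a script would not normally be stored.
NON_SCRIPT_EXTS = {".log", ".txt", ".dat", ".tmp"}

# AutoIt syntax and library calls commonly seen in script loaders (assumed list).
AUTOIT_MARKERS = ("Func ", "EndFunc", "DllStructCreate", "DllStructSetData",
                  "DllCall", "BinaryToString", "#NoTrayIcon", "Local $")

# A run of 256+ hex digits (optionally 0x-prefixed): far longer than any
# hash or GUID a genuine log file would contain.
HEX_BLOB = re.compile(r"(?:0x)?[0-9A-Fa-f]{256,}")


def inspect_text_file(filename: str, content: str) -> dict:
    """Score one text file: disguised extension + AutoIt markers + hex blob size."""
    ext = PureWindowsPath(filename).suffix.lower()
    markers = [m for m in AUTOIT_MARKERS if m in content]
    longest = 0  # size in bytes of the largest hex blob found
    for match in HEX_BLOB.finditer(content):
        digits = match.group(0)
        if digits.lower().startswith("0x"):
            digits = digits[2:]
        longest = max(longest, len(digits) // 2)
    disguised = ext in NON_SCRIPT_EXTS
    return {
        "file": filename,
        "disguised_extension": disguised,
        "autoit_markers": markers,
        "largest_hex_blob_bytes": longest,
        # Two or more AutoIt markers plus at least 128 bytes of embedded hex
        # inside a non-script extension is the combination worth triaging.
        "suspicious": disguised and len(markers) >= 2 and longest >= 128,
    }


# Constructed sample: an inert AutoIt-looking skeleton with a 300-byte hex blob.
SUSPICIOUS_SAMPLE = (
    "#NoTrayIcon\n"
    + "Func _Init()\n"
    + '    Local $sBlob = "0x' + "AB" * 300 + '"\n'
    + '    Local $tBuf = DllStructCreate("byte[4]")\n'
    + "EndFunc\n"
)

# Constructed sample: an ordinary application log with a 64-digit checksum.
BENIGN_SAMPLE = (
    "2025-11-20 10:15:02 INFO service started\n"
    "2025-11-20 10:15:03 INFO checksum " + "deadbeef" * 8 + "\n"
)

if __name__ == "__main__":
    for name, body in ((r"C:\Users\victim\AppData\Local\Temp\app.log", SUSPICIOUS_SAMPLE),
                       (r"C:\logs\service.log", BENIGN_SAMPLE)):
        print(inspect_text_file(name, body))
```

Run it over files collected from the MSI drop location; the result dictionary keeps the evidence (which markers matched, how large the blob is) so an analyst can judge borderline hits rather than trusting a single boolean.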
Eternidade Stealer, a Delphi-based credential stealer, continuously monitors active windows and running processes for strings associated with banking portals, payment services, and cryptocurrency exchanges and wallets. These include, but are not limited to, Bradesco, BTG Pactual, MercadoPago, Stripe, Binance, Coinbase, MetaMask, and Trust Wallet, highlighting its focus on harvesting sensitive financial and cryptocurrency-related information.
[Figure: WhatsApp Abuse to Deliver Eternidade Stealer attack chain]
Malicious Crystal PDF installer campaign
In late September 2025, Microsoft Defender Experts (DEX) discovered a malicious campaign conducted by an unknown threat actor centered on an application masquerading as a PDF editor named Crystal PDF. The campaign leveraged malvertising and search engine optimization (SEO) poisoning techniques, using misleading advertisements to lure users into downloading a malicious payload.
The attack chain begins when a user clicks the download button for the PDF editor on crystalpdf[.]com. The request is redirected to one of two actor-controlled domains, from which the CrystalPDF.exe payload is downloaded. Users most likely arrived at this website through deceptive advertisements distributed via Google Ads, which served as the primary lure for the campaign. Microsoft suspects that Google Ads were used based on the URL format observed in telemetry: hxxps://smartdwn[.]com/download?v=<GUID>&campaign_id=<ID#>&utm_source=google_b2b&subid=<domainSource>&kw=true&gad_source=5&gad_campaignid=<ID#>&gclid=<>.
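The Google Ads inference above rests on the tracking parameters in the download URL (utm_source=google_b2b, gad_source, gad_campaignid, gclid). The following is an added example, not code from the Microsoft report: it refangs indicators written in the report's defanged form (hxxps, [.]) and pulls those attribution parameters out of proxy-log URLs so ad-attributed installer downloads can be triaged. The smartdwn[.]com host and parameter names come from the URL format quoted above; the parameter values and the other hostnames are constructed placeholders.

```python
"""Added example (not from the Microsoft report): enrich download URLs with
paid-ad click attribution, starting from defanged indicator text.

Assumptions (mine): the sample log URLs below are constructed; only the
smartdwn[.]com host and the parameter names are taken from the report."""
from urllib.parse import urlsplit, parse_qs

# Query parameters Google Ads appends to a click-through.
AD_CLICK_PARAMS = ("gclid", "gad_source", "gad_campaignid")


def refang(indicator: str) -> str:
    """Reverse common defanging so the URL parses: hxxp(s) -> http(s), [.] -> ."""
    out = indicator.strip()
    if out.lower().startswith("hxxp"):
        out = "htt" + out[3:]  # hxxps:// -> https://, hxxp:// -> http://
    return out.replace("[.]", ".").replace("(.)", ".")


def ad_attribution(url: str) -> dict:
    """Summarise where a URL points and whether it carries ad-click attribution."""
    parts = urlsplit(refang(url))
    # keep_blank_values so an empty gclid= still counts as present.
    qs = parse_qs(parts.query, keep_blank_values=True)
    wanted = AD_CLICK_PARAMS + ("utm_source", "campaign_id")
    found = {k: qs[k][0] for k in wanted if k in qs}
    google_utm = found.get("utm_source", "").lower().startswith("google")
    return {
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "ad_click": any(k in found for k in AD_CLICK_PARAMS) or google_utm,
        "params": found,
    }


def flag_ad_attributed_downloads(urls) -> list:
    """Return hosts (in log order) serving a 'download' endpoint reached via an ad click."""
    hits = []
    for url in urls:
        info = ad_attribution(url)
        if info["ad_click"] and info["path"].rstrip("/").endswith("download"):
            hits.append(info["host"])
    return hits


# Constructed proxy-log URLs. Entry 0 mirrors the report's URL format with
# placeholder values; the remaining hosts are made up for contrast.
SAMPLE_URLS = [
    "hxxps://smartdwn[.]com/download?v=11111111-2222-3333-4444-555555555555"
    "&campaign_id=0001&utm_source=google_b2b&subid=example.test&kw=true"
    "&gad_source=5&gad_campaignid=0002&gclid=constructed",
    "https://downloads.example.test/download?v=42",            # direct, no ad params
    "https://news.example.test/article?gclid=constructed2",    # ad click, not a download
    "hxxp://cdn.example[.]test/files/download/?utm_source=google_ads",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(ad_attribution(u))
    print("ad-attributed download hosts:", flag_ad_attributed_downloads(SAMPLE_URLS))
```

The host list this returns is a pivot, not a verdict: an ad-attributed executable download is expected for legitimate vendors too, so the next step is to check the returned hosts against the organization's approved software sources.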
When CrystalPDF.exe is downloaded and executed on the device, it performs several actions to establish persistence and enable further activity. A copy of the CrystalPDF.exe payload is created in the AppData\Local\Temp\crys directory, and a malicious scheduled task is created to ensure continued execution on the compromised device. In addition, a second binary named Crystal PDF.exe (note the space in the filename) is dropped in the user’s Desktop folder.
The attacker configures the payload to run daily at 7:15 AM local system time using a scheduled task named Crystal_updater. When triggered, this scheduled task launches the malicious CrystalPDF.exe, which initiates network connections to three command-and-control domains: negmari[.]com, ramiort[.]com, and strongdwn[.]com.
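A scheduled task that launches a binary out of AppData\Local\Temp is the persistence artefact described above, and task definitions can be exported with `schtasks /query /tn <name> /xml` for offline review. The following is an added example, not code from the Microsoft report: it parses exported Task Scheduler XML, pulls the task name, action commands and daily trigger time, and flags actions that run from user-writable locations. The task name, 7:15 AM daily schedule and Temp\crys path in the first sample follow the report's description; the username, the XML skeleton's exact fields and the benign second task are constructed placeholders, and the list of user-writable path fragments is my own assumption.

```python
"""Added example (not from the Microsoft report): triage exported Task
Scheduler XML for persistence like the Crystal_updater task.

Assumptions (mine): the user-writable path fragments, and the two sample
task definitions below (constructed; only the task name, time and
Temp\crys path follow the report's description)."""
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by schtasks XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Lower-cased path fragments marking user-writable staging locations
# (assumed list; extend for your environment).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads",
                 r"\users\public", "%temp%", "%tmp%", "%localappdata%", "%appdata%")


def triage_task(task_xml: str) -> dict:
    """Extract name, actions and daily trigger; flag actions in user-writable paths."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    commands = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append((cmd + " " + args).strip())
    cal = root.find("t:Triggers/t:CalendarTrigger", NS)
    daily = cal is not None and cal.find("t:ScheduleByDay", NS) is not None
    start = cal.findtext("t:StartBoundary", default="", namespaces=NS) if cal is not None else ""
    daily_at = start[11:16] if daily and len(start) >= 16 else ""  # HH:MM from ISO timestamp
    from_user_path = any(frag in c.lower() for c in commands for frag in USER_WRITABLE)
    return {
        "name": name,
        "commands": commands,
        "daily_at": daily_at,
        "runs_from_user_writable_path": from_user_path,
        # A recurring task whose binary lives in a temp directory is the
        # signal worth raising; the schedule is context for the analyst.
        "suspicious": from_user_path,
    }


# Constructed export modelled on the report's description (XML declaration omitted).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Crystal_updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-29T07:15:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Local\Temp\crys\CrystalPDF.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: vendor updater under Program Files, weekly trigger.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-09-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task(SUSPICIOUS_TASK_XML))
    print(triage_task(BENIGN_TASK_XML))
```

schtasks writes its export with a UTF-16 XML declaration; decode the file to text and drop that declaration before handing the string to `triage_task`, as the samples above do.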
The secondary executable, Crystal PDF.exe, stored in the Desktop directory, establishes network connections to multiple cloudconvert[.]com-related domains. CloudConvert is a legitimate service used to convert files into different formats, including converting various document types into PDF files. Analysis of this file indicates that it is a clean file and is designed to appear as a legitimate application that leverages CloudConvert to provide document-to-PDF conversion functionality.
Despite presenting itself as a legitimate PDF conversion and merging tool, CrystalPDF.exe ultimately functions as an information stealer. It covertly hijacks Firefox and Chrome browsers and attempts to access sensitive files located in the AppData\Roaming directory, which stores user-specific configuration and profile data that must persist across sessions. This includes cookies and session data, sign-in and credential caches, and profile settings. By harvesting credentials, tokens, and session cookies stored in the browser, the attacker can bypass standard authentication mechanisms and impersonate the user to gain unauthorized access to accounts and services that the user is authorized to use.
[Figure: Crystal PDF Installer attack chain]
Mitigation and protection guidance
Microsoft recommends the following mitigations to reduce the impact of trusted platform abuse used to deliver infostealers as discussed in this report. These recommendations draw from established Defender blog guidance patterns and align with protections offered across Microsoft Defender XDR.
Organizations can follow these recommendations to mitigate the threats described in this report:
Strengthen user awareness & execution safeguards
- Educate users on social‑engineering lures, including malvertising redirect chains, fake installers, and ClickFix‑style copy‑paste prompts.
Control outbound traffic & staging behavior
- Block direct access to known C2 infrastructure where possible, informed by your organization’s threat‑intelligence sources.
Protect against cross‑platform payloads
- Harden endpoint defenses around LOLBIN abuse, such as wscript.exe executing Visual Basic scripts.
- Evaluate activity involving AutoIt and process hollowing, common in platform‑abuse campaigns.
Microsoft also recommends the following mitigations to reduce the impact of this threat.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable network protection and web protection in Microsoft Defender for Endpoint to safeguard against malicious sites and internet-based threats.
- Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to prevent attackers from using local administrator privileges to set antivirus exclusions.
- Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against LOLBAS techniques used by threat actors:
  - Block execution of potentially obfuscated scripts
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Block JavaScript or VBScript from launching downloaded executable content
Microsoft Defender XDR detections
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
| Tactic | Observed activity | Microsoft Defender coverage |
| --- | --- | --- |
| Execution | Payloads downloaded using PowerShell | Microsoft Defender for Endpoint: Suspicious Powershell download or encoded command execution |
| Persistence | Registry Run key created; scheduled task created for recurring execution | Microsoft Defender for Endpoint: Anomaly detected in ASEP registry; Suspicious Scheduled Task Launched |
| Defense Evasion | Unauthorized code execution facilitated by DLL sideloading and process injection; Python script execution; renamed AutoIT interpreter binary and AutoIT script | Microsoft Defender for Endpoint: An executable file loaded an unexpected DLL file; A process was injected with potentially malicious code; Suspicious Python binary execution; Rename AutoIT tool |
| Discovery | System information queried using WMI and Python | Microsoft Defender for Endpoint: Suspicious System Hardware Discovery; Suspicious Process Discovery; Suspicious Security Software Discovery |
Threat intelligence reports
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Microsoft Defender XDR Threat analytics
Hunting queries
Microsoft Defender XDR
Microsoft Defender XDR customers can run the following queries to find related activity in their networks:
Use the following queries to identify activity related to WhatsApp Abused to Deliver Eternidade Stealer:
// Identify the files dropped from the malicious VBS execution
DeviceFileEvents
| where InitiatingProcessCommandLine has_all ("Downloads",".vbs")
| where FileName has_any (".zip",".lnk",".bat") and FolderPath has_all ("\\Temp\\")
// Identify batch script launching powershell instances to drop payloads
DeviceProcessEvents
| where InitiatingProcessParentFileName == "wscript.exe" and InitiatingProcessCommandLine has_any ("instalar.bat","python_install.bat")
| where ProcessCommandLine !has "conhost.exe"
// Identify AutoIT executable invoking malicious AutoIT script
DeviceProcessEvents
| where InitiatingProcessCommandLine has ".log" and InitiatingProcessVersionInfoOriginalFileName == "Autoit3.exe"
Use the following queries to identify activity related to the Malicious CrystalPDF Installer Campaign:
// Identify network connections to C2 domains
DeviceNetworkEvents
| where InitiatingProcessVersionInfoOriginalFileName == "CrystalPDF.exe"
// Identify scheduled task persistence
DeviceEvents
| where InitiatingProcessVersionInfoProductName == "CrystalPDF"
| where ActionType == "ScheduledTaskCreated"
Indicators of compromise
| Indicator | Type | Description |
| --- | --- | --- |
| 2c885d1709e2ebfcaa81e998d199b29e982a7559b9d72e5db0e70bf31b183a5f | SHA-256 | Payloads related to WhatsApp malware campaign |
| 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1 | SHA-256 | Payloads related to WhatsApp malware campaign |
| 3bd6a6b24b41ba7f58938e6eb48345119bbaf38cd89123906869fab179f27433 | SHA-256 | Payloads related to WhatsApp malware campaign |
| 5d929876190a0bab69aea3f87988b9d73713960969b193386ff50c1b5ffeadd6 | SHA-256 | Payloads related to WhatsApp malware campaign |
| bdd2b7236a110b04c288380ad56e8d7909411da93eed2921301206de0cb0dda1 | SHA-256 | Payloads related to WhatsApp malware campaign |
| 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3 | SHA-256 | Payloads related to WhatsApp malware campaign |
| de07516f39845fb91d9b4f78abeb32933f39282540f8920fe6508057eedcbbea | SHA-256 | Payloads related to WhatsApp malware campaign |
| 598da788600747cf3fa1f25cb4fa1e029eca1442316709c137690e645a0872bb | SHA-256 | Payloads related to Malicious Crystal PDF installer campaign |
| 3bc62aca7b4f778dabb9ff7a90fdb43a4fdd4e0deec7917df58a18eb036fac6e | SHA-256 | Payloads related to Malicious Crystal PDF installer campaign |
| c72f8207ce7aebf78c5b672b65aebc6e1b09d00a85100738aabb03d95d0e6a95 | SHA-256 | Payloads related to Malicious Crystal PDF installer campaign |
| hxxps://empautlipa[.]com/altor/installer.msi | URL | Used to deliver VBS initial access payload (WhatsApp Abused to Deliver Eternidade Stealer) |
| negmari[.]com | Domain | C2 server (Malicious Crystal PDF installer campaign) |
| ramiort[.]com | Domain | C2 server (Malicious Crystal PDF installer campaign) |
| strongdwn[.]com | Domain | C2 server (Malicious Crystal PDF installer campaign) |
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
References
Infostealers Strike Again: Malicious Installers Pass Through EDRs Undetected
SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp
Learn more
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.