Maverick.StageTwo
Maverick.StageTwo is a malware payload identified in reporting on the Sorvepotel campaign. Trend Micro reported that Sorvepotel, a Windows malware spread via WhatsApp messages containing a ZIP file and the Portuguese lure "baixa o zip no PC e abre," hijacks WhatsApp Web sessions and auto-forwards the malicious file to contacts and group chats. Sorvepotel ultimately delivers additional payloads aimed at stealing banking information, including Maverick.StageTwo and Maverick.Agent. Reporting states that Maverick.StageTwo targets Brazilian banking users. The broader campaign primarily affected Brazil, with infections concentrated in government agencies and public service entities, along with other sectors. High-confidence details in the provided content do not include specific file hashes, domains, or other concrete IOCs for Maverick.StageTwo itself.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Secondary payload delivered by Sorvepotel to steal banking information (credential theft and related banking fraud functionality).
Secondary payload delivered by Sorvepotel to steal banking information (credential theft and related banking fraud functionality).
Maverick.StageTwo is a secondary payload delivered by Sorvepotel, targeting Brazilian banking users to gather banking information.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.