Malware, used by 1 actor

Maverick

Maverick is a Brazilian banking trojan first reported in 2024 and primarily targeting Windows users in Brazil. It is distributed through WhatsApp-centric worm activity, notably via the SORVEPOTEL spreader and hijacked WhatsApp Web sessions, with observed delivery through ZIP archives containing malicious LNK files that trigger multi-stage, largely fileless PowerShell and .NET infection chains. Multiple reports describe Maverick as using social engineering, WhatsApp abuse, and fileless execution, and as sharing significant code and technique overlap with the Brazilian banking trojan Coyote; some researchers assess it as a distinct new threat, while later reporting assesses TCLBANKER as a major evolution/update of the Maverick/SORVEPOTEL family. Trend Micro-linked reporting associates Maverick activity with the Water Saci cluster.

Its core functionality is credential theft and banking fraud against Brazilian financial institutions. Reported capabilities include monitoring browser sessions and active tab titles/URLs for targeted Brazilian banks, cryptocurrency exchanges, and at least one payment platform; opening phishing overlays; keylogging; screenshot capture; mouse control; process termination; screen blocking during banking access; and broader remote-command functionality through a .NET agent. One report states that Maverick monitored 26 Brazilian bank websites, six cryptocurrency exchanges, and one payment platform. Together, browser monitoring, overlay phishing, keylogging, and screenshots are used to steal credentials and enable fraudulent transactions on desktop banking platforms.

Maverick includes a WhatsApp propagation component that abuses authenticated WhatsApp Web sessions, using Selenium and the open-source WPPConnect project to automate message sending to victims’ contacts in a worm-like manner. Campaign reporting describes self-spreading WhatsApp messages sent from previously infected sessions, often using Portuguese-language lures and archive attachments. The malware geofences victims and self-terminates or refuses installation outside Brazil, with checks including timezone, language/locale, region, and date format.

Observed infrastructure and indicators directly tied to Maverick reporting include sorvetenopote[.]com, casadecampoamazonas[.]com, expansiveuser[.]com, and zapgrande[.]com. Reported detections include HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen. Kaspersky reported blocking about 62,000 Maverick infection attempts in Brazil in the first 10 days of October in one observed campaign.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Water Saci

The malware family is assessed to be a major update of the Maverick, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim's contacts.

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189 Drive-by Compromise (evidence: 1)

Desktop threats continued to be distributed via traditional delivery methods like malicious emails, compromised websites, and droppers.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

This threat group employs a wider-ranging attack model focused on a bespoke delivery and propagation mechanism that includes WhatsApp, ClickFix techniques, and email-centric phishing.

T1059.001 PowerShell (evidence: 1)

The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command.

T1204.002 Malicious File (evidence: 2)

The archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.

The campaign ... seeks to trick users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp web session.

T1574.001 DLL (evidence: 1)

These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder. The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll")

Persistence

1 technique
T1547.009 Shortcut Modification (evidence: 1)

The archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.

Privilege Escalation

2 techniques
T1547.009 Shortcut Modification (evidence: 1)

The archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.

T1548 Abuse Elevation Control Mechanism (evidence: 1)

Comments written in Portuguese in the PowerShell explicitly stated the author’s defense evasion goals: ... “disable UAC”

Stealth

4 techniques
T1027 Obfuscated Files or Information (evidence: 1)

The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command.

T1027.011 Fileless Storage (evidence: 1)

Other notable actors included Coyote and emerging families like Maverick, which abused WhatsApp for distribution while maintaining fileless techniques and overlaps with established Brazilian banking malware to steal credentials and enable fraudulent transactions on desktop banking platforms.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Both payloads were delivered via the same C2 infrastructure and only to hosts that passed a set of anti-analysis checks.

T1574.001 DLL (evidence: 1)

These MSI installer packages are abusing a signed Logitech program called Logi AI Prompt Builder. The malware leverages DLL side-loading against the application to launch a malicious DLL ("screen_retriever_plugin.dll")

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Both payloads were delivered via the same C2 infrastructure and only to hosts that passed a set of anti-analysis checks.

Collection

1 technique
T1185 Browser Session Hijacking (evidence: 1)

It employs a two-pronged approach that involves a WhatsApp Web worm that hijacks authenticated browser sessions

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 1)

The first-stage PowerShell command ... downloaded the next-stage PowerShell command from a remote command and control (C2) server hosted on hxxps://www.zapgrande[.]com.

T1105 Ingress Tool Transfer (evidence: 1)

The first-stage PowerShell command covertly launched an Explorer process that downloaded the next-stage PowerShell command from a remote command and control (C2) server hosted on hxxps://www.zapgrande[.]com.

Other

2 techniques
T1562 Impair Defenses (evidence: 1)

The downloaded second-stage PowerShell command attempted to modify local security controls. Comments written in Portuguese in the PowerShell explicitly stated the author’s defense evasion goals: “add an exclusion in Microsoft Defender” and “disable UAC”.

T1562.001 Disable or Modify Tools (evidence: 1)

Comments written in Portuguese in the PowerShell explicitly stated the author’s defense evasion goals: “add an exclusion in Microsoft Defender”
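The family description and the technique evidence above describe one chain: a Base64-encoded PowerShell command launched from an LNK, an Explorer process spawned by PowerShell to fetch the next stage from zapgrande[.]com, and a second stage that adds a Defender exclusion and disables UAC. The following detection logic is an added example, not code from the page or from any vendor named on it: it runs a few rules over constructed process-creation events (host, parent, image, command line are assumed field names) and only alerts on a host where more than one stage of the chain co-occurs, which keeps a lone encoded PowerShell from paging on its own.

```python
import re
# Constructed sample process-creation events (not real telemetry), modelled on the
# chain the page describes: Base64 PowerShell run from an LNK, Explorer spawned to
# fetch stage two from the reported C2 domain, then a Defender exclusion added.
SAMPLE_EVENTS = [
    {"host": "h1", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QUJDREVG"},  # base64 placeholder
    {"host": "h1", "parent": "powershell.exe", "image": "explorer.exe",
     "cmdline": "explorer.exe hxxps://www.zapgrande[.]com/stage2"},
    {"host": "h1", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    # Host h2 is benign admin activity and should not alert.
    {"host": "h2", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Domains the page reports for this family, in refanged form.
C2_DOMAINS = {"zapgrande.com", "sorvetenopote.com", "casadecampoamazonas.com", "expansiveuser.com"}

def refang(text):
    """Turn defanged 'hxxps://x[.]y' notation back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

RULES = {
    # T1059.001 / T1027: PowerShell started with a Base64-encoded command
    "encoded_powershell": lambda e: e["image"] == "powershell.exe"
        and re.search(r"\s-e(c|nc|ncodedcommand)?\s", e["cmdline"], re.I) is not None,
    # T1105: PowerShell launching Explorer with a URL to pull the next stage
    "powershell_spawns_explorer_url": lambda e: e["image"] == "explorer.exe"
        and e["parent"] == "powershell.exe" and "://" in refang(e["cmdline"]),
    # T1071.001: any command line referencing the family's reported domains
    "known_c2_domain": lambda e: any(d in refang(e["cmdline"].lower()) for d in C2_DOMAINS),
    # T1562.001 / T1548: Defender exclusion or UAC tampering via PowerShell
    "defense_tampering": lambda e: re.search(
        r"Add-MpPreference\s+-Exclusion|EnableLUA", e["cmdline"], re.I) is not None,
}

def match_rules(event):  # names of every rule one event triggers
    return {name for name, pred in RULES.items() if pred(event)}

def hosts_by_rules(events):
    """Aggregate triggered rule names per host across the event stream."""
    hits = {}
    for e in events:
        hits.setdefault(e["host"], set()).update(match_rules(e))
    return hits

def alerting_hosts(events, min_rules=2):
    """Alert only where several chain stages co-occur on the same host."""
    return sorted(h for h, r in hosts_by_rules(events).items() if len(r) >= min_rules)
```

Running it over the constructed events flags only host h1; on real telemetry the same rules would sit on top of a process-creation feed such as Sysmon event ID 1 or a Windows 4688 stream with command-line logging enabled.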

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 2 tracked (IPs, domains, and DNS infrastructure linked to this family).

Other: 2 tracked (other indicator types observed in public reporting).

Type     Latest sighting
ip.v4    2 months ago
uri      2 months ago
uri      9 months ago
domain   9 months ago