Maverick Banking Trojan Spreads via WhatsApp and Steals Financial Credentials
A new banking Trojan named Maverick has been identified targeting users in Brazil through a sophisticated, fileless malware campaign. The infection chain begins with the distribution of malicious ZIP files containing LNK shortcuts, which are sent via WhatsApp messages. These LNK files are not blocked by WhatsApp, allowing the malware to propagate widely among Brazilian users. Once a device is infected, the Maverick Trojan leverages the open-source WPPConnect project to automate the sending of further malicious messages from the victim’s WhatsApp Web account, effectively turning compromised devices into worms that spread the malware to additional contacts. The Trojan is highly targeted, checking the infected system’s time zone, language, and regional settings to ensure it only installs on Brazilian machines. Upon successful infection, Maverick operates entirely in memory, minimizing disk activity and making detection more difficult. The malware is modular, using PowerShell and .NET components to execute its payloads. Its primary objective is to steal banking and UPI credentials by monitoring browser activity, taking screenshots, logging keystrokes, and overlaying phishing pages when users access banking websites. Maverick can also control the mouse, block the screen during sensitive operations, and terminate processes to evade detection. The campaign specifically targets 26 Brazilian banks, 6 cryptocurrency exchanges, and a major payment platform, indicating a broad financial focus. The command-and-control infrastructure is designed to verify that downloads originate from the malware itself, adding another layer of evasion. Researchers have noted significant code overlap between Maverick and the previously known Coyote Trojan, but Maverick is considered a distinct and new threat. The use of WhatsApp as a distribution vector is particularly concerning, as it exploits the trust between contacts and the widespread use of the messaging platform in Brazil. The fileless nature of the attack chain, combined with the use of legitimate open-source tools, complicates detection and remediation efforts. Security experts recommend heightened vigilance for suspicious WhatsApp messages containing attachments, especially those in Portuguese or referencing financial matters. Organizations and individuals are urged to update their security solutions and educate users about the risks of opening unsolicited files, even from known contacts. The emergence of Maverick underscores the evolving tactics of cybercriminals targeting the Brazilian financial sector and highlights the need for robust, multi-layered defenses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose Maverick as a distinct new banking threat
Securelist published technical analysis identifying Maverick as a new Brazilian banking trojan, noting code and technique overlap with Coyote but assessing it as a separate threat. The report detailed its banking credential theft, overlays, keylogging, screenshots, and remote-control capabilities.
Kaspersky records 62,000 Maverick infection attempts in early October
Kaspersky reported blocking about 62,000 infection attempts in Brazil during the first 10 days of October. The company detected the activity as HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen.
Maverick uses hijacked WhatsApp accounts to self-propagate
The malware incorporated a WhatsApp account hijacking and spam module using WPPConnect and Selenium to automate WhatsApp Web and send malicious messages to victims' contacts. This added worm-like propagation to the banking trojan campaign.
Maverick banking trojan campaign begins large-scale spread in Brazil
A new Brazilian banking trojan dubbed Maverick was distributed at scale through WhatsApp messages carrying ZIP archives with malicious Windows LNK files. The campaign used a modular, largely fileless infection chain with PowerShell, in-memory .NET loading, and geofencing to restrict infections to Brazil.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Maverick Fileless Trojan Turns Infected Phones into WhatsApp Worms to Steal Banking and UPI Credentials
securityonline.info
Open sourceMaverick: a new banking trojan abusing WhatsApp in a massive scale distribution | Securelist
securelist.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Eternidade Stealer Banking Trojan Propagated via WhatsApp Worm in Brazil
Cybersecurity researchers have identified a new campaign targeting Brazilian users in which the Eternidade Stealer, a Delphi-based banking trojan, is distributed through a WhatsApp worm. The attack leverages social engineering and WhatsApp hijacking, with the threat actor deploying a Python script—marking a shift from previous PowerShell-based methods—to hijack WhatsApp Web sessions and spread malicious attachments. The campaign uses an obfuscated Visual Basic Script as the initial infection vector, which then drops a batch script responsible for delivering two payloads, including the Python-based worm. The malware utilizes the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the attacker to update C2 infrastructure as needed. This activity is part of a broader trend in Brazil, where WhatsApp's ubiquity makes it a favored vector for distributing banking trojans and information stealers. The use of Delphi for malware development remains prevalent in Latin America due to its technical efficiency and regional familiarity. Researchers note that this campaign represents an evolution in tactics, building on previous attacks such as Water Saci, and highlights the increasing sophistication of social engineering and malware propagation techniques in the region's cybercrime ecosystem.
Mar 21, 2026
TCLBANKER Banking Trojan Uses Logitech Sideloading and Self-Spreads via WhatsApp
Elastic Security Labs disclosed **TCLBANKER**, a Brazilian banking trojan assessed as a major evolution of the **MAVERICK/SORVEPOTEL** family, delivered through a trojanized MSI installer for Logitech's signed **Logi AI Prompt Builder** and executed via DLL sideloading. The malware targets **59** Brazilian banking, fintech, and cryptocurrency services, using anti-analysis checks, environment-gated payload decryption, ETW patching, watchdog functions, and .NET Reactor-protected modules to evade detection and maintain execution. Once active, it monitors browser activity through UI Automation and opens a WebSocket command-and-control channel when victims visit monitored financial sites. The malware's fraud tooling includes a **WPF full-screen overlay** framework that can present fake login prompts, counterfeit Windows Update screens, vishing wait pages, and screen-capture-resistant overlays to steal credentials and support operator-driven account takeover. A separate worm component propagates through **WhatsApp Web** by hijacking authenticated browser sessions and through **Microsoft Outlook** by using COM automation to send phishing emails from the victim's own account. Researchers said the campaign relies heavily on **Cloudflare Workers** for payload hosting and C2, and appears to be in an early operational stage based on exposed developer artifacts and unfinished phishing infrastructure.
May 9, 2026
Self-Propagating SORVEPOTEL Malware Spreads via WhatsApp Targeting Brazilian Windows Users
A new malware campaign, identified as SORVEPOTEL, has been actively targeting Windows users in Brazil by exploiting the WhatsApp messaging platform as its primary infection vector. The campaign is engineered for rapid propagation rather than data theft or ransomware, focusing on widespread distribution through social engineering tactics. Attackers initiate the infection by sending convincing phishing messages from already compromised WhatsApp accounts, which increases the credibility of the malicious communication. These messages contain ZIP file attachments that masquerade as legitimate documents, such as receipts or health app files, and are specifically crafted to require opening on a desktop, indicating a focus on enterprise environments. Upon opening the ZIP file, victims are prompted to execute a Windows shortcut (LNK) file, which silently triggers the malware installation on the system. Once installed, SORVEPOTEL leverages active WhatsApp Web sessions to automatically send the same malicious ZIP file to all contacts and groups associated with the victim’s account, enabling rapid self-propagation. This automated spamming behavior often results in the infected WhatsApp accounts being banned due to excessive activity. Trend Micro telemetry indicates that out of 477 detected cases, 457 occurred in Brazil, highlighting a strong regional focus. The campaign has notably impacted government and public service organizations, but has also affected entities in manufacturing, technology, education, and construction sectors. While the primary goal appears to be mass distribution, there is concern that similar techniques have previously been used in Brazil to target financial data, raising the risk of future campaigns with more damaging objectives. Researchers have also observed that, in addition to WhatsApp, the attackers may use email as a secondary distribution channel, sending the same malicious ZIP files from seemingly legitimate email addresses. The use of social trust and automation in this campaign demonstrates a sophisticated approach to maximizing infection rates. There is currently no evidence that SORVEPOTEL exfiltrates data or encrypts files, but the potential for further exploitation remains. The campaign underscores the importance of user awareness regarding phishing tactics, especially those leveraging trusted communication platforms. Security teams are advised to monitor for suspicious WhatsApp Web activity and educate users about the risks of opening unsolicited attachments. The incident highlights the evolving threat landscape where messaging platforms are increasingly abused for malware propagation, particularly in regions with high platform adoption.
Mar 21, 2026