New Banking Malware Abusing WhatsApp to Gain Complete Remote Access to Your Computer


A sophisticated banking Trojan named Maverick has emerged in Brazil, leveraging WhatsApp as its primary distribution channel to compromise thousands of users.

The malware campaign was detected in mid-October 2025, with cybersecurity solutions blocking over 62,000 infection attempts in just the first ten days of the month.

The threat specifically targets Brazilian users through Portuguese-language messages containing malicious ZIP archives that bypass WhatsApp’s security filters.

The infection mechanism begins when victims receive a seemingly legitimate message on WhatsApp, often disguised as bank notifications or important documents.

These messages contain compressed ZIP files housing a weaponized .LNK file that initiates the attack chain. Once opened, the malware executes a complex series of commands through cmd[.]exe and PowerShell, contacting command-and-control servers with carefully validated authentication protocols to download additional payloads.

The entire infection process operates in a fully fileless manner, meaning all malicious components load directly into memory without writing files to disk, significantly complicating detection efforts.
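Because the lure arrives as a ZIP that carries a Windows shortcut, a mail or chat gateway can triage such archives before a user ever opens them. The following is an added example written for this article, not code from Securelist or from the malware: it walks a ZIP in memory and reports members that are Shell Link (.LNK) files, matching both the extension (case-insensitively, so a double extension such as "Comprovante.pdf.lnk" is caught) and the Shell Link header bytes (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to look like a PDF is still flagged. The sample archive and its file names are constructed for the demonstration and are not the real lure.

```python
import io
import zipfile

# Shell Link (.LNK) files begin with HeaderSize 0x0000004C (little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 in GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_lnk_bytes(head: bytes) -> bool:
    """True if the bytes start with the Shell Link header, whatever the file is named."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Report every ZIP member that is a Windows shortcut.

    A member is reported when its name ends in .lnk (case-insensitive) or when
    its first bytes carry the Shell Link header; both reasons are recorded so an
    analyst can see whether the extension was hidden.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = is_lnk_bytes(head)
            if by_ext or by_magic:
                findings.append(
                    {"name": info.filename, "by_ext": by_ext, "by_magic": by_magic}
                )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real lure): one shortcut with a double
    extension, one shortcut renamed to look like a PDF, and one harmless text file.
    The shortcut bodies are just the header followed by padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Boleto.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("leiame.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_zip(build_sample_zip()):
        print(hit)
```

Run against real attachments, the same function can feed a quarantine decision or an alert; the header check is the part worth keeping, since an extension-only rule misses a renamed shortcut.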


Securelist researchers identified the malware as sharing substantial code similarities with Coyote, another Brazilian banking Trojan documented in 2024, though Maverick represents a distinct and more advanced threat.

The researchers noted that the malware employs artificial intelligence in its code-writing process, particularly for certificate decryption mechanisms and general development workflows.

This represents a concerning evolution in malware development techniques, where threat actors leverage AI tools to enhance their capabilities and evade traditional security measures.

Figure: Infection chain (Source – Securelist)

The banking Trojan implements geographic targeting by verifying the victim’s timezone, system language, region settings, and date formats to confirm Brazilian location before activating.

If these checks fail, the malware terminates execution, preventing analysis by researchers in other countries.

Once confirmed, Maverick deploys comprehensive surveillance capabilities including screenshot capture, browser monitoring, keylogging, mouse control, and overlay phishing pages designed to steal banking credentials from 26 Brazilian financial institutions, six cryptocurrency exchanges, and one payment platform.

Propagation Through Compromised WhatsApp Accounts

Perhaps the most alarming aspect of Maverick is its self-propagation mechanism that transforms infected devices into distribution nodes.

The malware utilizes WPPConnect, an open-source WhatsApp Web automation project, to hijack compromised accounts and automatically send malicious messages to the victim’s contact list.

This worm-like behavior creates exponential spread potential through one of the world’s most popular messaging platforms.

The command-and-control infrastructure demonstrates advanced operational security through multiple validation layers.

The C2 server authenticates each request using HMAC-256 signatures with the key “MaverickZapBot2025SecretKey12345” and validates User-Agent headers to ensure connections originate from the malware itself rather than security tools.

The API endpoints utilize encrypted shellcodes wrapped with Donut loaders, employing XOR encryption where decryption keys are stored in the final bytes of downloaded binaries.

The decryption algorithm extracts the last four bytes indicating key size, walks backward through the file to locate the encryption key, and applies XOR operations across the entire payload.

This sophisticated encryption scheme, combined with heavy code obfuscation using Control Flow Flattening techniques, significantly hampers reverse engineering efforts.

# Decryption process: the last four bytes of the downloaded binary hold the key size
$keySize  = [BitConverter]::ToInt32([byte[]]$binary[-4..-1], 0)
# Walk backward from the size field to find where the XOR key begins
$keyStart = $binary.Length - 4 - $keySize
$xorKey   = $binary[$keyStart..($keyStart + $keySize - 1)]
# Apply the key, repeating it as needed, across the payload that precedes it
$payload  = $binary[0..($keyStart - 1)]
for ($i = 0; $i -lt $payload.Length; $i++) { $payload[$i] = $payload[$i] -bxor $xorKey[$i % $xorKey.Length] }
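For an analyst who has captured one of these downloads, the layout above is simple enough to unpack offline. The following Python decoder is an added example for this article, not Securelist's tooling or the malware's own code; it reads the 4-byte little-endian key size from the tail (the same read as BitConverter.ToInt32), walks back to the key, XORs the preceding bytes, and refuses a key size that cannot fit in the blob, which usually means a truncated download or a different scheme. The sample plaintext and key are constructed here purely to exercise the decoder; whether the malware's key field is signed or little-endian beyond what the article's snippet implies is an assumption carried over from that snippet.

```python
import struct


def split_tail_key(blob: bytes) -> tuple[bytes, bytes]:
    """Recover (payload, key) from a blob laid out as [payload][key][key_size int32].

    Raises ValueError when the trailer cannot describe a key that fits inside
    the blob, so a truncated or differently packed file is not silently mangled.
    """
    if len(blob) < 4:
        raise ValueError("blob too short to carry a key-size trailer")
    # Little-endian signed 32-bit, matching BitConverter.ToInt32 on x86/x64 (assumption from the snippet)
    key_size = struct.unpack("<i", blob[-4:])[0]
    if key_size <= 0 or key_size > len(blob) - 4:
        raise ValueError(f"implausible key size {key_size} for {len(blob)}-byte blob")
    key_start = len(blob) - 4 - key_size
    return blob[:key_start], blob[key_start:key_start + key_size]


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated as often as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_tail_keyed(blob: bytes) -> bytes:
    """Full decode: locate the trailing key, then XOR the payload that precedes it."""
    payload, key = split_tail_key(blob)
    return xor_stream(payload, key)


def pack_tail_keyed(payload: bytes, key: bytes) -> bytes:
    """Build a blob in the same layout; used only to construct a test input for the decoder."""
    return xor_stream(payload, key) + key + struct.pack("<i", len(key))


# Constructed sample (not real shellcode or a real key) to demonstrate a round trip.
SAMPLE_PLAINTEXT = b"constructed sample payload, not real shellcode"
SAMPLE_KEY = b"constructed-key"
SAMPLE_BLOB = pack_tail_keyed(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    payload, key = split_tail_key(SAMPLE_BLOB)
    print("key:", key, "recovered:", decrypt_tail_keyed(SAMPLE_BLOB))
```

The size check is the practical addition: a blob whose trailer claims a key longer than the file is a sign the capture is incomplete or that the loader has changed its packing, and stopping there is more useful than emitting garbage.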

Kaspersky security products detect the threat with verdicts HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen, providing protection from the initial LNK file through all subsequent infection stages.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.