Security researchers have identified a sophisticated malware campaign that exploits WhatsApp’s messaging platform to deploy banking trojans targeting Brazilian financial institutions and cryptocurrency exchanges.
The self-propagating worm, which emerged on September 29, 2025, demonstrates advanced evasion techniques and multi-stage infection chains designed to circumvent modern security defenses.
The threat has already affected over 400 customer environments across more than 1,000 endpoints, highlighting the campaign’s widespread reach and effectiveness.
The attack begins when victims receive a malicious ZIP archive through WhatsApp Web from a previously infected contact.
The social engineering component is particularly clever, as the message claims the attached content can only be viewed on a computer, effectively forcing recipients to download and execute the malware on desktop systems rather than mobile devices.
This strategic approach ensures the malware operates in an environment where it can establish persistence and deploy its full payload capabilities.
Sophos analysts identified the malware’s sophisticated infection mechanism during their investigation of multiple incidents across Brazil.
The threat actors demonstrate deep understanding of Windows security architecture and PowerShell capabilities, implementing obfuscation techniques that allow the malware to operate undetected for extended periods.
The campaign’s technical sophistication suggests involvement of experienced cybercriminals with substantial resources and knowledge of Brazilian banking systems.
Multi-Stage PowerShell Infection Chain
The malware’s execution begins with a malicious Windows LNK file hidden within the ZIP archive. The LNK file contains an obfuscated Windows command that, when executed, constructs and runs a Base64-encoded PowerShell command.
This first-stage PowerShell script covertly launches an Explorer process that downloads the next-stage payload from command and control servers, including hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com, and sorvetenopote[.]com.
The second-stage PowerShell command demonstrates the malware’s defensive evasion capabilities through explicit security control modifications.
Portuguese-language comments embedded within the PowerShell code reveal the author’s intentions to “add an exclusion in Microsoft Defender” and “disable UAC” (User Account Control).
These modifications create a permissive environment where the malware can operate without triggering security alerts or requiring user interaction for privileged operations.
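The two stages described above give a defender something concrete to look for in process-creation telemetry: a PowerShell command line carrying a Base64 -EncodedCommand, and, once decoded, a Defender exclusion or a UAC change. The following triage script is an added example written for this article, not code from Sophos or from the malware; the log lines are constructed, and the specific cmdlet and registry value it matches on (Add-MpPreference with an -Exclusion* parameter, Set-MpPreference -DisableRealtimeMonitoring, and the EnableLUA policy value) are assumptions about how such changes are usually made rather than details taken from the campaign.

```python
import base64
import re
from typing import Optional

# Hypothetical indicator set (assumption, not from the article): the usual
# PowerShell/registry routes to a Defender exclusion or a UAC disable.
INDICATORS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
    "uac_disable": re.compile(r"EnableLUA\D{0,40}0\b", re.I),
}

# -EncodedCommand and its short aliases, followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if there is none.

    PowerShell expects the blob to be Base64 over UTF-16LE text, so both
    steps are reversed here; malformed blobs are reported as None rather
    than raising, so one bad event cannot stop a scan.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Decode the command line if needed and match it against INDICATORS."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}


def build_constructed_events() -> list:
    """Constructed process-creation command lines (not real telemetry).

    The second event encodes a script that adds a Defender exclusion and
    sets EnableLUA to 0, mirroring the two behaviours named in the article.
    """
    benign = 'powershell.exe -NoProfile -Command "Get-Date"'
    staged_script = (
        'Add-MpPreference -ExclusionPath "C:\\Users\\Public"; '
        'Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Microsoft\\Windows\\'
        'CurrentVersion\\Policies\\System" -Name EnableLUA -Value 0'
    )
    blob = base64.b64encode(staged_script.encode("utf-16-le")).decode("ascii")
    suspicious = f"powershell.exe -w hidden -EncodedCommand {blob}"
    return [benign, suspicious]


def scan(events: list) -> list:
    """Triage every command line and return one result dict per event."""
    return [triage(cmdline) for cmdline in events]


if __name__ == "__main__":
    for cmdline, result in zip(build_constructed_events(), scan(build_constructed_events())):
        print(cmdline[:60], "->", result["hits"] or "clean")
```

In production the same triage would run on Sysmon Event ID 1 or Windows Security 4688 command lines; the point of decoding first is that a plain string match on the raw command line would see only Base64 and miss both indicators.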
The campaign delivers two distinct payloads depending on the infected system’s characteristics: a legitimate Selenium browser automation tool with matching ChromeDriver, and a banking trojan named Maverick.
The Selenium payload enables attackers to control active browser sessions, facilitating WhatsApp web session hijacking and enabling the worm’s self-propagation mechanism.
Meanwhile, the Maverick banking trojan monitors browser traffic for connections to Brazilian banks and cryptocurrency exchanges, deploying additional .NET-based banking malware when financial targets are accessed.