Cybersecurity researchers have uncovered a sophisticated new campaign targeting WhatsApp users in Brazil with self-propagating malware designed to steal banking credentials and cryptocurrency exchange login information.
The attack, first detected on September 29, 2025, represents a dangerous evolution in social engineering tactics that exploits users’ trust in familiar contacts to spread malicious payloads across messaging networks.
The campaign begins when victims receive seemingly legitimate messages from previously infected WhatsApp contacts through the web-based version of the messaging platform.
These messages contain ZIP archives with names like “NEW-20251001_150505-XXX_XXXXXXX.zip” or use Portuguese terms such as “ORCAMENTO” (Budget) and “COMPROVANTE” (Voucher) to appear authentic.
The messages specifically instruct recipients that the content can only be viewed on a computer, steering victims away from their phones and onto a Windows desktop, the only platform on which the payload can run.
The ZIP archive contains a malicious Windows shortcut (LNK) file that, when opened, launches a multi-stage PowerShell infection chain.

Security researchers at Sophos have detected this initial PowerShell activity across more than 400 customer environments, affecting over 1,000 endpoints.
Brazilian Financial Institutions
The second-stage PowerShell commands attempt to disable critical security defenses, with Portuguese comments explicitly stating intentions to “add an exclusion in Microsoft Defender” and “disable UAC” (User Account Control). A Defender exclusion lets the later stages be written to disk without being scanned, and turning UAC off removes the elevation prompt that subsequent privileged actions would otherwise trigger. Both changes require administrative rights, so their appearance in PowerShell script block logs is a strong, low-noise detection signal.
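As an added example (not code from the article or from Sophos), the following Python triages PowerShell script block log text for the two defense-evasion steps described above, which is also the kind of check behind the PowerShell execution alerts the article recommends. The indicator patterns, the sample Event ID 4104 records and the ATT&CK mappings are assumptions made for this example; the campaign's exact command lines are not given in the article.

```python
"""Hunt for the two defence-evasion steps the article attributes to the
second-stage PowerShell: adding a Microsoft Defender exclusion and turning
UAC off. Input is PowerShell script block text (what Event ID 4104 records
when script block logging is enabled). The sample events below are
constructed for this example; the campaign's real command lines are not in
the article."""
import base64
import re

# Indicator name, regex over the (decoded) script text, ATT&CK technique.
INDICATORS = [
    ("Defender exclusion added",
     r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", "T1562.001"),
    ("Defender feature disabled",
     r"Set-MpPreference\s+-Disable\w+", "T1562.001"),
    ("UAC disabled (EnableLUA=0)",
     r"EnableLUA[^\n]{0,80}?\b0\b", "T1548.002"),
    ("UAC prompt downgraded",
     r"ConsentPromptBehaviorAdmin[^\n]{0,80}?\b0\b", "T1548.002"),
    ("Encoded command",
     r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "T1027.010"),
    ("Hidden window",
     r"-w(?:indowstyle)?\s+hidden", "T1564.003"),
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def expand_encoded_commands(text):
    """Append the decoded form of any -EncodedCommand payload (base64 of
    UTF-16LE) so the indicators also fire on an encoded second stage."""
    decoded = []
    for m in ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16; the raw token still counts
    return "\n".join([text, *decoded])


def scan_script_block(text):
    """Return [(indicator name, technique)] for every indicator that matches."""
    expanded = expand_encoded_commands(text)
    return [(name, tech) for name, pat, tech in INDICATORS
            if re.search(pat, expanded, re.I)]


def triage(events):
    """One finding per event with at least one hit, in input order."""
    findings = []
    for ev in events:
        hits = scan_script_block(ev["script"])
        if hits:
            findings.append({
                "id": ev["id"], "host": ev["host"],
                "indicators": [n for n, _ in hits],
                "techniques": sorted({t for _, t in hits}),
            })
    return findings


# Constructed sample 4104 events (not real telemetry). Event 3 carries the
# Defender change inside an -EncodedCommand to show the decode path.
_ENC = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-01", "script": r"Get-ChildItem C:\Users\a\Downloads"},
    {"id": 2, "host": "WS-07", "script":
        "Add-MpPreference -ExclusionPath $env:USERPROFILE\n"
        r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows"
        r"\CurrentVersion\Policies\System' -Name EnableLUA -Value 0"},
    {"id": 3, "host": "WS-12", "script": "powershell.exe -w hidden -enc " + _ENC},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} event {f['id']}: {', '.join(f['indicators'])} "
              f"[{' '.join(f['techniques'])}]")
```

In practice the script text would come from the Windows event log (ScriptBlockText in Event ID 4104) or from the EDR's PowerShell telemetry; the regexes are deliberately loose so that `reg add ... /v EnableLUA /d 0` and `Set-ItemProperty ... -Name EnableLUA -Value 0` both fire.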


This defense evasion enables the deployment of either a Selenium browser automation tool for session hijacking or a banking trojan called Maverick, which specifically monitors for connections to Brazilian banks and cryptocurrency exchanges.
When victims access targeted financial websites, the malware installs a feature-rich .NET banking trojan designed to steal login credentials and facilitate unauthorized transactions.
The sophistication of this payload suggests significant development resources and detailed knowledge of Brazilian banking systems.


Counter Threat Unit researchers have identified possible connections to previous campaigns involving the Coyote banking trojan, which has targeted Brazilian users since February 2024 using similar distribution methods.
Self-Propagation Mechanism Amplifies Threat
The most concerning aspect of this campaign is its self-propagating nature. After successful infection, the malware attempts to spread itself to the victim’s WhatsApp contacts, creating an exponential distribution network that leverages social trust.
This worm-like behavior significantly amplifies the campaign’s reach and effectiveness, as recipients are more likely to open attachments from known contacts.
Security experts note that the attack reflects a broader shift toward messaging platforms and social media channels as initial access vectors.
Delivery through WhatsApp Web puts the lure on a Windows desktop, where the LNK and PowerShell payload can run, while exploiting the platform’s widespread adoption in Brazil, where WhatsApp serves as a primary communication tool for both personal and business purposes.
Organizations and individuals can reduce their exposure by educating users about the risks of opening unexpected attachments, even from known contacts, and especially attachments that insist on being opened on a computer.
Alerting on suspicious PowerShell execution, such as the Defender exclusion and UAC changes made by the second stage, allows infections to be contained before the Selenium or Maverick payloads are deployed, and keeping endpoint security solutions up to date provides a further layer of defense against these multi-stage attacks.
As threat actors continue to refine their social engineering tactics, vigilance and security awareness remain the first line of defense against these evolving threats.