Emergence of Maverick: A Sophisticated Banking Trojan Exploiting WhatsApp for Remote Computer Access

In mid-October 2025, cybersecurity experts identified a new and sophisticated banking Trojan named Maverick, which has been actively targeting Brazilian users. This malware leverages WhatsApp, a widely used messaging platform, as its primary distribution channel, leading to over 62,000 blocked infection attempts within the first ten days of its detection.

Distribution Methodology

Maverick’s distribution strategy involves sending Portuguese-language messages via WhatsApp that appear to be legitimate bank notifications or important documents. These messages carry compressed ZIP files containing malicious .LNK files. When a recipient opens the .LNK file, it starts a multi-stage attack chain: commands are executed through cmd.exe and PowerShell, which then contact command-and-control (C2) servers to download additional payloads. Notably, the entire infection process is fileless, meaning all malicious components are loaded directly into memory without writing files to disk. This approach significantly complicates detection by traditional antivirus solutions.
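The report names the stages of the chain (a user-opened .LNK, then cmd.exe, then PowerShell pulling a payload into memory) but not the exact command lines, so a detection rule has to lean on process ancestry rather than on specific strings. The following is an added example, not code from the report or from Kaspersky: it runs a chain check over a handful of constructed process-creation records, and the cradle keyword list and all paths, PIDs and command lines are this example's assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:  # one process-creation record (Sysmon EID 1 style), constructed here
    pid: int
    ppid: int
    image: str
    cmdline: str

# Cradle markers are this example's assumption; the report names cmd.exe and
# PowerShell as the stages but does not publish the exact command-line flags.
CRADLE_RE = re.compile(
    r"-e(?:nc|ncodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|"
    r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|frombase64string",
    re.IGNORECASE)
POWERSHELLS = {"powershell.exe", "pwsh.exe"}

def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def find_lnk_style_chains(events):
    """(explorer_pid, cmd_pid, powershell_pid) for each explorer.exe -> cmd.exe ->
    PowerShell chain with cradle markers; ancestry anchors the rule, keywords alone are noisy."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ps in events:
        if image_name(ps.image) not in POWERSHELLS or not CRADLE_RE.search(ps.cmdline):
            continue
        shell = by_pid.get(ps.ppid)
        launcher = by_pid.get(shell.ppid) if shell else None
        if (shell and launcher and image_name(shell.image) == "cmd.exe"
                and image_name(launcher.image) == "explorer.exe"):
            hits.append((launcher.pid, shell.pid, ps.pid))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry; <placeholder> stands in for an encoded command
    ProcEvent(4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(120, 4, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -w hidden -nop -enc <placeholder>"),
    ProcEvent(130, 120, PS, "powershell -w hidden -nop -enc <placeholder>"),
    ProcEvent(200, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(210, 200, PS, r"powershell -File C:\scripts\inventory.ps1"),
    ProcEvent(300, 7, PS, "powershell -nop -w hidden -enc <placeholder>"),  # no cmd/explorer parent
]

if __name__ == "__main__": print(find_lnk_style_chains(SAMPLE_EVENTS))  # [(4, 120, 130)]
```

Only the explorer-launched chain with cradle markers is reported; the scripted inventory run and the PowerShell with no cmd.exe/explorer.exe ancestry are left alone, which is what keeps such a rule usable in an environment where PowerShell is in legitimate daily use.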

Technical Sophistication and AI Integration

Upon analysis, researchers found that Maverick shares substantial code similarities with Coyote, another Brazilian banking Trojan documented in 2024. However, Maverick represents a more advanced and distinct threat. One of the notable advancements is the incorporation of artificial intelligence in its code-writing process, particularly for certificate decryption mechanisms and general development workflows. This integration of AI tools enhances the malware’s capabilities and allows it to evade traditional security measures more effectively.

Geographic Targeting and Activation Mechanism

Maverick employs a geographic targeting mechanism to ensure it primarily affects Brazilian users. Before activating, the malware checks the victim’s timezone, system language, region settings, and date formats. If these checks do not indicate a Brazilian system, the malware terminates. This strategy not only focuses the attack on a specific demographic but also hinders analysis on machines configured for other countries, such as researchers’ sandboxes.

Surveillance Capabilities

Once activated, Maverick deploys a range of surveillance tools, including:

– Screenshot Capture: Allows attackers to view the victim’s screen in real-time.
– Browser Monitoring: Tracks and records the victim’s online activities.
– Keylogging: Records keystrokes to capture sensitive information such as passwords.
– Mouse Control: Enables remote manipulation of the victim’s mouse.
– Overlay Phishing Pages: Displays fake banking interfaces to steal credentials from 26 Brazilian financial institutions, six cryptocurrency exchanges, and one payment platform.

Self-Propagation via WhatsApp

A particularly alarming feature of Maverick is its ability to self-propagate through compromised WhatsApp accounts. The malware utilizes WPPConnect, an open-source WhatsApp Web automation project, to hijack infected accounts. It then automatically sends malicious messages to the victim’s contact list, mimicking the original distribution method. This worm-like behavior exponentially increases the malware’s spread potential through one of the world’s most popular messaging platforms.

Command-and-Control Infrastructure

Maverick’s C2 infrastructure exhibits advanced operational security through multiple validation layers:

– Authentication: Each request to the C2 server is authenticated using HMAC-256 signatures with a specific secret key.
– User-Agent Validation: Ensures that connections originate from the malware itself rather than security tools.
– Encrypted Payloads: API endpoints utilize encrypted shellcodes wrapped with Donut loaders, employing XOR encryption where decryption keys are stored in the final bytes of downloaded binaries.

The decryption routine reads the last four bytes of the downloaded binary, which give the key size, walks backward through the file by that many bytes to locate the key, and then applies XOR across the entire payload. This encryption scheme, combined with heavy code obfuscation using control-flow-flattening techniques, significantly hampers reverse engineering efforts.
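For an analyst who has captured one of these downloads, the description above translates directly into a small unwrapping routine. What follows is an added example, not code from the report or from the malware: it reconstructs the trailer layout from the text, and the byte order of the size field, the assumption that the XOR covers only the payload (not the trailer), the 4096-byte sanity cap and the sample bytes are all this example's own choices.

```python
import struct

# Trailer layout assumed from the description (not taken from a sample):
#   [XOR-encrypted payload][key bytes][4-byte key size]
# Byte order of the size field and whether the XOR also covers the trailer
# are unknown; this example assumes little-endian and payload-only XOR.
MAX_KEY_SIZE = 4096  # sanity cap chosen here, not a documented limit

def split_trailer(blob: bytes) -> tuple[bytes, bytes]:
    """Return (encrypted_payload, key) from a blob carrying the assumed trailer."""
    if len(blob) < 5:
        raise ValueError("blob too short for a key-size field plus a key")
    key_size = struct.unpack("<I", blob[-4:])[0]
    if not (0 < key_size <= MAX_KEY_SIZE) or key_size + 4 >= len(blob):
        raise ValueError(f"implausible key size {key_size} for a {len(blob)}-byte blob")
    key_end = len(blob) - 4
    key_start = key_end - key_size
    return blob[:key_start], blob[key_start:key_end]

def xor_apply(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unwrap(blob: bytes) -> bytes:
    """Walk the trailer backwards, pull the key, and XOR the whole payload."""
    payload, key = split_trailer(blob)
    return xor_apply(payload, key)

def build_blob(plaintext: bytes, key: bytes) -> bytes:
    """Constructed fixture: wrap plaintext the way the trailer is assumed to work."""
    return xor_apply(plaintext, key) + key + struct.pack("<I", len(key))

# Constructed sample; the payload bytes are arbitrary and stand in for a loader stage.
SAMPLE_KEY = bytes.fromhex("5a17c3e9b02d")
SAMPLE_PLAINTEXT = bytes(range(0x20, 0x60)) * 2
SAMPLE_BLOB = build_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(unwrap(SAMPLE_BLOB) == SAMPLE_PLAINTEXT, len(SAMPLE_BLOB))  # True 138
```

If a real sample does not decrypt cleanly under these assumptions, the size field's byte order and whether the XOR runs over the trailer as well are the first two things to flip.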

Detection and Mitigation

Kaspersky security products have been updated to detect Maverick with verdicts HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen. These updates provide protection from the initial .LNK file through all subsequent infection stages. Users are advised to exercise caution when receiving unsolicited messages containing attachments, even from known contacts, and to keep their security software up to date to mitigate the risk of infection.

Conclusion

The emergence of Maverick underscores the evolving landscape of cyber threats, where attackers are increasingly leveraging popular communication platforms and advanced technologies to distribute malware. The integration of artificial intelligence in malware development, combined with sophisticated distribution and evasion techniques, presents significant challenges for cybersecurity professionals. Vigilance, user education, and robust security measures are essential to combat such advanced threats.