WhatsApp Worm Targets Brazilian Users with Banking Malware

A sophisticated malware campaign has been identified, exploiting WhatsApp’s messaging platform to deploy banking trojans targeting Brazilian financial institutions and cryptocurrency exchanges. This self-propagating worm, which emerged on September 29, 2025, demonstrates advanced evasion techniques and multi-stage infection chains designed to circumvent modern security defenses. The threat has already affected over 400 customer environments across more than 1,000 endpoints, highlighting the campaign’s widespread reach and effectiveness.

Infection Mechanism

The attack begins when victims receive a malicious ZIP archive through WhatsApp Web from a previously infected contact. The social engineering component is particularly clever, as the message claims the attached content can only be viewed on a computer, effectively forcing recipients to download and execute the malware on desktop systems rather than mobile devices. This strategic approach ensures the malware operates in an environment where it can establish persistence and deploy its full payload capabilities.

Multi-Stage PowerShell Infection Chain

The malware’s execution begins with a malicious Windows LNK file hidden within the ZIP archive. The LNK file contains an obfuscated Windows command that, when the shortcut is opened, constructs and runs a Base64-encoded PowerShell command. This first-stage PowerShell script covertly launches an Explorer process that downloads the next-stage payload from command and control servers, including hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com, and sorvetenopote[.]com.

The second-stage PowerShell command demonstrates the malware’s defensive evasion capabilities through explicit security control modifications. Portuguese-language comments embedded within the PowerShell code reveal the author’s intentions to add an exclusion in Microsoft Defender and disable UAC (User Account Control). These modifications create a permissive environment where the malware can operate without triggering security alerts or requiring user interaction for privileged operations.

Payloads and Capabilities

The campaign delivers two distinct payloads depending on the infected system’s characteristics: a legitimate Selenium browser automation tool with matching ChromeDriver, and a banking trojan named Maverick.

The Selenium payload enables attackers to control active browser sessions, facilitating WhatsApp web session hijacking and enabling the worm’s self-propagation mechanism. Meanwhile, the Maverick banking trojan monitors browser traffic for connections to Brazilian banks and cryptocurrency exchanges, deploying additional .NET-based banking malware when financial targets are accessed.

Comparison with Previous Banking Trojans

The Maverick banking trojan shares similarities with the earlier Coyote banking trojan, which in 2024–2025 was delivered through malicious LNK files and multi-stage PowerShell infection chains. The overlapping techniques, infrastructure, and language artifacts suggest that Maverick could be an evolved version of Coyote optimized for WhatsApp-based propagation.

Recommendations for Users

To protect against such sophisticated malware campaigns, users are advised to:

– Be cautious of unsolicited messages, even from known contacts, especially those containing attachments or links.

– Avoid downloading and opening files from unknown or untrusted sources.

– Keep operating systems and software up to date to patch known vulnerabilities.

– Use reputable antivirus and anti-malware solutions to detect and prevent infections.

– Regularly back up important data to mitigate the impact of potential malware attacks.

By remaining vigilant and following these best practices, users can reduce the risk of falling victim to such sophisticated malware campaigns.