Maverick Banking Malware Spreads Via WhatsApp, Targets Brazilian Banks

Reza Rafati

Maverick, a new banking malware, is spreading via WhatsApp, targeting Brazilian financial institutions. First documented in October 2025, Maverick shares notable similarities with the established Coyote banking trojan, suggesting an evolving threat for online banking customers in Brazil.

Maverick poses a significant threat with its advanced self-propagation and focus on desktop users. Both Maverick and Coyote, developed in .NET, target Brazilian banks. They share identical functions: decrypting data, monitoring banking applications, and intercepting banking URLs. Researchers at CyberProof, Kaspersky, Sophos, and Trend Micro track Maverick’s rapid spread and technical details.

Maverick infections begin when users receive a malicious ZIP file via WhatsApp Web. These files, often disguised as “WhatsApp Receipt” or “November Invoice,” contain a malicious Windows LNK file. When executed, the LNK file launches a complex, fileless infection chain. Trend Micro identified the self-propagating component as SORVEPOTEL. SORVEPOTEL establishes persistence through scheduled tasks or registry key changes, then hijacks the victim’s WhatsApp account. It then automatically distributes the malicious ZIP payload to the victim’s contacts.
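Because delivery depends on a shortcut file packed inside a ZIP, a mail or download gateway can flag such archives before a user opens them. The following is an added example, not code from this article or from the vendors it cites: the function names, the size limit and the sample archive are constructed for illustration. It reports members that carry a `.lnk` name or the Shell Link file header, including inside nested ZIPs.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_NESTED = 20 * 1024 * 1024  # assumed limit: skip nested archives larger than this


def find_lnk_members(zip_bytes, depth=2, prefix=""):
    """Return (member_path, reason) for each shortcut found, following nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            try:
                with archive.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                head = b""  # encrypted or unsupported member: fall back to the name check
            if head == LNK_MAGIC:
                hits.append((path, "shell-link header"))  # caught even if renamed
            elif info.filename.lower().endswith(".lnk"):
                hits.append((path, ".lnk extension"))
            elif head[:4] == b"PK\x03\x04" and depth > 0 and info.file_size <= MAX_NESTED:
                hits += find_lnk_members(archive.read(info), depth - 1, path + "!")
    return hits


def build_sample():
    """Constructed, benign stand-in for a lure archive (no real shortcut payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("doc.pdf", LNK_MAGIC + b"\x00" * 56)  # shortcut header, misleading name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("Invoice.LNK", b"not really a shortcut")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_lnk_members(build_sample()):
        print(f"{path}: {reason}")
```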

Maverick aims to steal banking credentials. It monitors active browser tabs for URLs belonging to major Latin American banks, including Banco do Brasil, Itaú, Bradesco, Caixa Econômica Federal, and Santander Brasil. When it detects a matching URL, the malware injects malicious scripts. These scripts display fake login forms, manipulate legitimate transactions, log keystrokes, and capture screenshots. Maverick communicates with its command-and-control (C2) server using HTTP POST requests, often routed through compromised legitimate websites to hide the server’s true location.

Trend Micro first documented Maverick and attributed it to “Water Saci.” Ongoing analysis by other security firms highlights the malware’s evolution. Sophos suggests Maverick could be a new Coyote variant. CyberProof notes Maverick’s more advanced User Account Control (UAC) bypass techniques and refined WhatsApp Web self-propagation. This continuous development shows banking Trojans targeting Brazil remain persistent and adaptable.

Maverick’s emergence, shared characteristics, and advanced propagation techniques present a persistent threat to Brazilian banking customers.

  • Update operating systems and applications regularly.
  • Exercise extreme caution with unsolicited attachments received via messaging platforms like WhatsApp.
  • Verify the sender and content of any suspicious files before opening.