A sophisticated banking Trojan named Maverick has emerged in Brazil, leveraging WhatsApp as its primary distribution channel to compromise hundreds of users.
The malware campaign was detected in mid-October 2025, with security solutions blocking over 62,000 infection attempts in just the first ten days of the month.
The threat specifically targets Brazilian users through Portuguese-language messages containing malicious ZIP archives that bypass WhatsApp's security filters.
The infection mechanism begins when victims receive a seemingly legitimate message on WhatsApp, often disguised as a bank notification or an important document.
These messages contain compressed ZIP files housing a weaponized .LNK file that initiates the attack chain. Once opened, the malware executes a complex sequence of commands through cmd[.]exe and PowerShell, contacting command-and-control servers with carefully validated authentication protocols to download additional payloads.
The entire infection process operates in a fully fileless manner, meaning all malicious components load directly into memory without writing files to disk, which significantly complicates detection efforts.
Securelist researchers identified the malware as sharing substantial code similarities with Coyote, another Brazilian banking Trojan documented in 2024, though Maverick represents a distinct and more advanced threat.
The researchers noted that the malware employs artificial intelligence in its code-writing process, particularly for certificate decryption mechanisms and general development workflows.
This represents a concerning evolution in malware development techniques, where threat actors leverage AI tools to enhance their capabilities and evade conventional security measures.
Infection chain (Source: Securelist)
The banking Trojan implements geographic targeting by verifying the victim's timezone, system language, region settings, and date formats to confirm a Brazilian location before activating.
If these checks fail, the malware terminates execution, hindering analysis by researchers in other countries.
Once confirmed, Maverick deploys comprehensive surveillance capabilities including screenshot capture, browser monitoring, keylogging, mouse control, and overlay phishing pages designed to steal banking credentials from 26 Brazilian financial institutions, six cryptocurrency exchanges, and one payment platform.
Propagation Through Compromised WhatsApp Accounts
Perhaps the most alarming aspect of Maverick is its self-propagation mechanism, which transforms infected devices into distribution nodes.
The malware uses WPPConnect, an open-source WhatsApp Web automation project, to hijack compromised accounts and automatically send malicious messages to the victim's contact list.
This worm-like behavior creates exponential spread potential through one of the world's most popular messaging platforms.
The command-and-control infrastructure demonstrates advanced operational security through multiple validation layers.
The C2 server authenticates each request using HMAC-256 signatures with the key "MaverickZapBot2025SecretKey12345" and validates User-Agent headers to ensure connections originate from the malware itself rather than from security tools.
The API endpoints use encrypted shellcode wrapped with Donut loaders, employing XOR encryption where the decryption key is stored in the final bytes of each downloaded binary.
The decryption algorithm reads the last 4 bytes, which indicate the key size, walks backward through the file to locate the encryption key, and applies XOR operations across the entire payload.
This encryption scheme, combined with heavy code obfuscation using Control Flow Flattening techniques, significantly hampers reverse engineering efforts.
```powershell
# Decryption process: the last 4 bytes hold the key size, the key sits just before them
$keySize  = [BitConverter]::ToInt32([byte[]]$binary[-4..-1], 0)
$keyStart = $binary.Length - 4 - $keySize
$xorKey   = $binary[$keyStart..($keyStart + $keySize - 1)]
# Everything before the key is the encrypted payload; XOR it with the repeating key
[byte[]]$payload = for ($i = 0; $i -lt $keyStart; $i++) { $binary[$i] -bxor $xorKey[$i % $keySize] }
```
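For analysts unpacking a downloaded blob, the same trailer-keyed XOR layout can be decoded outside PowerShell. The following is an added example, not code from the article or from the malware: it builds a constructed sample blob in the described layout (encrypted payload, then key, then a 4-byte little-endian key size), recovers the key by walking back from the trailer, and rejects trailers that do not fit the file. Repeating-key XOR and little-endian byte order are assumptions.

```python
import struct

def build_blob(payload: bytes, key: bytes) -> bytes:
    """Constructed sample in the article's layout:
    [XOR-encrypted payload][key][4-byte LE key size]."""
    encrypted = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return encrypted + key + struct.pack("<I", len(key))

def extract_key(blob: bytes):
    """Return (key, payload_end): read the trailing size field and walk
    backward to the key, exactly as the article's algorithm describes."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a size field")
    key_size = struct.unpack("<I", blob[-4:])[0]
    key_start = len(blob) - 4 - key_size
    # Sanity checks an analyst wants before trusting attacker-controlled lengths
    if key_size == 0 or key_start < 0:
        raise ValueError("implausible key size %d for %d-byte blob" % (key_size, len(blob)))
    return blob[key_start:key_start + key_size], key_start

def layout_is_plausible(blob: bytes) -> bool:
    """True when the trailer describes a key that actually fits inside the blob."""
    try:
        extract_key(blob)
        return True
    except ValueError:
        return False

def decrypt_blob(blob: bytes) -> bytes:
    """Recover the plaintext payload (assumed: repeating-key XOR)."""
    key, payload_end = extract_key(blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob[:payload_end]))

if __name__ == "__main__":
    # Constructed sample input; no real Maverick artefact is embedded here
    sample = build_blob(b"constructed sample payload", b"\x13\x37\x42")
    key, _ = extract_key(sample)
    print("key:", key.hex(), "payload:", decrypt_blob(sample))
```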
Kaspersky security products detect the threat with the verdicts HEUR:Trojan.Multi.Powenot.a and HEUR:Trojan-Banker.MSIL.Maverick.gen, providing protection from the initial LNK file through all subsequent infection stages.