Safety researchers have recognized a complicated malware marketing campaign that exploits WhatsApp’s messaging platform to deploy banking trojans focusing on Brazilian monetary establishments and cryptocurrency exchanges.
The self-propagating worm, which emerged on September 29, 2025, demonstrates superior evasion methods and multi-stage an infection chains designed to avoid trendy safety defenses.
The menace has already affected over 400 buyer environments throughout greater than 1,000 endpoints, highlighting the marketing campaign’s widespread attain and effectiveness.
The assault begins when victims obtain a malicious ZIP archive by WhatsApp Net from a beforehand contaminated contact.
The social engineering part is especially intelligent, because the message claims the connected content material can solely be considered on a pc, successfully forcing recipients to obtain and execute the malware on desktop methods reasonably than cellular gadgets.
WhatsApp message despatched from an contaminated WhatsApp contact (Supply – Sophos)
This strategic method ensures the malware operates in an surroundings the place it may set up persistence and deploy its full payload capabilities.
Sophos analysts recognized the malware’s subtle an infection mechanism throughout their investigation of a number of incidents throughout Brazil.
The menace actors exhibit deep understanding of Home windows safety structure and PowerShell capabilities, implementing obfuscation methods that permit the malware to function undetected for prolonged intervals.
The marketing campaign’s technical sophistication suggests involvement of skilled cybercriminals with substantial assets and data of Brazilian banking methods.
Multi-Stage PowerShell An infection Chain
The malware’s execution begins with a malicious Home windows LNK file hidden throughout the ZIP archive. When executed, the LNK file incorporates an obfuscated Home windows command that constructs and runs a Base64-encoded PowerShell command.
An infection chain (Supply – Sophos)
This primary-stage PowerShell script covertly launches an Explorer course of that downloads the next-stage payload from command and management servers, together with hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com, and sorvetenopote[.]com.
The second-stage PowerShell command demonstrates the malware’s defensive evasion capabilities by specific safety management modifications.
Portuguese-language feedback embedded throughout the PowerShell code reveal the creator’s intentions to “add an exclusion in Microsoft Defender” and “disable UAC” (Consumer Account Management).
These modifications create a permissive surroundings the place the malware can function with out triggering safety alerts or requiring person interplay for privileged operations.
The marketing campaign delivers two distinct payloads relying on the contaminated system’s traits: a official Selenium browser automation instrument with matching ChromeDriver, and a banking trojan named Maverick.
The Selenium payload permits attackers to regulate lively browser periods, facilitating WhatsApp internet session hijacking and enabling the worm’s self-propagation mechanism.
In the meantime, the Maverick banking trojan displays browser visitors for connections to Brazilian banks and cryptocurrency exchanges, deploying extra .NET-based banking malware when monetary targets are accessed.
Comply with us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most well-liked Supply in Google.
