"Maverick": New Banking Trojan Spreads via WhatsApp in Brazil

New "Maverick" Banking Trojan Spreads via WhatsApp in Massive Campaign Targeting Brazilian Users

Severity: HIGH
October 6, 2025
Topics: Malware, Phishing, Mobile Security

Impact Scope

  • People Affected: Over 62,000 infection attempts
  • Industries Affected: Finance
  • Geographic Impact: Brazil (national)

Related Entities

  • Products & Tech: WhatsApp, Selenium, PowerShell, WPPConnect
  • Other: Maverick, Coyote

Full Report

Executive Summary

A new, highly evasive banking Trojan named Maverick is at the center of a massive malware campaign targeting financial users in Brazil. Researchers at Kaspersky reported on October 5, 2025, that the Trojan is being distributed through WhatsApp, using malicious LNK files concealed in ZIP archives to infect victims. The entire attack chain is fileless, operating in-memory to thwart traditional antivirus detection. Maverick's primary goal is to steal credentials for a wide range of Brazilian financial institutions and cryptocurrency exchanges. It also employs a potent self-propagation mechanism, using the victim's own WhatsApp account to spread to their contacts, leading to exponential growth in infections, with over 62,000 attempts blocked in early October alone.

Threat Overview

The Maverick campaign is notable for its sophisticated delivery and execution. The use of LNK files within ZIP archives is a clever tactic to bypass WhatsApp's filtering of executable files. Once a user is tricked into opening the shortcut, a fileless infection chain is initiated. The malware is modular and uses multiple layers of obfuscation to hide its true purpose. Researchers also noted that the code shows signs of being developed with the assistance of AI, suggesting a potential trend in malware development. The Trojan's ultimate goal is financial theft through credential harvesting.

Technical Analysis

Maverick employs a multi-stage, fileless infection process:

  1. Initial Access (T1204.002 - User Execution: Malicious File): The victim receives a ZIP file via WhatsApp. Inside is a malicious LNK shortcut file that, when clicked, executes a PowerShell command.

  2. Execution (T1059.001 - PowerShell): The initial PowerShell script downloads and executes the next stage of the malware directly into memory.

  3. Defense Evasion (T1027 - Obfuscated Files or Information): The core payload is a .NET loader that decrypts and executes shellcode. The shellcode itself is generated using the Donut framework, which converts .NET assemblies into position-independent code that can run in memory, making it difficult for security tools to analyze.

  4. Credential Access: The final payload is the banking Trojan itself, which monitors the victim's browser activity and uses web injection or form grabbing to steal credentials for 26 Brazilian banks, six cryptocurrency exchanges, and one payment platform.

  5. Lateral Movement / Propagation (T1566.002 - Spearphishing Link): Maverick's most dangerous feature is its worm-like propagation. It uses the open-source WPPConnect project and the Selenium browser automation framework to programmatically control the victim's active WhatsApp Web session. It then sends the malicious ZIP file to every contact in the victim's address book, rapidly spreading the infection.

Impact Assessment

The Maverick Trojan poses a significant threat to financial users in Brazil:

  • Direct Financial Loss: The primary impact is the theft of banking and cryptocurrency credentials, which can be used to drain victim accounts.
  • Rapid, Uncontrolled Spread: The WhatsApp propagation mechanism allows the malware to spread incredibly quickly through trusted social contacts, making victims unwitting accomplices in the campaign.
  • Evasive Nature: Its fileless, in-memory execution makes it very difficult for traditional, signature-based antivirus solutions to detect and remove.
  • Identity Theft: Beyond financial credentials, the malware could be updated to steal other personal information, leading to broader identity theft.

Cyber Observables for Detection

Detection focuses on the infection vector and in-memory execution.

  • file_name: *.lnk within a .zip. The initial delivery method via WhatsApp.
  • process_name: powershell.exe. Monitor for PowerShell being launched with suspicious arguments, especially from a user clicking an LNK file.
  • process_name: msedgedriver.exe or chromedriver.exe. The Selenium browser driver being launched unexpectedly could indicate the WhatsApp propagation module is active.
  • network_traffic_pattern: Outbound connections from the browser to WPPConnect infrastructure. WPPConnect is used to control WhatsApp Web.

Detection & Response

  • Endpoint Monitoring (AMSI): Use EDR or antivirus solutions that support the Antimalware Scan Interface (AMSI). AMSI provides visibility into script contents (like PowerShell) in memory, allowing for the detection of fileless threats like Maverick.
  • Process Monitoring: Monitor for unexpected processes being launched, particularly browser automation tools like Selenium, or PowerShell scripts being executed by non-administrative users.
  • User Awareness: Since the attack relies on social engineering, user awareness is key. Warn users to be extremely suspicious of unsolicited ZIP files received via WhatsApp, even from trusted contacts.
  • D3FEND Techniques: Employ D3-PA: Process Analysis with a focus on parent-child process relationships to detect explorer.exe spawning PowerShell via an LNK file. Use [`D3-DSA: Dynamic

Timeline of Events

  1. October 5, 2025: Kaspersky researchers publish their findings on the new Maverick banking Trojan.
  2. October 6, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Educate users to be suspicious of unsolicited file attachments, even from known contacts, on messaging platforms like WhatsApp.
  • Use EDR solutions with behavioral detection capabilities to identify fileless attack chains and suspicious process behavior.
  • Configure PowerShell execution policies to be more restrictive, preventing the running of unsigned or untrusted scripts.

D3FEND Defensive Countermeasures

To counter the fileless nature of the Maverick Trojan, organizations must rely on advanced process analysis via an EDR tool with AMSI integration. Security teams should create detection rules that focus on the attack chain's behavior rather than file signatures. Specifically, alerts should be generated when a user opens a .lnk file that spawns a powershell.exe process with encoded commands or download strings. Further, any instance of a browser process (like Chrome or Edge) launching a Selenium WebDriver process (chromedriver.exe, msedgedriver.exe) outside of a legitimate development or testing context should be treated as a high-severity alert, as this is a strong indicator of the WhatsApp propagation module being activated.
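The process-analysis rule described above (a user-opened .lnk leading explorer.exe to spawn powershell.exe with an encoded command or download string, and a Selenium WebDriver starting outside a test context) can be prototyped against Sysmon Event ID 1 (ProcessCreate) records. The following is an added example written for this page; it is not code from the article, from Kaspersky, or from any of the projects named. The field names (ParentImage, Image, CommandLine) are Sysmon's own; the regex, the WebDriver parent allowlist, and the sample events are constructed for illustration and should be tuned to your environment.

```powershell
# Added example (not from the article): parent/child process analysis (D3-PA)
# over Sysmon Event ID 1 records, covering stages 1-2 and 5 of the chain.

# Launch patterns the report calls out: encoded commands and download strings.
# Hypothetical starting list; extend it with what your telemetry shows.
$script:SuspiciousPowerShellPattern = '(?i)(-e(c|nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-Expression|\bIEX\b|FromBase64String)'

# Parents that may legitimately start a Selenium WebDriver on this host
# (constructed allowlist; a build agent or test runner would go here, if any).
$script:AllowedWebDriverParents = @('testhost.exe', 'vstest.console.exe')

function Test-MaverickProcessChain {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Record)
    process {
        $parent = [System.IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
        $image  = [System.IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        $cmd    = [string]$Record.CommandLine

        # Stages 1-2: explorer.exe resolves the clicked .lnk and spawns PowerShell
        # with an encoded command or a download-and-execute string.
        if ($parent -eq 'explorer.exe' -and
            $image -in @('powershell.exe', 'pwsh.exe') -and
            $cmd -match $script:SuspiciousPowerShellPattern) {
            [pscustomobject]@{
                Severity    = 'High'
                Rule        = 'LNK-to-PowerShell (T1204.002 / T1059.001)'
                Parent      = $parent
                Image       = $image
                CommandLine = $cmd
            }
        }

        # Stage 5: a Selenium WebDriver starting outside a known test context is
        # the observable the report ties to the WhatsApp propagation module.
        if ($image -in @('chromedriver.exe', 'msedgedriver.exe') -and
            $parent -notin $script:AllowedWebDriverParents) {
            [pscustomobject]@{
                Severity    = 'High'
                Rule        = 'Unexpected WebDriver launch (WhatsApp propagation)'
                Parent      = $parent
                Image       = $image
                CommandLine = $cmd
            }
        }
    }
}

# Reads live Sysmon ProcessCreate events into the same shape. Requires Sysmon
# and an elevated session; the sample run below does not need it.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
}

# Constructed sample events (not real telemetry): a benign scheduled script, an
# explorer-spawned PowerShell with an encoded argument, and a WebDriver started
# by a browser process. The base64 blob is filler, not a real payload.
$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\backup.ps1' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' },
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Image = 'C:\Users\Public\chromedriver.exe'; CommandLine = 'chromedriver.exe --port=9515' }
)

# Only the second and third records produce findings.
$sampleEvents | Test-MaverickProcessChain | Format-Table Severity, Rule, Parent, Image -AutoSize
```

Running `Get-SysmonProcessCreate | Test-MaverickProcessChain` applies the same two rules to a host's recent events; in production the equivalent logic would live in the SIEM, keyed on the same parent/child and command-line fields.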

A key component of Maverick's execution is its abuse of PowerShell. Organizations can significantly harden their defenses by configuring PowerShell execution policies to prevent untrusted scripts from running. The most secure policy, AllSigned, would prevent Maverick's initial script from running altogether. If that is too restrictive, RemoteSigned can provide a good balance of security and usability. Additionally, enabling PowerShell Script Block Logging and Module Logging (forwarded to a SIEM) provides crucial forensic data and detection opportunities, even if the script itself is fileless. This hardening measure directly disrupts the malware's ability to execute its in-memory payload.
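The hardening steps in the paragraph above, applied and verified from an elevated session, as an added example that is not part of the article. The registry locations are the documented Group Policy paths for Script Block Logging (event 4104) and Module Logging (event 4103); the function names are this example's own. One caveat a practitioner should keep in mind: execution policy governs script files, and Microsoft documents it as a safety feature rather than a security boundary, so the logging settings are what give the SIEM visibility into a command passed on the PowerShell command line.

```powershell
# Added example (not from the article): apply the report's PowerShell hardening
# and read back the resulting state. Run as an administrator.

function Set-PowerShellHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # AllSigned is the report's preferred policy; RemoteSigned is its fallback.
        [ValidateSet('AllSigned', 'RemoteSigned')]
        [string]$ExecutionPolicy = 'AllSigned'
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    if ($PSCmdlet.ShouldProcess('LocalMachine', "Set-ExecutionPolicy $ExecutionPolicy")) {
        Set-ExecutionPolicy -ExecutionPolicy $ExecutionPolicy -Scope LocalMachine -Force
    }

    # Script Block Logging: event 4104 in Microsoft-Windows-PowerShell/Operational
    # records the de-obfuscated script block even when nothing touches disk.
    $sbl = Join-Path $base 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null

    # Module Logging: event 4103 pipeline execution details for every module ('*').
    $ml = Join-Path $base 'ModuleLogging'
    $modules = Join-Path $ml 'ModuleNames'
    New-Item -Path $modules -Force | Out-Null
    New-ItemProperty -Path $ml -Name 'EnableModuleLogging' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $modules -Name '*' -PropertyType String -Value '*' -Force | Out-Null
}

function Get-PowerShellHardeningState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty -Path (Join-Path $base 'ScriptBlockLogging') -ErrorAction SilentlyContinue
    $ml  = Get-ItemProperty -Path (Join-Path $base 'ModuleLogging') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        ModuleLogging      = [bool]$ml.EnableModuleLogging
    }
}

# Preview with -WhatIf first, then apply and confirm.
Set-PowerShellHardening -ExecutionPolicy AllSigned -WhatIf
Set-PowerShellHardening -ExecutionPolicy AllSigned
Get-PowerShellHardeningState
```

Forward the Microsoft-Windows-PowerShell/Operational log to the SIEM once logging is on; 4104 events carry the script block content that a fileless stage otherwise never writes to disk.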

Sources & References

New Maverick banking trojan spreads itself via WhatsApp messages
BleepingComputer (bleepingcomputer.com) October 6, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Malware, Banking Trojan, Maverick, WhatsApp, Fileless, Phishing, Brazil
