WhatsApp Malware Campaign Linked to Banking Trojan Coyote

A new malware campaign using WhatsApp has been linked to a previously disclosed banking trojan called Coyote. The malicious program, dubbed Maverick, targets Brazilian users and banks, with functionality identical to Coyote’s for decrypting and monitoring banking URLs and applications. Both malware strains are written in .NET and include the ability to spread through WhatsApp Web.

The campaign involves two components: a self-propagating malware referred to as SORVEPOTEL that’s spread via the desktop web version of WhatsApp, and a ZIP archive containing the Maverick payload. The malware is designed to monitor active browser window tabs for URLs matching financial institutions in Latin America and to establish contact with a remote server to fetch follow-on commands.

Cybersecurity firms have found code overlaps between Maverick and Coyote, suggesting an evolution of the banking trojan’s propagation methods. The latest findings reveal that Maverick includes anti-analysis techniques to check for reverse engineering tools, as well as features like remote control mechanisms and sophisticated email-based command-and-control infrastructure.

The campaign’s wide reach is driven by WhatsApp’s popularity in Brazil, where over 148 million active users make it a prime target for malicious actors. The link between Water Saci and Coyote points to a broader pattern of aggressive cybercrime tactics within the Brazilian ecosystem.

Source: https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html