A new wave of cyberattacks has been uncovered in Brazil, where a sophisticated banking malware called “Maverick” is spreading through WhatsApp. According to cybersecurity researchers, this malicious software is an upgraded version of the previously known “Coyote” Trojan, and is capable of hijacking browser sessions and stealing sensitive banking data from unsuspecting users.
Malware Spreading Through WhatsApp
A report by CyberProof reveals that both “Maverick” and “Coyote” are developed using the .NET framework and are primarily targeting Brazilian banks and customers. The two malware variants share a similar operational pattern — monitoring banking websites, stealing user credentials, and taking control of active web sessions.
What makes “Maverick” particularly dangerous is its ability to spread through WhatsApp Web. Once a user’s device is infected, the malware automatically sends a malicious ZIP file to all the victim’s WhatsApp contacts. This ZIP file contains the payload that installs “Maverick” on the recipient’s system when opened.
‘Water Saci’ Group Behind the Attack
Cybersecurity firm Trend Micro attributes the attack to a criminal group known as “Water Saci”, which has been using PowerShell and VBScript to hijack WhatsApp Web sessions.
The malware collects browser cookies, authentication tokens, and login data from the infected device, giving hackers unauthorized access to the user’s WhatsApp account — all without triggering any security alerts.
How the Malware Operates
The infection begins when the victim opens a malicious ZIP file that contains a hidden LNK shortcut. As soon as the file is executed, it triggers a command that downloads the real malware from a remote server.
During this process, the malware disables Microsoft Defender and then downloads the main “Maverick” module. Before activating, it verifies that the system is located in Brazil by checking the region, language, and time zone settings.
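As an added example (not code from the CyberProof or Trend Micro reports), the following Python shows how a mail or file gateway could check a ZIP attachment for the Windows shortcut described above, matching on both the file extension and the LNK header bytes and following nested archives. The file names and the sample archive are constructed for the illustration.

```python
import io
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, as laid out on disk.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def find_shortcuts(zip_bytes, max_depth=2):
    """Return (path, reason) for every Windows shortcut in the archive.
    Header bytes are checked as well as the extension, so a shortcut renamed
    to look like a document is still reported; nested ZIPs are followed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "LNK header"))
            elif name.lower().endswith(".lnk"):
                findings.append((name, "LNK extension"))
            elif head[:4] == b"PK\x03\x04" and max_depth > 0:
                inner = archive.read(info)  # nested archive: scan it too
                for path, reason in find_shortcuts(inner, max_depth - 1):
                    findings.append((name + "/" + path, reason))
    return findings


def build_sample():
    """Constructed test archive: one benign file, two disguised shortcuts."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("fatura.pdf", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("leia-me.txt", "constructed benign text")
        z.writestr("comprovante.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("anexo.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_shortcuts(build_sample()):
        print(f"{path}: {reason}")
```

Password-protected entries raise RuntimeError when opened and should be treated as unscannable rather than clean.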
Expanding Targets: From Banks to Hotels
CyberProof has warned that the scope of “Maverick” is no longer limited to the banking sector. The malware has reportedly started targeting the hospitality industry, aiming to steal customers’ financial and booking data.
Advanced Attack Infrastructure
Unlike older trojans, “Maverick” uses a command-and-control (C2) system based on email servers instead of traditional hosted servers. This setup allows hackers to remotely control infected machines, pause or resume attacks in real time, and make detection much harder for security tools.
Expert Warnings
Security analysts believe that the “Maverick” campaign marks a new phase in cybercrime, where attackers are leveraging trusted platforms like WhatsApp and Chrome browser profiles to reach their victims.
With over 148 million WhatsApp users in Brazil, experts warn that the country has become a prime target for large-scale cyberattacks.
Safety Recommendations
- Avoid downloading or opening unknown ZIP files received via WhatsApp or email.
- Always enable Two-Factor Authentication (2FA) for your banking and online accounts.
- Keep antivirus software up to date.
- Report any suspicious activity to your bank or local cybercrime helpline immediately.
The emergence of “Maverick” shows how cybercriminals are evolving beyond traditional phishing attacks. By exploiting communication platforms and browser sessions, they are creating a new layer of risk for global users.
Experts caution that such malware could soon spread beyond Brazil, posing serious threats to international banking systems and digital security networks.
