A new and highly sophisticated malware campaign is leveraging WhatsApp’s messaging platform to launch targeted attacks against Brazilian financial institutions and cryptocurrency exchanges. The self-propagating worm, identified by Sophos analysts, utilizes clever social engineering and a multi-stage infection chain to bypass modern security defenses, infecting over 400 customer environments and thousands of endpoints. The core of the attack lies in forcing users to download and execute a malicious archive on desktop computers, where the malware works to establish persistence and hijack user sessions.
Clever Social Engineering Tricks Victims into Desktop Infection
The attack’s initial vector exploits the trust established between WhatsApp contacts. Victims receive a malicious ZIP archive, typically through WhatsApp Web, from a contact whose account has been previously compromised. The attackers employ a particularly effective piece of social engineering: the message claims that the attached content is only viewable on a computer. This crucial instruction effectively forces recipients to download and execute the malware on desktop systems rather than more protected mobile devices, setting the stage for the full infection. Once the malicious Windows LNK file hidden within the ZIP archive is executed, it begins an obfuscated process to run a Base64-encoded PowerShell command.
A Multi-Stage Infection Chain to Evade Security
Security researchers have detailed the campaign as highly advanced, suggesting the involvement of experienced cybercriminals with a deep understanding of Windows security architecture and banking systems. The infection process is executed in multiple stages to ensure stealth and persistence. A first-stage PowerShell script covertly launches an Explorer process, which then contacts command and control servers, such as zapgrande[.]com, to download the subsequent payload. This second stage is dedicated to defensive evasion, with Portuguese-language comments in the code revealing the author’s intentions to explicitly modify security controls by “add[ing] an exclusion in Microsoft Defender” and “disable[ing] UAC (User Account Control).” These modifications create a permissive environment for the malware to operate undetected and establish a long-term foothold.
FCRF Launches CCLP Program to Train India’s Next Generation of Cyber Law Practitioners
Two-Pronged Payload: Hijacking and Financial Theft
The campaign deploys two distinct and potent payloads, adapting based on the infected system’s characteristics. The first payload is a legitimate Selenium browser automation tool, complete with a matching ChromeDriver. This tool is weaponized by the attackers to control active browser sessions, enabling the hijacking of WhatsApp Web sessions. This capability is key to the worm’s self-propagation mechanism, allowing it to continue spreading to new contacts. The second, and more financially destructive payload, is a banking trojan named Maverick. The Maverick trojan actively monitors browser traffic, specifically looking for connections to Brazilian banks and cryptocurrency exchanges. When a financial target is accessed, the trojan deploys additional .NET-based banking malware, allowing the threat actors to siphon funds.
Widespread Impact Highlights Threat’s Sophistication
Emerged on September 29, 2025, the self-propagating worm has already demonstrated widespread reach and effectiveness, affecting over 400 customer environments and more than 1,000 endpoints. The threat actors’ strategic approach to ensuring the malware operates in an environment where it can establish persistence and deploy its full payload capabilities underscores the campaign’s sophistication. Sophos analysts, who identified the sophisticated infection mechanism during their investigation of multiple incidents across Brazil, highlight this campaign as a major and evolving threat to the nation’s financial stability and digital security.
