
Introduction
Brazil is facing another surge in highly coordinated cyberattacks, and this time the threat is spreading through a platform millions of people trust every day: WhatsApp Web. Security analysts have uncovered a fresh wave of banking malware campaigns that disguise themselves as routine document messages, hiding behind carefully crafted ZIP files that are anything but harmless. Beneath these seemingly normal downloads lie powerful, multi-stage payloads connected to the Maverick and Coyote banking trojans, two infamous malware families now showing unmistakable signs of shared origins. Their goal is simple but devastating: steal financial credentials, hijack online banking sessions, and burrow deep enough into systems that victims may not notice anything until their accounts are drained.
Below is a full breakdown of the campaign, how it works, why it matters, and what these discoveries reveal about the evolution of Brazilian cybercrime groups.
Main Summary
WhatsApp Web as a Stealthy Infection Vector
Threat hunters from CyberProof and multiple research teams have identified a fast-spreading malware campaign distributed through WhatsApp Web. Attackers are sending malicious ZIP files that mimic legitimate communication, often with filenames such as NEW-20251001_152441-PED_561BCF01.zip, engineered to appear routine and harmless. Most targets are Brazilian users, especially those working in finance, hospitality, and trading.
Inside the Disguised ZIP Package
Once downloaded, the ZIP archive contains what looks like a simple PDF document. Instead, it hides a manipulated Windows shortcut file (.LNK) engineered to execute a deeply obfuscated chain of commands. When the victim clicks it, it silently launches cmd.exe, initiating several layers of nested loops and Base64-encoded payloads that build a hidden PowerShell downloader.
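The lure described above can be caught before anyone clicks: a shortcut file carrying a document extension, or document-named content that starts with the Shell Link header. The check below is an added example, not code from the research teams; the archive and its entry names are constructed in memory to mirror the lure, and nothing in it is executed.

```python
"""Inspect a ZIP attachment for Windows shortcut (.LNK) files posing as documents.
Added example with a constructed sample archive; no shortcut target or command
is present in the sample, only the fixed header bytes every .LNK file carries."""
import io
import re
import zipfile

# Fixed prefix of every Shell Link file: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
# "something.pdf.lnk": a document extension used to hide the real .lnk one.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)


def inspect_zip(data: bytes) -> list:
    """Return (entry_name, reason) for every suspicious entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if DOUBLE_EXT.search(name):
                findings.append((name, "document extension followed by .lnk"))
            elif name.lower().endswith(".lnk"):
                findings.append((name, "shortcut file inside a document lure"))
            elif head == LNK_MAGIC:
                # The name claims a document, but the bytes are a shortcut.
                findings.append((name, "LNK header under a non-.lnk name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the lure: a shortcut disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Header bytes padded with zeros; no target path or arguments follow.
        zf.writestr("PED_561BCF01.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"Constructed benign entry")
        zf.writestr("invoice.pdf", LNK_MAGIC + b"\x00" * 60)  # renamed shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_zip(build_sample_zip()):
        print(f"SUSPICIOUS {entry}: {why}")
```

The same header check works on a file already extracted to disk, since Windows hides the .lnk extension in Explorer and the icon is all the user sees.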
Fileless Malware Designed to Evade Detection
The reconstructed PowerShell script reaches out to zapgrande[.]com, pulling down additional malware components that run directly in memory. This fileless approach allows the attack to bypass many endpoint defenses and avoid writing suspicious executables to disk. The trend signals a shift toward stealthier Brazilian banking malware capable of slipping under conventional antivirus radar.
Loader Behavior and Anti-Analysis Techniques
The second-stage payload arrives as a .NET-based loader equipped with anti-sandbox, anti-debugging, and anti-emulation checks. It communicates with multiple command-and-control paths hosted under the same zapgrande infrastructure, each serving modules for credential theft, remote access, screenshot capture, and WhatsApp Web hijacking.
Persistence Achieved Through Startup Scripts
Once the system is compromised, the malware plants batch files in the Startup directory using a format like HealthApp-{GUID}.bat, ensuring the infection reignites after each reboot. These scripts contact sorvetenopote[.]com, acting as a fallback channel when other components fail, and in some cases disabling Microsoft Defender and User Account Control to stay hidden.
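A host-side check for the persistence described above, written as an added example rather than code from the report: it looks in a Startup folder for batch files matching the HealthApp-{GUID}.bat naming pattern or referencing the fallback domain and the Defender and UAC settings the scripts tamper with. The sample folder and its files are constructed in a temporary directory; on a live host, point scan_startup() at the user's or machine's Startup folder.

```python
"""Scan a Windows Startup folder for the HealthApp-{GUID}.bat persistence scripts.
Added example; the Startup folder below is constructed for an offline run and the
sample script contains only inert 'rem' lines, not the real content."""
import re
import tempfile
from pathlib import Path

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Accept the GUID with or without surrounding braces.
PERSISTENCE_NAME = re.compile(r"^HealthApp-\{?" + GUID + r"\}?\.bat$", re.IGNORECASE)

# Content indicators: the fallback channel domain (defanged form re-assembled
# for matching) and the Defender / UAC configuration points the scripts touch.
CONTENT_INDICATORS = {
    "fallback domain": "sorvetenopote.com",
    "Defender tampering": "Set-MpPreference",
    "UAC tampering": "EnableLUA",
}


def scan_startup(startup_dir: Path) -> list:
    """Return one finding per .bat file that matches by name or by content."""
    findings = []
    for path in sorted(startup_dir.glob("*.bat")):
        reasons = []
        if PERSISTENCE_NAME.match(path.name):
            reasons.append("HealthApp-{GUID}.bat naming pattern")
        text = path.read_text(errors="ignore").lower()
        for label, needle in CONTENT_INDICATORS.items():
            if needle.lower() in text:
                reasons.append(label)
        if reasons:
            findings.append({"file": path.name, "reasons": reasons})
    return findings


def build_sample_startup() -> Path:
    """Constructed Startup folder: one mimic of the described script, one benign."""
    folder = Path(tempfile.mkdtemp())
    # Placeholder lines only; nothing here contacts a domain or changes a setting.
    (folder / "HealthApp-{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.bat").write_text(
        "rem constructed placeholder\nrem fallback: sorvetenopote.com\n")
    (folder / "sync-notes.bat").write_text("rem constructed benign script\n")
    return folder


if __name__ == "__main__":
    for hit in scan_startup(build_sample_startup()):
        print(f"PERSISTENCE {hit['file']}: {', '.join(hit['reasons'])}")
```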
Strong Parallels Between Maverick and Coyote Trojans
Research teams analyzing the code discovered numerous similarities between the Maverick and Coyote banking trojans. Both use .NET loaders, multi-layer PowerShell obfuscation, AES-encrypted data lists, and GZIP compression. The overlap extends to targeted financial institutions, including Itaú, Bradesco, Caixa, and Banco do Brasil.
Shared Targets, Shared Infrastructure
Earlier Coyote campaigns focused primarily on corporate banking, while Maverick expanded the target list to hotels and trading firms. The overlapping codebase, identical persistence strategies, and shared command-and-control behavior strongly suggest either code sharing, common developers, or a single threat actor operating multiple malware brands.
AI-Enhanced Code Evolution and Faster Mutation
The current versions show signs of automated code mutation, with researchers speculating that AI-driven obfuscation techniques are in use. This evolution makes every new sample harder to detect, more polymorphic, and more capable of bypassing static malware signatures.
A Growing Threat to Brazilian Financial Security
Security experts caution that
What Undercode Say:
A Coordinated Malware Ecosystem Emerging in Brazil
The patterns observed here point to something far more organized than a single rogue campaign. Brazil has become a laboratory for advanced banking trojans, many of which borrow techniques from global malware families but adapt them to the local financial ecosystem. The Maverick-Coyote overlap is not accidental—it signals a coordinated malware ecosystem where code is modular, shared, and rapidly deployable across different criminal operations.
WhatsApp Web Has Become a High-Trust Attack Surface
Many Brazilians rely on WhatsApp for personal and business communication, making the platform a perfect Trojan horse. Downloading a ZIP file from a colleague or client feels normal to a user, and threat actors exploit this trust brilliantly. The mechanism is simple, the psychological manipulation is powerful, and the distribution scale is massive.
Fileless Malware Represents the Next Stage of Brazilian Cybercrime
Traditional banking trojans relied on visible executables and persistent registry modifications. This new wave operates almost entirely in memory. By running PowerShell payloads that never touch disk, the malware can evade antivirus engines that depend on scanning files. Brazilian banking malware groups are adopting tactics previously reserved for nation-state operators.
Multi-Stage PowerShell Loaders Offer Flexibility
The layered loader approach benefits attackers in several ways. It complicates analysis, allows modules to update independently, and provides redundancy. If one part of the chain fails, another can resume from a backup domain. This redundancy is a hallmark of well-funded cybercrime groups rather than small opportunistic actors.
The Overlap With Coyote Is a Red Flag
Coyote was already considered one of Brazil’s more dangerous banking trojans due to its precision targeting and modular architecture. Seeing Maverick use the same structures means developers are iterating on a shared foundation. This is not competition between malware families; it is collaboration. Either the same developers are behind both, or multiple groups are licensing a core malware kit.
Financial Institutions Must Shift to Behavioral Detection
Static antivirus signatures are becoming useless. Behavioral indicators such as unusual PowerShell execution, unauthorized WhatsApp Web sessions, or outbound traffic to known malicious domains must now trigger immediate response. Banks need to invest in anomaly detection systems that recognize suspicious patterns instead of relying on outdated blocklists.
Remote Hijacking of WhatsApp Web Could Be Devastating
By intercepting session cookies or injecting malicious scripts, attackers can impersonate victims, steal files, or launch social-engineering campaigns from legitimate accounts. This creates a ripple effect, infecting additional users through trusted contacts.
The AI Mutation Trend Is Real
If AI-based mutation engines are being used, Brazilian malware will soon become nearly impossible to detect through static signatures. Each new sample will behave similarly but look entirely different at the code level. This trend pushes defenders into a new era where machine learning and behavioral analytics are no longer optional.
Brazil’s Cybercrime Landscape Is Growing More Sophisticated
The Maverick-Coyote connection shows a shift from isolated attacks to industrialized cybercrime. This is how malware ecosystems form, evolve, and solidify. Without aggressive intervention from financial institutions, threat intelligence teams, and law enforcement, Brazil may see the emergence of a continent-wide cybercrime hub.
🔍 Fact Checker Results
Technical similarities between Maverick and Coyote are confirmed by multiple research teams. ✅
Use of WhatsApp Web for distributing disguised ZIP files has been verified in active campaigns. ✅
Claims of AI-enhanced mutation remain speculative, though strongly supported by behavior patterns. ❌
📊 Prediction
Brazil is likely to see a surge in hybrid social-engineering malware attacks over the next 12 months. 📈
Expect more trojans sharing codebases, more WhatsApp-based propagation, and wider targeting of corporate sectors. 🧩
If AI-assisted obfuscation becomes the norm, defenders will face unprecedented detection challenges. ⚠️
References:
Reported By: cyberpress.org