Executive Summary
In 2024, cybersecurity researchers observed a surge in banking Trojan activity in Brazil, notably from two malware strains named Coyote and Maverick. These Trojans specifically target financial institutions and individual banking customers by using advanced phishing campaigns, malicious email attachments, and fake banking apps to infiltrate devices. Once installed, they deploy credential-stealing modules, monitor browser activity, and intercept authentication data, often leveraging encrypted and east-west network traffic to evade security controls. Maverick is engineered to self-terminate if it detects a target located outside Brazil, indicating a strong geo-targeting component. The campaign’s impact includes stolen banking credentials, financial fraud, and operational disruption for affected users and banks in the region.
The continued advancement and targeted nature of these Brazilian banking Trojans demonstrate a significant evolution in threat actor sophistication, especially toward region-specific attacks. Organizations need to heighten their defenses and monitor emerging tactics as financially motivated cybercrime rises across Latin America.
Why This Matters Now
The proliferation of highly targeted banking malware like Coyote and Maverick in Brazil highlights the urgency for both financial institutions and consumers to adopt enhanced security controls. These Trojans’ refined geo-targeting and evasion techniques exemplify a rapidly evolving threat landscape, potentially foreshadowing similar attacks in other markets. Immediate attention to lateral movement defense, encrypted traffic inspection, and prompt threat detection is critical.
Attack Path Analysis
Attackers began by compromising end-user systems in Brazil through banking Trojan malware distribution, likely via phishing or drive-by downloads. Upon establishing a foothold, the malware escalated privileges to maintain persistence and evade local security controls. The attackers used the infected host to move laterally within the network or cloud environment, seeking access to banking or financial workloads. Once persistent, the malware established command and control channels to communicate with external attacker infrastructure. Sensitive credentials and banking data were then exfiltrated via covert channels. Finally, the impact was financial loss and disruption to Brazilian banking operations.
Kill Chain Progression
Initial Compromise
Description
Users were tricked into running banking Trojan malware, likely via phishing emails or malicious downloads targeting Brazilian systems.
Related CVEs
CVE-2025-0411
CVSS 7.8. A vulnerability in 7-Zip allows remote attackers to execute arbitrary code via double-archived files, bypassing Microsoft's Mark of the Web (MotW) protections.
Affected Products: 7-Zip – < 21.07
Exploit Status: exploited in the wild
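The CVE above describes archives nested inside archives as the vehicle for losing the Mark of the Web. A mail-gateway or endpoint pre-filter that refuses to pass such "double-archived" attachments is the corresponding defensive check. The following Python is an added example written for this page, not code from the page's sources or from 7-Zip; it handles ZIP-in-ZIP only (7z/RAR would need extra libraries), the nesting limit and extension lists are assumptions, and the sample archive is constructed in memory so the script runs offline.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Member extensions treated as executable content (assumed list for this example).
EXEC_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}


@dataclass
class Finding:
    path: str    # member path, inner archives joined with "!/"
    depth: int   # 1 = top-level archive, 2 = archive inside an archive, ...
    reason: str


def _is_zip(data: bytes) -> bool:
    # Local-file-header or (empty archive) end-of-central-directory signature.
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect_archive(data: bytes, depth: int = 1, prefix: str = "",
                    max_depth: int = 5) -> list:
    """Walk a ZIP recursively and report nested archives and executables
    found below the top level. Returns an empty list for non-ZIP input."""
    findings = []
    if not _is_zip(data):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            member = zf.read(info)
            if _is_zip(member):
                findings.append(Finding(name, depth, "nested archive"))
                if depth < max_depth:  # bound recursion against archive bombs
                    findings.extend(inspect_archive(member, depth + 1,
                                                    name + "!/", max_depth))
            elif ext in EXEC_EXT and depth >= 2:
                findings.append(Finding(name, depth,
                                        "executable inside nested archive"))
    return findings


def verdict(data: bytes) -> str:
    """Policy decision for a gateway: block double-archived executables,
    quarantine any other nested archive, otherwise allow."""
    reasons = {f.reason for f in inspect_archive(data)}
    if "executable inside nested archive" in reasons:
        return "block"
    if "nested archive" in reasons:
        return "quarantine"
    return "allow"


def build_sample() -> bytes:
    """Constructed sample: outer ZIP holding an inner ZIP holding a fake .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # Placeholder bytes, not a real executable.
        z.writestr("boleto.exe", b"MZ" + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("boleto.zip", inner.getvalue())
        z.writestr("readme.txt", b"constructed sample")
    return outer.getvalue()


def build_flat_sample() -> bytes:
    """Constructed benign sample: a single-level ZIP with a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample()):
        print(f"depth={f.depth} {f.path}: {f.reason}")
    print("verdict:", verdict(build_sample()))
```

The recursion depth cap matters in practice: a detector that unpacks without a bound can itself be turned into a resource-exhaustion target by deeply nested archives.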
MITRE ATT&CK® Techniques
Phishing
User Execution: Malicious File
Process Injection
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
System Information Discovery
Exfiltration Over C2 Channel
Clipboard Data
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Identity and Access Management - User Authentication
Control ID: 2.1.1
NIS2 Directive – Incident Detection and Response
Control ID: Article 21(2)(d)
GLBA – Implement Access Controls and Monitoring
Control ID: 16 CFR 314.4
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of Coyote and Maverick banking trojans in Brazil, requiring enhanced encrypted traffic monitoring and egress security to prevent financial data exfiltration.
Financial Services
High risk from Brazil-focused banking malware campaigns necessitating zero trust segmentation, threat detection capabilities, and compliance with financial data protection regulations.
Information Technology/IT
Critical infrastructure provider requiring multicloud visibility, anomaly detection systems, and inline IPS capabilities to protect against banking trojan lateral movement attacks.
Computer/Network Security
Must implement advanced threat intelligence, east-west traffic security, and cloud-native security fabric solutions to defend against sophisticated Brazilian banking malware operations.
Sources
- Coyote, Maverick Banking Trojans Run Rampant in Brazil – https://www.darkreading.com/cyberattacks-data-breaches/coyote-maverick-banking-trojans-brazil
- Maverick Banking Malware Spreads Via WhatsApp, Targets Brazilian Banks – https://cyberwarzone.com/2025/11/11/maverick-banking-malware-spreads-via-whatsapp-targets-brazilian-banks/
- Kaspersky unveils Coyote banking Trojan targeting over 60 institutions – https://usa.kaspersky.com/about/press-releases/kaspersky-unveils-coyote-banking-trojan-targeting-over-60-institutions
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks – https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive zero trust segmentation, east-west traffic control, egress policy enforcement, and real-time anomaly detection could have significantly constrained the adversaries by blocking lateral pivots, detecting C2 communications, and stopping data exfiltration at multiple points across the cloud infrastructure.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of abnormal user or network behavior indicative of malware execution.
Control: Zero Trust Segmentation
Mitigation: Limited malware capability to access sensitive workloads or escalate beyond its current role.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized internal movement between workloads and environments.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented or alerted on unauthorized outbound C2 connections.
Control: Encrypted Traffic (HPE) & Cloud Firewall (ACF)
Mitigation: Detected and blocked unauthorized or unencrypted exfiltration.
Centralized monitoring enables rapid detection and remediation of business impact.
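The egress and anomaly controls listed above come down to two concrete checks on connection telemetry: is this workload talking to a destination it is not allowed to reach, and is it doing so on a timer, as C2 beacons do? The Python below is an added example for this page, not code from the page's sources or from any CNSF product; the log format, the allowlist and the jitter threshold are assumptions, and the connection records are constructed (RFC 5737 test addresses) so the script runs offline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed egress allowlist: destination -> permitted ports (constructed).
ALLOWED_EGRESS = {"203.0.113.10": {443}}

# Constructed connection log, one record per line:
# "<epoch> <src> <dst> <dport> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.1.15 203.0.113.10 443 1200
1700000005 10.0.1.15 198.51.100.7 443 300
1700000065 10.0.1.15 198.51.100.7 443 310
1700000125 10.0.1.15 198.51.100.7 443 305
1700000185 10.0.1.15 198.51.100.7 443 298
1700000200 10.0.1.22 203.0.113.10 443 5000
"""


def parse_log(text: str) -> list:
    """Parse the assumed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the pipeline
        ts, src, dst, dport, nbytes = parts
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def unauthorized_egress(records: list) -> set:
    """Return (src, dst, dport) triples not covered by the allowlist."""
    hits = set()
    for r in records:
        if r["dport"] not in ALLOWED_EGRESS.get(r["dst"], set()):
            hits.add((r["src"], r["dst"], r["dport"]))
    return hits


def beaconing(records: list, min_conns: int = 4, max_jitter: float = 0.2) -> list:
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    max_jitter is the allowed coefficient of variation (stdev / mean)."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = []
    for pair, times in sorted(by_pair.items()):
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unauthorized egress:", sorted(unauthorized_egress(recs)))
    print("beaconing pairs:", beaconing(recs))
```

Either check alone is weak: an allowlist misses C2 hidden behind a permitted CDN, and the periodicity test misses low-volume or randomly jittered beacons. Running both over the same flow records, and alerting when they agree, is the practical version of the "egress policy enforcement plus anomaly detection" pairing the section describes.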
Impact at a Glance
Affected Business Functions
- Online Banking
- Customer Account Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of customer banking credentials and personal information due to malware interception of online banking sessions.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and least privilege policies to limit lateral movement from any compromised endpoint or user.
- Enforce strict egress filtering and encrypted traffic analysis to detect and block outbound C2 or data exfiltration from workloads and user devices.
- Deploy anomaly detection and threat analytics to surface early indicators of compromise or suspicious privileged activities.
- Enhance east-west workload security and microsegmentation across cloud and hybrid infrastructure for proactive containment.
- Centralize multicloud visibility, policy enforcement, and incident response capabilities to minimize attack dwell time and business impact.