Executive Summary
In October and November 2025, security researchers reported a new banking malware family called Maverick targeting users in Brazil through malicious WhatsApp messages. Maverick shares code with the known Coyote strain, is written in .NET, and specifically targets customers of major Brazilian banks. The malware tricks the victim into running it, then monitors the browser for visits to targeted banking sites, intercepts credentials, and gives the operators real-time visibility into financial transactions to facilitate fraud. The campaign shows how financially motivated actors are using popular messaging platforms as an infection vector, riding on end-to-end encrypted delivery that network security controls cannot inspect.
The incident is part of a rising trend of banking malware that combines encrypted delivery channels with social engineering, which undermines security models built on inspecting traffic at the perimeter. It highlights the need for organizations, particularly in financial services, to invest in endpoint and behavioural detection, segmentation, and egress control to limit the impact of threats that arrive over channels they cannot decrypt.
Why This Matters Now
Banking-focused malware like Maverick threatens the security of financial transactions by exploiting widely used platforms such as WhatsApp, making detection and response challenging. With attackers continuously adapting malware to evade controls and hijack user sessions, proactive measures are urgently needed to protect digital banking customers and meet stringent regulatory compliance requirements.
Attack Path Analysis
The attack began with delivery of the Maverick banking malware through WhatsApp messages to Brazilian users. Once the victim executed it, the malware ran in the victim's own user context, which is all it needs to watch the browser and reach the banking applications the user is logged into; no privilege escalation was required. Rather than moving laterally across a corporate network, Maverick propagated through the victim's WhatsApp contacts: it abused the victim's active WhatsApp Web session to send itself onward, the worm-like behaviour described in the Sophos source below. The malware established outbound command and control to receive operator instructions and exfiltrate banking session data, including credentials and session tokens. With that material, the adversary hijacked banking sessions to push fraudulent transactions, resulting in financial theft and reputational harm.
Kill Chain Progression
Initial Compromise
Description
Victims received a WhatsApp message carrying the Maverick malware and were socially engineered into opening it.
MITRE ATT&CK® Techniques
T1566.001 Phishing: Spearphishing Attachment
T1189 Drive-by Compromise
T1059.005 Command and Scripting Interpreter: Visual Basic
T1027 Obfuscated Files or Information
T1110.001 Brute Force: Password Guessing
T1550.004 Use Alternate Authentication Material: Pass the Cookie
T1071.001 Application Layer Protocol: Web Protocols
T1185 Browser Session Hijacking
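Two of the techniques listed above, Pass the Cookie and Browser Session Hijacking, turn a stolen session token into a usable banking session. The example below is added here to show the server-side control that limits that: bind each session to the coarse client context that created it (source prefix plus user agent) and alert when the same session identifier is presented from a different context, especially concurrently. It is not code from the page's sources or any bank; the log fields and the sample requests are constructed for the demonstration. This check catches a cookie replayed from the attacker's own machine; it does not catch manipulation carried out inside the victim's browser on the infected endpoint, which needs endpoint detection.

```python
"""Added example (not from the page or its sources): detect stolen-cookie
replay by binding a session to the client context that created it.

Assumption (hypothetical): an application log exporting one record per
authenticated request with fields ts, session_id, src_ip, user_agent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hashlib


@dataclass(frozen=True)
class Request:
    ts: int            # unix seconds
    session_id: str
    src_ip: str
    user_agent: str


def context_fingerprint(src_ip: str, user_agent: str) -> str:
    """Bind a session to a coarse client context: the /24 (IPv4) or /64 (IPv6)
    of the source address plus the user agent. Coarse on purpose: a carrier
    reassigning an address inside the same prefix should not log the customer
    out, but a replay from another network should stand out."""
    ip = ip_address(src_ip)
    plen = 24 if ip.version == 4 else 64
    prefix = ip_network(f"{src_ip}/{plen}", strict=False)
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()[:16]


def detect_cookie_replay(requests, max_travel_seconds=300):
    """Return (session_id, ts, reason) alerts, in time order.

    A session is bound to the fingerprint of the first request that presented
    it. A later request with a different fingerprint is a replay candidate;
    if it also arrives within max_travel_seconds of activity from the original
    context, the session is being used from two places at once."""
    bound = {}      # session_id -> (fingerprint, last_ts_seen_from_original)
    alerts = []
    for r in sorted(requests, key=lambda x: x.ts):
        fp = context_fingerprint(r.src_ip, r.user_agent)
        if r.session_id not in bound:
            bound[r.session_id] = (fp, r.ts)
            continue
        orig_fp, orig_last = bound[r.session_id]
        if fp == orig_fp:
            bound[r.session_id] = (orig_fp, r.ts)
            continue
        reason = "session presented from new client context"
        if r.ts - orig_last <= max_travel_seconds:
            reason = "concurrent use from two client contexts"
        alerts.append((r.session_id, r.ts, reason))
    return alerts


# Constructed sample traffic (not real logs). s1: cookie replayed from a
# scripted client one minute after the real user; s2: same user, address
# moved inside the same /24; s3: cookie reused hours later from elsewhere.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
SAMPLE_REQUESTS = [
    Request(1700000000, "s1", "177.10.5.20", CHROME),
    Request(1700000060, "s1", "45.33.2.9", "python-requests/2.32"),
    Request(1700000100, "s2", "201.1.1.5", CHROME),
    Request(1700003700, "s2", "201.1.1.99", CHROME),
    Request(1700000200, "s3", "189.40.7.3", CHROME),
    Request(1700007400, "s3", "91.200.1.4", "Mozilla/5.0 (X11; Linux) Firefox/128.0"),
]


def run_sample():
    return detect_cookie_replay(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for sid, ts, reason in run_sample():
        print(f"{ts} {sid}: {reason}")
```

In production the fingerprint is stored with the session at login and the comparison happens on every request, so a mismatch can be answered by forcing re-authentication (or a step-up challenge for transactions) rather than only raising an alert after the fact.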
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authenticate Access to System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Program
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Enforce Robust Credential and Session Protections
Control ID: Identity Pillar: Credential and Session Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of Maverick malware through WhatsApp distribution, enabling session hijacking, credential theft, and unauthorized banking transactions requiring enhanced egress security.
Financial Services
Critical exposure to .NET-based banking malware targeting Brazilian financial institutions, necessitating zero trust segmentation and encrypted traffic protection for customer data.
Telecommunications
Abuse of WhatsApp as a delivery and propagation channel exposes messaging providers and carriers to traffic they cannot inspect, calling for threat detection at the endpoint and at network egress and for secure hybrid connectivity that does not rely on decrypting the channel.
Information Technology/IT
Browser session hijacking techniques demand comprehensive security fabric implementation including inline IPS, anomaly detection, and multicloud visibility for enterprise protection.
Sources
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks: https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
- Maverick Banking Malware Spreads Via WhatsApp, Targets Brazilian Banks: https://cyberwarzone.com/2025/11/11/maverick-banking-malware-spreads-via-whatsapp-targets-brazilian-banks/
- WhatsApp Worm Targets Brazilian Banking Customers: https://news.sophos.com/en-us/2025/10/10/whatsapp-worm-targets-brazilian-banking-customers/
- Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution: https://securelist.com/maverick-a-new-banking-trojan-abusing-whatsapp-in-a-mass-scale-distribution/109123/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF capabilities such as network segmentation, strict egress policy, encrypted traffic enforcement, and layered threat detection would have limited malware propagation, prevented unauthorized outbound data transfer, and enabled rapid detection and containment of the Maverick attack. Zero Trust controls further restrict lateral movement and session hijacking within the cloud perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of anomalous user or device activity related to malware delivery.
Control: Zero Trust Segmentation
Mitigation: Limits the scope of compromised credentials and session abuse.
Control: East-West Traffic Security
Mitigation: Restricts unauthorized internal communication and lateral spread.
Control: Egress Security & Policy Enforcement
Mitigation: Automated blocking of unapproved outbound C2 communications.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Detects and blocks unusual outbound data flows and signatures.
Rapid detection, segmentation, and automated response together minimize the damage.
Impact at a Glance
Affected Business Functions
- Online Banking
- Customer Support
- Fraud Detection
Estimated downtime: 5 days
Estimated loss: $5,000,000
Potential exposure of customer banking credentials, personal information, and financial data due to credential theft and session hijacking.
Recommended Actions
Key Takeaways & Next Steps
- Implement network-wide Zero Trust segmentation to contain malware to its initial entry point and prevent lateral spread.
- Enforce strong egress security policies with centralized FQDN and IP filtering to block C2 and exfiltration traffic.
- Enable inline IPS and anomaly detection for real-time monitoring and automated response to suspicious activity and malware indicators.
- Ensure robust encryption for all data in transit, especially between workloads, to mitigate credential theft and session hijacking.
- Maintain continuous multicloud visibility and incident response readiness to quickly isolate infected sessions and restore operations.
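The egress recommendation above (default-deny outbound traffic with centralized FQDN and IP filtering) is easy to state and easy to get wrong, so the following added example shows what the policy decision actually looks like when run over a flow log. It is not code from the page's sources or from any CNSF product; the log line format, the host-group naming and the sample lines are constructed. It makes two points a practitioner should check: a destination reached by bare IP never matches an FQDN allow list and is therefore blocked by default, and repeated blocked connections to the same destination at a near-constant interval are worth surfacing as beaconing rather than counting as independent blocks.

```python
"""Added example (not from the page or its sources): evaluate outbound
connections against a per-host-group FQDN allow list and flag beaconing.

Assumptions (hypothetical): log lines of the form
"<unix_ts> <src_host> <dst_fqdn_or_-> <dst_ip> <bytes_out>", and host groups
derived from the hostname prefix (web-01 -> web).
"""
import re
from collections import defaultdict
from fnmatch import fnmatch

# Default-deny egress: only listed destinations may be reached per group.
# Names are placeholders for the demonstration.
EGRESS_POLICY = {
    "web":  ["*.example-bank.br", "ocsp.example-ca.org"],
    "db":   [],                                   # no direct internet egress
    "mgmt": ["updates.example-vendor.com"],
}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def host_group(hostname: str) -> str:
    return hostname.split("-", 1)[0]


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, host, fqdn, ip, nbytes = m.groups()
    return {"ts": int(ts), "host": host, "fqdn": fqdn, "ip": ip, "bytes": int(nbytes)}


def decision(rec: dict) -> str:
    """ALLOW only if the destination FQDN matches the group's allow list.
    A bare-IP destination ("-" in the FQDN field) has nothing to match and is
    blocked; connections that bypass DNS are a classic C2 pattern."""
    allowed = EGRESS_POLICY.get(host_group(rec["host"]), [])
    if rec["fqdn"] == "-":
        return "BLOCK"
    return "ALLOW" if any(fnmatch(rec["fqdn"], pat) for pat in allowed) else "BLOCK"


def evaluate(lines):
    """Return (decisions, beacons).

    decisions: (host, destination, ALLOW|BLOCK) per line, in input order.
    beacons: (host, dst_ip, interval_s) for any host that hit the same blocked
    address four or more times with inter-arrival jitter under 10 percent."""
    decisions = []
    blocked_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        d = decision(rec)
        dst = rec["fqdn"] if rec["fqdn"] != "-" else rec["ip"]
        decisions.append((rec["host"], dst, d))
        if d == "BLOCK":
            blocked_times[(rec["host"], rec["ip"])].append(rec["ts"])
    beacons = []
    for (host, ip), times in blocked_times.items():
        if len(times) < 4:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if max(gaps) - min(gaps) <= 0.1 * mean:
            beacons.append((host, ip, round(mean)))
    return decisions, beacons


# Constructed sample log (not real traffic): one allowed bank connection, a
# 60-second bare-IP beacon from web-01, a DB host trying to reach the
# internet, and a permitted vendor update from a management host.
SAMPLE_LOG = [
    "1700000000 web-01 www.example-bank.br 198.51.100.10 812",
    "1700000000 web-01 - 203.0.113.7 240",
    "1700000060 web-01 - 203.0.113.7 236",
    "1700000120 web-01 - 203.0.113.7 244",
    "1700000180 web-01 - 203.0.113.7 241",
    "1700000030 db-01 api.example.net 192.0.2.55 5120",
    "1700000045 mgmt-01 updates.example-vendor.com 198.51.100.77 90210",
]


def run_sample():
    return evaluate(SAMPLE_LOG)


if __name__ == "__main__":
    decisions, beacons = run_sample()
    for host, dst, d in decisions:
        print(f"{d:5} {host} -> {dst}")
    for host, ip, interval in beacons:
        print(f"BEACON {host} -> {ip} every ~{interval}s")
```

FQDN filtering only works when the enforcement point can see the name the client resolved (via its own resolver, a forwarding proxy, or TLS SNI); if clients can reach arbitrary resolvers or encrypted DNS endpoints, the allow list degrades to IP filtering, which is why DNS egress itself belongs in the policy.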