Cybersecurity researchers uncover malware targeting Brazilian users via WhatsApp Web

Cybersecurity firms CyberProof, Trend Micro, Sophos, and Kaspersky believe Maverick attacks WhatsApp web users by combining Visual Basic Script and PowerShell with browser automation to hijack accounts and send malicious ZIP archives to contacts.

CyberProof’s SOC team investigated an incident where a suspicious file was downloaded through WhatsApp’s web interface. The file was a ZIP archive named NEW-20251001_152441-PED_561BCF01.zip. 

They recovered hashes SHA1 aa29bc5cf8eaf5435a981025a73665b16abb294e and SHA256 949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de. When victims execute a shortcut (LNK) inside the archive, it deobfuscates code to build and run either cmd or PowerShell, and the commands contact an attacker server to fetch the first stage payload.

Maverick malware loader hidden through classic obfuscation

According to a blog post published last Monday by the CyberProof research team, the loader has split tokens combined with Base64 and UTF‑16LE encoded PowerShell. It checks for reverse‑engineering tools, and if analysts are present, the loader self‑terminates. Otherwise, it downloads a worm called SORVEPOTEL and a banking trojan known as Maverick.

Trend Micro first documented Maverick, the banking trojan that monitors web activity, early last month, and linked it to an actor it calls Water Saci. SORVEPOTEL is a self‑propagating malware that spreads via WhatsApp Web by delivering the ZIP archive that carries malicious code. 

Maverick scans active browser tabs for URLs that match a hard‑coded list of Latin American financial institutions from Brazil. If a match appears, the trojan fetches follow‑on commands from a remote server and requests system data to send phishing pages meant to harvest credentials.

Anti-virus software company Kaspersky’s security team detected several code overlaps between Maverick and an older banking malware called Coyote. British security software Sophos said there is a possibility Maverick is an evolution of Coyote, but Kaspersky treats Maverick as a distinct threat to Brazil-based WhatsApp web users.

How Maverick hijacks WhatsApp web

CyberProof’s research stated that the campaign avoids .NET binaries in favor of VBScript and PowerShell. The ZIP archive contains an obfuscated VBScript downloader named Orcamento.vbs, which researchers tie to SORVEPOTEL. 

The VBScript executes a PowerShell command that runs tadeu.ps1 directly in memory, while PowerShell payload automates Chrome via ChromeDriver and Selenium. It takes over the victim’s WhatsApp Web session and distributes the malicious ZIP to all contacts.

The malware terminates any running Chrome processes and copies the legitimate Chrome profile to a temporary workspace before sending any messages. 

“This data includes cookies, authentication tokens, and the saved browser session, and allows the malware to bypass WhatsApp Web’s authentication to give a hacker immediate access to the victim’s WhatsApp account without any security alerts or QR code scanning,” American-Japanese cyber security software company Trend Micro surmised.

The script, after taking control of the Web app, displays a deceptive banner labeled “WhatsApp Automation v6.0” to hide its ongoing operations activity. The PowerShell code retrieves message templates from a command‑and‑control (C2) server and exfiltrates the victim’s contact list. 

The propagation loop iterates through every harvested contact before sending each message and after checking if the C2 has issued a pause command. Messages are personalized by substituting variables with time‑based greetings and contact names.

Trend Micro notes the campaign uses a sophisticated remote C2 that supports real‑time management. Operators can pause, resume and monitor propagation to run coordinated operations in infected hosts. 

Maverick Malware only deploys after confirming client is in Brazil 

Cyberproof and Trend Micro confirmed that Maverick installs only after confirming the host is in Brazil through checking the time zone, language, system region, and date and time format. The latter company also found that the chain restricts execution to Portuguese‑language systems. 

The C2 infrastructure includes email‑based channels, according to Trend Micro’s report, adding to its redundancy while making it hard to detect. CyberProof also found evidence the malware singled out hotels in Brazil. The security firms feared the actor may broaden its objectives to the hospitality industry, well frequented by targets of high value.

VirusTotal searches helped the team collect related samples and tie their findings to public research from Kaspersky, Sophos and Trend Micro. Yet, security firm CyberProof’s incident analysis revealed that the full infection chain could not be observed because files from the C2 failed to deliver during its investigation.

Join Bybit now and claim a $50 bonus in minutes