Bank attack via WhatsApp Web - Maverick
- Security Team

- Nov 13
- 2 min read


Since the beginning of October 2025, ICS Labs has identified a massive campaign spreading banking malware called Maverick, with over 62,000 observed attacks targeting Brazil. The threat combines advanced social engineering, fileless execution, and automatic propagation via WhatsApp, affecting both home users and corporate environments.
Threat overview:
The infection begins when the victim receives a WhatsApp message containing a compressed file (.zip) disguised as proof of purchase, an invoice, or a receipt.
Inside the archive is a Windows shortcut (.lnk) that, when executed, launches PowerShell with obfuscated Base64-encoded code responsible for downloading and executing additional components directly in memory, without writing malicious files to disk.
Maverick performs a regional check (time zone, language, and date format) to ensure the target is located in Brazil, and then replicates itself to the system's startup folders, establishing persistence and connection with C2 (Command and Control) servers.
From there, the malware monitors banking activities, as well as capturing keystrokes, screenshots, and even sensitive data entered on financial websites and applications.
In addition to directly stealing information, Maverick also performs:
- Internal phishing using fake bank login pages;
- Automatic propagation via WhatsApp Web, sending copies of the malware to the victim's contacts;
- Complete remote control of the compromised device, with the potential to deploy additional stealers.
Points of Attention Identified:
- Suspicious PowerShell executions: script block events containing parameters such as -EncodedCommand, -WindowStyle hidden, -nop, -w hidden.
- Anomalous process creation: powershell.exe launched from .lnk files extracted from a .zip.
- In-memory activity: persistent processes without a corresponding binary on disk.
- Unusual network traffic: HTTPS connections to newly registered domains, C2 traffic with the .NET WebClient User-Agent pattern, and possible requests to bare IP addresses.
- Behavior in messaging apps: automated messages or ZIP files sent without the user's knowledge.
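The first two points above can be turned into a simple triage rule. The following Python is an added example, not code from ICS Labs or from any of the cited vendors: it runs over constructed process-creation records (the field names are assumptions modelled loosely on a Sysmon / 4688 export), flags powershell.exe launched with the listed parameters, notes when the parent is explorer.exe (how a double-clicked .lnk appears in telemetry), and decodes -EncodedCommand payloads so the analyst can see the script.

```python
import base64
import re

# Constructed sample events (not real campaign telemetry). Field names are an
# assumption loosely modelled on Sysmon Event ID 1 / Security 4688 exports.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + base64.b64encode("Write-Output 'constructed sample'"
                                   .encode("utf-16-le")).decode()},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\AdminTool\admin.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Parameters the advisory calls out. PowerShell accepts unambiguous prefixes
# (-e, -enc, -w, -nop), so the patterns cover the short forms too.
SUSPICIOUS_FLAGS = [
    r"-e(c|nc|ncodedcommand)?\b",   # -e / -ec / -enc / -EncodedCommand
    r"-w(indowstyle)?\s+hidden",    # -w hidden / -WindowStyle hidden
    r"-nop\b|-noprofile\b",         # -nop / -NoProfile
]

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(ev):
    """Return the list of detection reasons for one process-creation event."""
    reasons = []
    if not ev["image"].lower().endswith("powershell.exe"):
        return reasons
    cmd = ev["cmdline"]
    if any(re.search(f, cmd, re.I) for f in SUSPICIOUS_FLAGS):
        reasons.append("suspicious PowerShell flags")
        # A shortcut opened from Explorer (e.g. an .lnk out of a .zip) shows up
        # as powershell.exe whose parent is explorer.exe; with hidden/encoded
        # flags this is the anomalous process creation the advisory describes.
        if ev["parent"].lower().endswith("explorer.exe"):
            reasons.append("hidden/encoded powershell spawned by explorer.exe")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("decoded: " + decoded)
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggers at least one reason."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = assess_event(ev)
        if reasons:
            flagged.append((i, reasons))
    return flagged
```

An administrative script run with -File and no hiding or encoding (the third sample) produces no alert, which keeps the rule focused on the behaviour the advisory lists rather than on PowerShell use in general.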
Recommended actions:
- Preventive blocking: add the domains and IPs associated with the Maverick campaign to firewalls, proxies, and DNS filters.
- Containing compromised hosts: isolate suspicious machines and perform a memory capture before rebooting, to preserve the in-memory execution artifacts.
- Immediate awareness: alert employees about the scam, emphasizing the risk of opening .zip attachments or .lnk shortcuts received via WhatsApp.
Strengthening and Prevention Measures:
- Execution control: apply AppLocker or Windows Defender Application Control (WDAC) to block unsigned scripts.
- Continuous monitoring: create specific alerts for connections to newly created domains, hidden PowerShell windows, and processes started via .lnk shortcuts.
- Security updates: keep Windows, browsers, and antivirus software up to date; enable reputation protection and in-memory behavioral scanning.
IOCs:

| Indicator | Type |
|---|---|
| casadecampoamazonas[.]com | Domain |
| sorvetenopote[.]com | Domain |
| 181[.]41[.]201[.]184 | IP |
| https[://]zapgrande[.]com/api/v1/19230d53a96d4facbead047f645e02b8 | URL |
| https[://]zapgrande[.]com/api/v1/252d6ed3bb6d49228181a1: | URL |
Latest updates:
- September 29, 2025: according to the Sophos investigation, this date marks the beginning of the malicious campaign;
- October 3, 2025: alert from TrendMicro describing technical details of the PowerShell script used;
- October 10, 2025: Sophos publishes research and recommendations on how to detect and respond to the threat;
- October 15, 2025: in-depth technical disclosure from Kaspersky, documenting the threat's execution chain;
- End of October 2025: coverage from non-specialized media and advice for banks and companies;
- November 2025: further analysis from The Hacker News and variant tracking, reported by Cyber Press.