Maverick Malware — a new and highly sophisticated banking malware — has emerged as one of the most alarming cyber-threats of 2025, specifically targeting customers of Brazil’s largest financial institutions. Cybersecurity researchers have warned that the malware spreads through WhatsApp Web, hijacks browser sessions, and steals sensitive banking credentials using advanced automation techniques.
Designed as a multi-stage infection chain with strong evasion capabilities, Maverick represents a new wave of self-spreading financial malware that combines social engineering, browser manipulation, and automated account takeover. Its rapid spread among Brazilian users has made it a serious concern for financial regulators and cybersecurity agencies.
How the Attack Begins?
The infection typically starts with a malicious message sent through WhatsApp — not from unknown numbers, but directly from a user’s trusted contact. This is what makes the attack extremely convincing. Once a device is compromised, Maverick automatically sends infected files to the victim’s entire contact list, appearing as a normal personal message.
Victims receive a ZIP file with names resembling legitimate financial documents such as:
Inside this ZIP file lies a disguised Windows shortcut (.LNK file). When a user clicks on it, it silently launches a PowerShell command that downloads the first-stage payload from a remote server controlled by the attackers.
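The ZIP-wrapped shortcut is the one artifact in this chain that a mail or messaging gateway can inspect before anyone clicks. The following is an added defender-side example, not code from the original article or from the researchers it cites: it opens an archive in memory and flags any member that is a Windows shell link, judged both by extension and by the fixed LNK header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to ".pdf" is still caught. The sample archive, its file names and the header-only "shortcuts" inside it are constructed for the demonstration; the document-extension list is an assumption, not a published indicator.

```python
import io
import zipfile
from pathlib import PurePosixPath

# A Windows shell link starts with HeaderSize (0x0000004C, little-endian)
# followed by the LinkCLSID 00021401-0000-0000-C000-000000000046 as a
# little-endian GUID. Together these 20 bytes identify an .LNK regardless
# of the file name it carries.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions attackers like to put in front of the real one (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a shell link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            if suffixes and suffixes[-1] == ".lnk":
                reasons.append("lnk-extension")
            if head == LNK_MAGIC:
                reasons.append("lnk-header")          # catches renamed shortcuts too
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                reasons.append("double-extension")    # e.g. "Comprovante.pdf.lnk"
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway-style verdict: block the archive if any member is a shell link."""
    return any("lnk-header" in f["reasons"] or "lnk-extension" in f["reasons"]
               for f in inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed test archive; the 'shortcuts' are only the LNK header plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # constructed: shortcut disguised with a double extension
        zf.writestr("Comprovante_Pagamento.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # constructed: shortcut renamed so the extension looks like a document
        zf.writestr("Boleto.pdf", LNK_MAGIC + b"\x00" * 56)
        # constructed: harmless text file that must not be flagged
        zf.writestr("leiame.txt", b"texto inofensivo\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
    print("block archive:", is_suspicious(build_sample_zip()))
```

The header check matters more than the extension check: Windows hides known extensions by default, so a file named "Boleto.pdf" that is really a shell link shows up in Explorer looking exactly like a PDF, and only the bytes give it away.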
WhatsApp Web Hijacking: The Core Weapon
The most dangerous and unique feature of Maverick is its ability to hijack active WhatsApp Web sessions.
Instead of stealing passwords, the malware uses existing browser cookies and session tokens to log in automatically. It does this by:
- Copying the victim’s Chrome browser profile
- Using automation tools like ChromeDriver and Selenium
- Launching a WhatsApp Web session without needing QR code scanning
This means the attackers can impersonate the victim on WhatsApp Web exactly as if they were on the victim’s machine.
Once logged in, the malware sends infected ZIP files to all contacts using customized messages. These messages often include:
- The recipient’s name
- Time-based greetings
- Natural-looking text
This dramatically increases the success rate because receivers think the file came from a real friend or family member.
Targeting Brazil’s Major Banks
While self-propagation is one part of the attack, Maverick’s main objective is financial theft. Once installed, the malware monitors active browser tabs and looks for specific banking URLs. It contains a hardcoded list of major Brazilian banks including:
- Banco do Brasil
- Itaú
- Bradesco
- Caixa Econômica Federal
- Santander Brasil
If it detects a user accessing one of these banks, Maverick connects to its command-and-control server (C2) and can execute a range of malicious actions.
Why Maverick Is Extremely Dangerous?
Several factors make Maverick especially harmful:
✔ Self-spreading capability: It doesn’t rely on mass spam campaigns; instead, it spreads directly through WhatsApp contacts, making infection chains extremely fast.
✔ Highly convincing social engineering: Messages appear to come from real contacts, making victims far more likely to trust them.
✔ Browser session hijacking: By reusing session data instead of stealing passwords, the malware sidesteps controls such as two-factor authentication, because the hijacked session has already passed that check.
✔ Localized precision targeting: Brazil’s banks are attacked with precision, making it a focused and highly effective operation.
✔ Multi-stage stealthy design: From disabling antivirus to using email as C2, the malware is built to avoid detection for long periods.
Conclusion
Maverick represents a new era of malware where messaging platforms, browser automation, and banking fraud come together in a powerful, self-propagating attack. Its ability to hijack WhatsApp Web sessions and spread silently through trusted contacts makes it one of the most dangerous banking threats ever seen in Brazil.
As cybercriminals continue to develop region-specific tools, users and financial institutions must stay alert, strengthen their defenses, and promote cybersecurity awareness to counter such sophisticated threats.
