Maverick WhatsApp Web banking malware targeting Brazil
Malware Activity
Summary
Hide ▲
Show ▼
The Maverick banking malware is actively spreading through WhatsApp Web, increasing the risk of credential theft and contact-list abuse across Brazilian victims. It uses a self-propagating delivery chain to move from infected accounts to new targets and focus on banking URLs. The activity matters because the malware combines propagation, browser-session hijacking, and phishing in a single operation.
Related Happenings
WhatsApp VBScript attachment distribution campaign
Campaign
H score42
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript attachment distribution campaign
CampaignAbout this happening: The active **WhatsApp VBScript** campaign is spreading malicious attachments that can lead to **remote access** on victim systems. It targets **WhatsApp Desktop** and **WhatsApp W...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
H score31
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
TCLBanker self-spreading banking trojan
Malware ActivityAbout this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
JanelaRAT malware activity targeting Latin American banks
Malware Activity
H score29
First: 13.04.2026 20:15
Last: 13.04.2026 20:15
Sources 1
About this happening:
**JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...
JanelaRAT malware activity targeting Latin American banks
Malware ActivityAbout this happening: **JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...
Timeline
-
11.11.2025 20:37 2 articles · 8mo ago
Maverick WhatsApp Web banking malware targets Brazil
Initial DisclosureCyberProof, Trend Micro, Sophos, and Kaspersky described Maverick as a WhatsApp Web-propagated banking trojan linked to Water Saci, with code and behavior overlapping Coyote. The malware targets Brazilian users and banks, monitors banking URLs, delivers payloads through a ZIP archive and a Windows shortcut (LNK) that launches cmd.exe or PowerShell to fetch content from zapgrande[.]com, and can disable Microsoft Defender Antivirus and UAC; CyberProof also saw targeting of hotels in Brazil, while Trend Micro described SORVEPOTEL, an email-based C2 path, and remote pause/resume control.
Show sources
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37
- WhatsApp Malware 'Maverick' Hijacks Browser Sessions to Target Brazil's Biggest Banks — thehackernews.com — 11.11.2025 20:37