Hackers Exploit WhatsApp to Spread Banking Trojan Targeting Financial Institutions

Cybersecurity researchers have uncovered an advanced malware campaign that abuses WhatsApp to distribute a banking Trojan targeting financial institutions and cryptocurrency trading platforms in Brazil.

First detected on September 29, 2025, the malware is classified as a self-replicating worm that uses multi-stage obfuscation to evade modern security controls. It has already infected over 400 organizations and more than 1,000 devices.

How the Attack Begins

The attack starts with a message sent through WhatsApp Web from a contact whose account is already infected. The message carries a malicious ZIP file presented as content that can only be opened on a computer, steering the victim to run it on a Windows PC rather than a phone. This social engineering tactic gives the attackers a more suitable environment for a persistent installation of the malware.

Complex Infection Mechanism

Investigations by Sophos in Brazil revealed a sophisticated infection method that demonstrates deep knowledge of Windows security architecture and PowerShell. The first component to run is a Windows shortcut (LNK) file inside the archive; its target is an obfuscated command that triggers a two-stage PowerShell script.

Stage 1: Spawns a hidden Explorer process that downloads the next payload from the command-and-control (C2) servers.

Stage 2: Disables security controls such as Microsoft Defender and User Account Control (UAC) so the malware can operate without restriction.

Dual Payload: From Espionage to Full Control

Analysis shows the malware delivers one of two payloads depending on the infected system:

A Selenium-based automation tool bundled with ChromeDriver, which lets the attackers take over the victim's active WhatsApp Web session and send the malicious archive to their contacts, propagating the infection further.

The “Maverick” banking Trojan, which monitors browser activity for connections to banks or crypto exchanges and then deploys additional .NET-based malware to steal data or carry out fraudulent transactions.
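The chain described above (a shortcut launching hidden, encoded PowerShell from Explorer, registry changes that switch off Defender and UAC, and a ChromeDriver-driven browser session) leaves a recognisable trail in endpoint telemetry. The following is an added example, written for this page and not code from the article or from the Sophos analysis, of hunting rules that run over constructed Sysmon-style events. The event shape, the sample command lines, the base64 blob and the chromedriver path are all assumptions made for the example; the registry values are the standard Windows policy values for Defender real-time protection and UAC.

```python
import ntpath
import re

# Constructed Sysmon-style events for illustration only (not telemetry from
# the real campaign). id 1 = process creation, id 13 = registry value set.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # The victim double-clicks the LNK extracted from the WhatsApp ZIP;
    # explorer.exe runs the shortcut target: a hidden, policy-bypassing,
    # base64-encoded PowerShell command (stage 1 downloader). Blob is made up.
    {"id": 1, "pid": 5312, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    # Stage 2 disables Defender real-time protection and UAC via the registry.
    {"id": 13, "pid": 5312, "image": PS,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "pid": 5312, "image": PS,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    # Propagation payload: ChromeDriver starts a Chrome it can script (WhatsApp Web).
    {"id": 1, "pid": 6020, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "cmdline": "chrome.exe --remote-debugging-port=0 --user-data-dir=C:\\Users\\ana\\AppData\\Local\\Temp\\scoped_dir6020_1"},
    # Benign control: an interactive admin shell with no hiding/encoding flags.
    {"id": 1, "pid": 7001, "image": PS, "parent_image": r"C:\Windows\System32\WindowsTerminal.exe",
     "cmdline": "powershell.exe -NoLogo"},
]

# PowerShell accepts unambiguous prefixes (-W, -Win, -WindowStyle ...), so
# the patterns match the switch prefix rather than one fixed spelling.
PS_FLAGS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w\w*\s+hidden\b"),
    "exec_policy_bypass": re.compile(r"(?i)(?:^|\s)-e\w*\s+bypass\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e\w*\s+[A-Za-z0-9+/=]{32,}"),
}

# Lower-cased key suffix -> (value meaning "protection off", rule name).
TAMPER_VALUES = {
    r"windows defender\real-time protection\disablerealtimemonitoring": (1, "defender_tamper"),
    r"windows defender\disableantispyware": (1, "defender_tamper"),
    r"currentversion\policies\system\enablelua": (0, "uac_tamper"),
}


def _name(path):
    return ntpath.basename(path).lower()


def _dword(details):
    """Parse the numeric value out of a Sysmon 'DWORD (0x...)' details string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def check_powershell_launch(ev):
    """Stage 1: PowerShell started with hiding/encoding flags, scored higher
    when the parent is explorer.exe (what a double-clicked LNK looks like)."""
    if ev["id"] != 1 or _name(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    hits = [k for k, rx in PS_FLAGS.items() if rx.search(ev["cmdline"])]
    if not hits:
        return None
    from_explorer = _name(ev["parent_image"]) == "explorer.exe"
    rule = "hidden_powershell_from_explorer" if from_explorer else "suspicious_powershell"
    return {"rule": rule, "pid": ev["pid"], "detail": ",".join(hits)}


def check_registry_tamper(ev):
    """Stage 2: Defender or UAC switched off through well-known policy values."""
    if ev["id"] != 13:
        return None
    target = ev["target"].lower()
    for suffix, (bad_value, rule) in TAMPER_VALUES.items():
        if target.endswith(suffix) and _dword(ev["details"]) == bad_value:
            return {"rule": rule, "pid": ev["pid"], "detail": ev["target"]}
    return None


def check_browser_automation(ev):
    """Propagation: a browser whose parent is chromedriver.exe, i.e. a
    Selenium-driven session rather than one the user opened."""
    if ev["id"] != 1 or _name(ev["parent_image"]) != "chromedriver.exe":
        return None
    return {"rule": "chromedriver_browser_session", "pid": ev["pid"], "detail": ev["parent_image"]}


CHECKS = (check_powershell_launch, check_registry_tamper, check_browser_automation)


def hunt(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

Each rule on its own is noisy (administrators do run encoded commands, and Selenium is used legitimately in test labs); the value is in the correlation the sample shows, where the same PowerShell PID that was launched hidden from Explorer then writes the Defender and UAC policy values. A production rule would key on that shared PID, and on the registry writes regardless of who made them.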

The Portuguese-language commands and the complexity of the code suggest a highly skilled group with detailed knowledge of Brazil’s banking system, likely part of a well-funded organized cybercrime operation.

How to Protect Yourself

Experts recommend basic cybersecurity measures:

Keep operating systems up to date.

Use reliable antivirus software.

Avoid downloading or opening files from unknown sources, in particular archives and shortcut files received through messaging apps.

Be alert to phishing messages that appear legitimate, including messages from known contacts whose accounts may already be compromised.

Enable multi-factor authentication (MFA) and maintain regular backups of sensitive data.

As attackers continue to abuse popular apps like WhatsApp, this campaign highlights the dangerous combination of social engineering and advanced malware techniques, and underscores the need for constant vigilance by users and organizations alike.