A single zipped shortcut arriving in a WhatsApp chat can quietly trigger a full‑blown heist-grade intrusion chain that looks routine to defenders until the browsers of a Brazilian victim start betraying their bank sessions. That is the unsettling scenario emerging from an investigation into the Maverick banking trojan, whose delivery and inner mechanics align strikingly with the older Coyote campaign. Both families lean on Windows-native tooling, hide their intent behind layers of scripting tricks, and light up only on Brazilian systems. The question is less whether the techniques look alike and more whether the code and operations converge to a degree that implies shared authorship—because the overlaps reach far beyond coincidence and push into the domain of inherited design, iterative retooling, and coordinated infrastructure.
Tracing the Shared DNA
Infection Flow and Living-off-the-Land Tactics
Maverick enters through deceptively benign ZIP archives shared over WhatsApp, a channel that blends trust and informality to suppress suspicion at the moment of click. Inside waits an LNK shortcut that launches heavily obfuscated PowerShell, stitched together from fragments with nested FOR loops that rebuild powershell.exe and parameters only at runtime. The script layers Base64 with UTF‑16LE encoding and prolific string concatenation, taking advantage of Windows defaults and telemetry blind spots to stall detection. Once decoded, PowerShell reaches attacker infrastructure—domains such as zapgrande[.]com—then drips the next stages, ensuring each component is present only when needed. Persistence follows with a batched foothold named in a pattern like HealthApp-.bat dropped in Startup, giving a low-profile reentry point after reboot.
Geo-Fencing, Target Decryption, and Browser Monitoring
The payload refuses to run unless the host environment fits a Brazilian profile, checking timezone, locale, regional settings, and date formats with unusual rigor. That geo-fencing curbs noise and reduces exposure, while signaling confidence in high-value returns within a tightly defined financial ecosystem. When conditions match, the malware unpacks target lists for more than 50 Brazilian institutions through a consistent scheme: data stored in Base64, compressed via GZIP, and decrypted with AES in CBC mode. This sequence repeats across Maverick and Coyote, indicating code-level inheritance, not casual copying. Active monitoring then hooks major browsers—Chrome, Firefox, Edge, Opera, Brave—to capture banking events and insert theft logic at the exact moment of session activity. Beaconing to domains such as sorvetenopote[.]com provides remote control and telemetry that keeps operators informed and adaptive.
Evidence Of a Common Lineage
Code Parity and Operational Reuse
The anchors tying the two families together are as operational as they are technical. The LNK → obfuscated PowerShell → staged download pipeline is not a trope here; it is nearly identical across campaigns, down to the nested loop technique that reconstructs commands on the fly. Both strains adopt deep obfuscation to frustrate static analysis and manipulate encoded layers to exhaust simple detections. More telling is the parity of encryption workflows for embedded target lists and the modular staging that keeps artifacts sparse on disk. Even persistence choices show convergent style, favoring batch-based autostarts over more conspicuous registry methods. Seen together, these consistencies describe a developer philosophy as much as a toolkit—one that values Windows-native execution, low-noise artifacting, and fast iteration across related branches.
Campaign Discipline and Brazilian Focus
Delivery through WhatsApp capitalizes on social familiarity and mobile-to-desktop transfer habits, which reduce vigilance around ZIP and LNK content. Infrastructure reuse across domains shortens deployment timelines and simplifies control, with rotating hosts serving interchangeable payloads. The Brazilian-only activation gates reduce collateral infections, a move that cuts researcher visibility while maximizing regional success. This strategy dovetails with modular staging and anti-analysis, producing campaigns that can be tuned quickly without rewriting the core logic. As a result, Maverick does not feel like a knockoff; it reads like an evolution of Coyote’s approach, adapted for fresh lures, refined obfuscation, and a resilient delivery cadence that survives routine takedowns and signature updates.
What Security Teams Should Do Next
The operational and code-level overlap between Maverick and Coyote pointed to sustained development by the same actors or by closely aligned teams working from a shared codebase. That conclusion mattered because it suggested defenses could pivot from chasing labels to detecting the stable backbone: LNK-triggered PowerShell with nested loop reconstruction, Base64 plus UTF‑16LE layering, AES-CBC with GZIP for target lists, and Startup folder batch persistence. Network filters tuned to WhatsApp-delivered ZIP/LNK patterns, script-block logging that captures reconstructed command lines, and browser telemetry that flags injection attempts during Brazilian banking sessions had provided real leverage. Prioritizing geo-fenced heuristics and infrastructure clustering also paid off by surfacing families that tried to stay local and quiet.