Analyzing the Link Between Two Evolving Brazilian Banking Trojans

Nov. 12, 2025, 10:01 a.m.

Description

This intelligence report examines the link between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp in a multi-stage attack that begins with a malicious LNK file. Both trojans share similar infection methods and target Brazilian users and banks. The attack chain runs obfuscated PowerShell commands that download additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file placed in the Startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified campaign.
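The indicators listed further down can be turned into a hunt over endpoint telemetry. The Python script below is an added example, not code from the report or from the Maverick/Coyote analysis: it loads the page's hashes, IPs and domains, matches them against DNS, network and file events on a hostname-boundary basis (so a look-alike such as notsorvetenopote.com does not match), and flags a batch file written to a Windows Startup folder, which is the persistence mechanism the description names. The event schema (type, host, query, url, dst_ip, path, sha256) and SAMPLE_EVENTS are constructed for illustration; treating .cmd alongside .bat is an assumption and not a detail from the report.

```python
"""Hunt for the Maverick/Coyote indicators listed on this page.

Added example, not code from the report. Indicator values are copied from
the page; the event schema and SAMPLE_EVENTS are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Indicators from the page. The URL indicator is reduced to its hostname so
# one comparison covers DNS queries, proxy logs and full URLs.
IOC_HASHES = {
    "77ea1ef68373c0dd70105dea8fc4ab41f71bbe16c72f3396ad51a64c281295ff",
    "949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de",
}
IOC_IPS = {"181.41.201.184", "77.111.101.169", "109.176.30.141"}
IOC_DOMAINS = {"zapgrande.com", "sorvetenopote.com", "casadecampoamazonas.com"}

# Both the per-user (...\AppData\Roaming\Microsoft\Windows\...) and the
# all-users (C:\ProgramData\Microsoft\Windows\...) Startup folders end with
# this path fragment. Including .cmd next to .bat is an assumption.
STARTUP_BAT_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(bat|cmd)$", re.IGNORECASE
)


def host_of(value: str) -> str:
    """Return the bare, lower-cased hostname of a URL or hostname string."""
    if "://" in value:
        value = urlparse(value).hostname or ""
    return value.lower().rstrip(".")


def domain_matches(value: str) -> bool:
    """True if the hostname equals an IOC domain or is a subdomain of one.

    Matching on a '.' boundary avoids false positives such as
    'notsorvetenopote.com'.
    """
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_event(event: dict) -> list[str]:
    """Return the indicator classes an event matches (empty list if none)."""
    hits: list[str] = []
    if domain_matches(event.get("query", "")) or domain_matches(event.get("url", "")):
        hits.append("domain")
    if event.get("dst_ip") in IOC_IPS:
        hits.append("ip")
    if event.get("sha256", "").lower() in IOC_HASHES:
        hits.append("hash")
    if event.get("type") == "file" and STARTUP_BAT_RE.search(event.get("path", "")):
        hits.append("startup-bat")
    return hits


def hunt(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (host, event type, matched classes) for every matching event."""
    return [(e["host"], e["type"], m) for e in events if (m := match_event(e))]


def triage(events: list[dict]) -> dict[str, set[str]]:
    """Collapse hits per host so C2 contact and persistence show up together."""
    per_host: dict[str, set[str]] = {}
    for host, _, labels in hunt(events):
        per_host.setdefault(host, set()).update(labels)
    return per_host


# Constructed telemetry (not from the report): one infected host, one host
# that only holds a known sample, and one clean host with a look-alike domain.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "wks-01", "query": "www.sorvetenopote.com"},
    {"type": "net", "host": "wks-01", "dst_ip": "181.41.201.184", "dst_port": 443},
    {"type": "file", "host": "wks-01", "sha256": "0" * 64,
     "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "file", "host": "wks-02", "path": r"C:\Users\bob\Downloads\doc.zip",
     "sha256": "949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de"},
    {"type": "dns", "host": "wks-03", "query": "notsorvetenopote.com"},
    {"type": "net", "host": "wks-03", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for host, classes in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(classes))}")
```

Run as-is it reports wks-01 with domain, ip and startup-bat hits and wks-02 with only a hash hit; a host that shows both a C2 indicator and a Startup batch file is the one to isolate first. Feed real records by replacing SAMPLE_EVENTS with events mapped to the same keys.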

Date

  • Created: Nov. 12, 2025, 9:45 a.m.
  • Published: Nov. 12, 2025, 9:45 a.m.
  • Modified: Nov. 12, 2025, 10:01 a.m.

Indicators

  • 77ea1ef68373c0dd70105dea8fc4ab41f71bbe16c72f3396ad51a64c281295ff
  • 949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de
  • 181.41.201.184
  • 77.111.101.169
  • 109.176.30.141
  • https://sorvetenopote.com
  • zapgrande.com
  • sorvetenopote.com
  • casadecampoamazonas.com

Attack Patterns

Additional Information

  • Finance
  • Brazil