The Maverick Spider Sinks Its Fangs into WhatsApp Web to Liquefy Banking Data
- Javier Conejo del Cerro
- 12 Nov 2025
- 3 min read

From the tangled digital webs of Brazil, a new predator has emerged — Maverick, a cunning evolution linked to the Coyote malware family. Disguised within familiar WhatsApp messages, this malicious spider spreads its venom through browser sessions and ZIP attachments, hijacking communication channels to drain data from Brazil’s largest financial institutions. Beneath the everyday façade of chat exchanges, Maverick weaves a patient web of trust and deception, liquefying digital identities into stolen credentials and drained accounts.
Phase 1: The Lure and the Prey – Catching the Victims in the Web
The campaign primarily targets Brazilian users, a region where WhatsApp is deeply integrated into daily communication. Victims include customers of major national banks, hotel operators, and contacts of already infected accounts, all reached through compromised WhatsApp Web sessions.
By focusing on Portuguese-language systems and Brazil’s regional settings, the threat actors ensure that their malware activates only within their desired hunting grounds, filtering out foreign systems and analysts. Each infection begins innocently — a message from a known contact, carrying a ZIP file, a link, or a “budget quote” attachment (Orçamento.zip). Once opened, the spider begins spinning.
Phase 2: The Bite – How the Infection Strikes
The entry vector is deceptively simple yet brutally effective. The attack starts when the victim downloads and opens a ZIP file sent via WhatsApp Web, containing a malicious Windows shortcut (LNK) and an obfuscated Visual Basic Script (VBS) called SORVEPOTEL. Once executed, this script runs a PowerShell loader that disables Microsoft Defender and User Account Control (UAC), fetches a .NET payload, and clones the Chrome browser profile to harvest cookies, tokens, and sessions.
Through ChromeDriver and Selenium automation, Maverick hijacks WhatsApp Web directly — no QR scan, no login prompts — and uses the victim’s session to propagate itself automatically to all contacts. It persists quietly, ensuring each compromised device becomes a node in an expanding infection web.
Once established, Maverick monitors active browser tabs for banking URLs, especially those belonging to Brazil’s largest institutions. When detected, it fetches commands from remote C2 servers and IMAP-controlled email accounts, serving phishing pages that mimic online banking interfaces. The spider’s venom extracts Microsoft credentials, cookies, session tokens, system fingerprints, and contact lists, all exfiltrated to remote infrastructure to enable fraud and account takeover.
Phase 3: The Venom Spreads – Evolution of a Predator
What makes Maverick particularly dangerous is its sophistication and its connection to the broader Brazilian cyber-criminal ecosystem. It inherits traits from Coyote but evolves them into stealthier behavior — replacing traditional payloads with legitimate automation frameworks like ChromeDriver, Selenium, and Remote Monitoring and Management (RMM) tools.
The actors behind Maverick, known as Water Saci, have perfected multi-vector persistence and operational stealth. Their infrastructure uses IMAP email accounts protected by MFA to relay commands, and the malware includes mechanisms to pause, resume, or monitor propagation in real time. This precision control turns each compromised host into a bot within a coordinated financial web, capable of exfiltrating sensitive data at scale without immediate detection.
By exploiting everyday communication tools, Maverick bypasses conventional defenses — proof that modern threats are not only about code, but about exploiting trust itself.
Maverick represents a new evolution of social-engineered banking malware, where messaging platforms become delivery chains and browser automation replaces trojans. Its success stems from its camouflage — blending legitimate scripts, familiar workflows, and trusted communication platforms.
To fend off this predator before it tightens its web around more victims:
- Avoid downloading ZIP or LNK attachments from WhatsApp messages.
- Verify sender identity before engaging with unexpected files.
- Keep systems patched and browsers isolated.
- Block or monitor ChromeDriver/Selenium activity.
- Restrict PowerShell and VBS execution policies.
- Deploy EDR/XDR solutions to flag anomalous traffic and IMAP/C2 communication.
- Rotate credentials and enable MFA on all financial and cloud accounts.
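The defensive side of Phase 2 and of the "monitor ChromeDriver/Selenium", "restrict PowerShell and VBS" and "flag IMAP/C2 communication" items above, as an added example that is not part of the original post or of any vendor's tooling: a small set of detection rules run over constructed Sysmon-style telemetry. Each rule maps to one stage of the chain the post describes (script host launching a .vbs from a download folder, PowerShell disabling Defender, the UAC registry value being zeroed, Chrome spawned by ChromeDriver, and IMAP traffic from a process that is not a mail client), and hosts that trip several distinct stages are escalated. The hostnames, paths, IP addresses, rule names and the sample events are all invented for the example.

```python
"""Stage-correlated detection for the infection chain described above.

Events mimic Sysmon Event ID 1 (process create) and Event ID 3 (network
connect). The sample telemetry is constructed; nothing here is real
incident data.
"""
import re

# Constructed sample telemetry: one infected workstation (WS-01) and one
# clean workstation (WS-02) producing look-alike benign events.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-01", "pid": 410,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\ana\Downloads\Orçamento\Orçamento.vbs"'},
    {"id": 1, "host": "WS-01", "pid": 422,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "WS-01", "pid": 430,
     "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"id": 1, "host": "WS-01", "pid": 515,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "cmd": r'chrome.exe --remote-debugging-port=9222 --user-data-dir="C:\Users\ana\AppData\Local\Temp\profile_copy"'},
    {"id": 3, "host": "WS-01", "pid": 422,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.7", "dst_port": 993},
    # Benign noise: a real mail client on IMAP and a user-launched Chrome.
    {"id": 3, "host": "WS-02", "pid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "198.51.100.5", "dst_port": 993},
    {"id": 1, "host": "WS-02", "pid": 901,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "chrome.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")          # allow-list for IMAP
DOWNLOAD_DIRS = re.compile(r"\\(Downloads|Temp|WhatsApp)\\", re.I)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference.*-Disable\w+", re.I)
UAC_TAMPER = re.compile(r"EnableLUA\b.*\b0\b", re.I)
AUTOMATION_FLAGS = re.compile(r"--remote-debugging-port|--user-data-dir=", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return the rule name a process-creation event trips, or None."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    if image in SCRIPT_HOSTS and ".vbs" in cmd.lower() and DOWNLOAD_DIRS.search(cmd):
        return "vbs_from_download_folder"
    if image in ("powershell.exe", "pwsh.exe") and DEFENDER_TAMPER.search(cmd):
        return "defender_disabled_via_powershell"
    if UAC_TAMPER.search(cmd):
        return "uac_disabled_via_registry"
    if image == "chrome.exe" and (parent == "chromedriver.exe" or AUTOMATION_FLAGS.search(cmd)):
        return "chrome_driven_by_automation"
    return None


def check_network(ev):
    """IMAP from anything but a known mail client is the C2-relay signal."""
    if ev["dst_port"] in (143, 993) and basename(ev["image"]) not in MAIL_CLIENTS:
        return "imap_from_non_mail_process"
    return None


def detect(events):
    """Yield (host, pid, rule) for every event that matches a rule."""
    findings = []
    for ev in events:
        rule = None
        if ev["id"] == 1:
            rule = check_process(ev)
        elif ev["id"] == 3:
            rule = check_network(ev)
        if rule:
            findings.append((ev["host"], ev["pid"], rule))
    return findings


def score_hosts(findings):
    """Number of distinct chain stages observed per host."""
    stages = {}
    for host, _pid, rule in findings:
        stages.setdefault(host, set()).add(rule)
    return {host: len(rules) for host, rules in stages.items()}


def suspect_hosts(findings, min_stages=3):
    """Hosts that tripped at least min_stages distinct rules, sorted."""
    return sorted(h for h, n in score_hosts(findings).items() if n >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, pid, rule in found:
        print(f"{host} pid={pid} {rule}")
    print("escalate:", suspect_hosts(found))
```

Requiring several distinct stages before escalating is what keeps the single-rule noise (a developer legitimately running ChromeDriver, an admin touching Defender settings) from paging anyone, while the full chain on one host still surfaces even if any one stage is missed.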
In the age of social malware, every click spins a new thread — and sometimes, that thread leads straight into the spider’s nest.
The Hacker News