Malware Spreading Through WhatsApp Web Uses Fake Screen to Capture Banking and Brokerage Passwords. Program Affects Only Brazilian Machines and Has Already Made Thousands of Automatic Dispatches Through the Platform.
A new malware dubbed Maverick is spreading through WhatsApp Web and stealing access credentials from clients of banks and cryptocurrency brokerages in Brazil.
The threat uses a fake screen that imitates financial institution pages to capture passwords and tokens, according to technical analyses from cybersecurity firms.
Experts point out that the campaign is active, focused in the country, and aimed at computer users, not mobile users.
The scam begins with the receipt of a “.zip” compressed file sent by a contact who has already been compromised.
Within the package, there is a “.lnk” shortcut; executing this shortcut activates the malicious code.
From there, the malware takes control of the browser, accesses the session of WhatsApp Web, and automatically forwards the same “.zip” to all of the victim’s contacts, exponentially spreading the infection.
Independent surveys describe exactly this vector and the automation of sending through the victim’s own account.
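The infection chain described above starts with a ZIP archive carrying a Windows shortcut. As an added example (not code from the article or from any of the vendors it cites), here is a defender-side check a mail or chat gateway could run on such an attachment: it opens a ZIP held in memory, flags members with a `.lnk` extension, flags members whose bytes carry the Windows Shell Link header even when the name disguises them, and recurses into nested archives. The file names and the sample archive are constructed for the demonstration.

```python
import io
import zipfile

# Every Windows shortcut (Shell Link) file starts with a 4-byte header size of
# 0x4C followed by the Shell Link CLSID 00021401-0000-0000-C000-000000000046
# in its on-disk (mixed-endian GUID) byte order.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def is_lnk_payload(data: bytes) -> bool:
    """True when the first 20 bytes match the Shell Link header, whatever the name says."""
    return data[:20] == LNK_HEADER


def scan_zip_bytes(blob: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return findings for a ZIP archive held in memory.

    Findings are strings of the form "<kind>:<member name>". Nested archives are
    scanned up to max_depth levels, with the outer member name as a prefix.
    """
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["not-a-zip"]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        data = archive.read(name)
        lower = name.lower()

        if lower.endswith(".lnk"):
            findings.append(f"lnk-extension:{name}")
        elif is_lnk_payload(data):
            # Shortcut body hiding behind a harmless-looking extension.
            findings.append(f"lnk-disguised:{name}")

        if lower.endswith(".zip") and depth < max_depth:
            for inner in scan_zip_bytes(data, depth + 1, max_depth):
                findings.append(f"nested[{name}]/{inner}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one .lnk, one decoy text file, one renamed shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("foto.lnk", LNK_HEADER + b"\x00" * 56)        # constructed shortcut body
        z.writestr("leia-me.txt", b"decoy text")                  # harmless member
        z.writestr("documento.pdf", LNK_HEADER + b"\x00" * 56)   # shortcut with a misleading name
    return buf.getvalue()


def build_nested_archive() -> bytes:
    """Constructed sample: the archive above wrapped in a second ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("anexo.zip", build_sample_archive())
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("flat", build_sample_archive()), ("nested", build_nested_archive())):
        print(label, scan_zip_bytes(blob))
```

Checking the header bytes rather than only the extension matters because a gateway rule keyed on `.lnk` alone misses a shortcut that has been renamed; the depth limit keeps a deliberately deep archive-in-archive from exhausting the scanner.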
How the Maverick Tricks the User
According to researchers, Maverick was written with comments in Brazilian Portuguese, uses URLs with names in Portuguese, and includes checks so that it operates only in Brazilian environments, which is reflected in checks for keyboard layouts that include “ç” and other local settings.
In addition to the language, the central technique is interface overlay: when the victim accesses the bank’s site, the malware freezes the screen and displays a “security” warning requesting full credentials.
In analysis, Kaspersky analyst Anderson Leite describes this behavior as the key to stealing data without having to scour through the user’s entire system.
“When the victim enters the bank’s website, the virus freezes the computer screen and shows a false security message, as if the bank is asking for their credentials to validate something,” he stated.
There is also a component that reinforces the realism of the deception.
The standard message disseminated by the criminals attempts to convince the recipient that the content can only be viewed on the PC and that Chrome may flag the download as it is a compressed file, normalizing the risk to induce a click.
At the moment the shortcut is executed, the malware initiates persistence routines, monitors machine restarts, and hijacks the session of WhatsApp Web to continue the cycle of dissemination.
Technical reports detail this self-propagating behavior and the creation of mechanisms to keep the infection active.
Tools Used by Attackers
The takeover of the session relies on the use of Selenium, a browser automation tool.
Since the actions come from the user’s own environment, WhatsApp interprets the requests as legitimate.
When questioned, Meta states that it is working to add layers of protection, with resources that provide more context when receiving messages from unknown sources and with end-to-end encryption in conversations.
In parallel, security labs recommend updating antivirus signatures to block the “.zip” package and interrupt the infection vector.
Sophos confirms that it began observing the campaign as of September 29, focusing on Brazil and mass sending via WhatsApp Web.
Operation with Signs of Professionalization
In addition to the technique, the supporting infrastructure indicates organization.
A report cited by industry sources mentions the use of automatic name generators for the malicious files, a statistical dashboard with delivery and success metrics, and distribution controls.
“These artifacts point to a professionalized operation,” states Felipe Guimarães, information security director at Solo Iron.
Although complete data on the targeted financial institutions has not been disclosed, various analyses highlight that the main targets are clients of Brazilian banks and crypto asset platforms.
In technical publications, Kaspersky describes Maverick as a “banker” mass distributed via WhatsApp, with modern evasion components.
Relation to “Coyote,” the Brazilian Trojan from 2024
Samples of Maverick share code snippets with Coyote, a banking trojan of Brazilian origin documented by Kaspersky in February 2024.
In that case, the criminals exploited a chain of infection with Squirrel and targeted more than 60 institutions.
Researchers assess that the similarities suggest continuity or links between groups, although there is no official confirmation of authorship.
In 2025, new variants of Coyote showed evolution to bypass defenses, reinforcing the reuse of techniques by local gangs.
Position of the Financial Sector and WhatsApp
Febraban reports that banks maintain robust monitoring structures, with biometric authentication, tokenization, and the use of big data and artificial intelligence in fraud prevention.
Meanwhile, Meta states that it continues to invest in security mechanisms in WhatsApp, without detailing specific impacts from this campaign.
In parallel, response teams from companies like Trend Micro and Sophos have published technical alerts, describing the sending of ZIP files with “.lnk” shortcuts as a dissemination vector and the worm behavior on the platform.
What to Do If You Were Exposed or Suspect Infection
Consulted professionals recommend not opening attachments received via WhatsApp without prior validation, even when sent by known contacts.
The most effective measure is to confirm the sending through a second channel, reducing the risk of executing fraudulent content.
In corporate environments, restricting file transfer in personal applications helps to reduce the attack surface.
It is also advisable to disable automatic downloads in WhatsApp, keep your antivirus updated, and monitor bank statements after any incident.
If the file has been executed, the guidance is to remove everything that was downloaded, run a full scan, and consider reinstalling the browser or restoring the system to a previous point.
Next, change bank passwords and enable additional verification methods, such as token and biometrics, informing the bank of any suspicious transactions.
In recent reports, labs emphasize that self-propagating campaigns on WhatsApp evolve rapidly, which is why immediate response is crucial to contain damage.
Be Careful Not to Confuse Different Campaigns
During the same period, other families of malware also exploited WhatsApp as a distribution channel, such as SORVEPOTEL and related operations.
Although they share the sending of ZIP with LNK and the propagation via compromised contacts, they are distinct campaigns with tactics and objectives that may vary.
The distinction is important for technical teams to apply correct IOCs and not confuse signatures or indicators when blocking the attack.
With the spread of a trojan that imitates banking pages and uses WhatsApp Web itself to propagate, what alert signal have you come to consider indispensable before opening attachments received from colleagues, clients, or family?