
Analyzing the Link Between Two Evolving Brazilian Banking Trojans

Severity: Medium
Published: Wed Nov 12 2025 (11/12/2025, 09:45:13 UTC)
Source: AlienVault OTX General

Description

The Maverick and Coyote banking trojans are Brazilian malware campaigns spreading primarily via WhatsApp using malicious LNK files. They employ multi-stage infection chains involving obfuscated PowerShell commands to download additional payloads from command and control servers. Both trojans share infection techniques, use anti-analysis methods, and target specific browsers to steal banking credentials. Persistence is maintained through batch files in the startup folder. While primarily targeting Brazilian users and banks, the malware's use of common attack vectors and tools could pose risks to European organizations, especially those with Brazilian connections. Indicators of compromise include specific file hashes, IP addresses, domains, and URLs linked to the malware infrastructure. The threat is assessed as medium severity due to its targeted nature and complexity of exploitation.

AI-Powered Analysis

Last updated: 11/12/2025, 09:56:33 UTC

Technical Analysis

This intelligence report analyzes the link between two evolving Brazilian banking trojans, Maverick and Coyote, which share similar infection methodologies and target Brazilian banking users. The infection vector begins with a malicious LNK file distributed through WhatsApp messages, relying on social engineering to trick users into executing it. Upon execution, the malware runs obfuscated PowerShell commands that download additional payloads from attacker-controlled command and control (C2) servers. The malware leverages anti-analysis techniques to evade detection and targets specific browsers to intercept banking credentials. Persistence is achieved by placing a batch file in the Windows startup folder, ensuring the malware runs on system reboot. The attack chain involves multiple stages, including code injection (T1055), command execution via PowerShell (T1059.001), and obfuscation (T1027). The malware also uses web-protocol network communications (T1071.001) to maintain contact with C2 infrastructure. Indicators of compromise include several file hashes, IP addresses, and domains associated with the malware campaign. Although the primary focus is on Brazilian targets, the malware's techniques and delivery mechanisms could be adapted to, or inadvertently affect, European organizations, especially those with business or personnel links to Brazil. No known exploits in the wild are reported, and no CVSS score is assigned, but the complexity and targeted nature suggest a medium severity threat.

Potential Impact

For European organizations, the direct impact is currently limited due to the malware’s focus on Brazilian banking users. However, organizations with subsidiaries, partners, or employees in Brazil could face indirect risks, including credential theft and financial fraud. The malware’s use of WhatsApp as a propagation vector highlights the risk of social engineering attacks exploiting popular communication platforms. If adapted to target European banks or users, the trojans could lead to significant financial losses, data breaches, and reputational damage. The multi-stage infection and persistence mechanisms increase the difficulty of detection and remediation. Additionally, the malware’s targeting of specific browsers could compromise online banking sessions and sensitive transactions. The presence of obfuscated PowerShell commands and anti-analysis techniques complicates forensic investigations and incident response. Overall, the threat underscores the need for vigilance against social engineering and multi-vector attacks in financial sectors.

Mitigation Recommendations

European organizations should implement targeted detection rules for the identified indicators of compromise, including the specific file hashes, IP addresses, domains, and URLs linked to Maverick and Coyote trojans. Monitoring and restricting the execution of LNK files received via messaging platforms like WhatsApp can reduce initial infection risk. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying obfuscated PowerShell activity and suspicious batch file persistence mechanisms. Enforce strict application whitelisting policies to prevent unauthorized script execution and persistence. Conduct user awareness training focused on social engineering risks, especially related to messaging apps and unexpected file attachments. Network segmentation and monitoring of outbound connections to suspicious IPs and domains can limit malware communication with C2 servers. Regularly update and patch browsers and security software to mitigate exploitation of targeted browser vulnerabilities. Finally, implement multi-factor authentication (MFA) for banking and critical systems to reduce the impact of credential theft.


Technical Details

Author: AlienVault
TLP: white
References: https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/
Adversary: null
Pulse Id: 691457292075d4131c6db0ed
Threat Score: null

Indicators of Compromise


Threat ID: 691457ec32a6693f6a217616

Added to database: 11/12/2025, 9:48:28 AM

Last enriched: 11/12/2025, 9:56:33 AM

Last updated: 11/14/2025, 8:08:12 AM

Views: 55
