Maverick Banking Malware Shares Codebase With Coyote in Targeted Brazilian Campaigns

Researchers have linked the new Maverick malware to the Coyote banking trojan, both targeting financial users in Brazil. Distributed via malicious WhatsApp messages, Maverick shares Coyote’s .NET codebase, credential-stealing modules, and banking-site overlays—signaling a coordinated evolution in Brazil’s financial cybercrime landscape.

    Threat analysts have discovered strong links between a recently disclosed malware variant named Maverick and an existing banking trojan known as Coyote. Both malware strains appear to be part of a growing cybercrime campaign targeting financial institutions and users in Brazil. CyberProof’s threat intelligence team has observed a high degree of similarity in their behavior, structure, and technical implementation, suggesting a shared codebase or at least common authorship.

    Maverick’s Stealthy Propagation Tactics Arrive via WhatsApp

    Maverick has come under scrutiny after it was observed being distributed through malicious WhatsApp messages. This peer-to-peer delivery mechanism is particularly deceptive and leverages the trusted nature of messaging platforms to increase infection rates among users in Brazil. Social engineering remains a core tactic in Brazilian cybercrime circles, and this malware variant follows well-established patterns.

    According to CyberProof, this campaign targets consumers of Brazilian banking services. It is engineered with specific mechanisms to interfere with banking sessions and obtain authentication data and user credentials.

    “The use of WhatsApp represents an upgraded delivery vector, reflecting a trend among Latin American threat groups toward using encrypted messaging apps,” analysts noted.

    Code Similarities Point to Shared Development Between Maverick and Coyote

    Upon reverse-engineering both pieces of malware, researchers observed extensive overlap in structure and functionality. Threat actors targeting the Brazilian financial sector frequently recycle or iterate upon existing tools to deploy new variants, often with minimal mutations or added obfuscation layers.

    Core Technical Similarities

    CyberProof’s analysis enumerated several major overlaps between Maverick and Coyote:

    • Both malware families are written in Microsoft’s .NET Framework, offering rapid development and obfuscation capabilities.
    • Each contains modules that perform SSL decryption to intercept banking-related sessions.
    • Embedded targeting lists comprise similar Brazilian banking domains.
    • Screen overlay functions allow both variants to capture sensitive user input during active banking sessions.

    This reuse of code and functionality has led researchers to theorize that these strains may be derived from the same malware-as-a-service (MaaS) infrastructure—or possibly developed by the same actor or group.

    Functionality Reflects Focus on Brazilian Financial Ecosystem

    While both Maverick and Coyote are highly specialized banking trojans, their geographical targeting firmly anchors them within the Latin American threat landscape. Brazilian banks are frequent targets of credential-stealing campaigns, and multiple financially motivated groups operate out of the region.

    Primary Functional Features Observed

    CyberProof outlines the following capabilities shared by both malware strains:

    • Targeted URL monitoring – Detects and activates malicious routines when a victim accesses a banking site
    • Credential theft via screen capture – Captures login pages and user input through fake overlays
    • Encrypted communication – Uses custom or built-in routines to maintain secure channels with command-and-control (C2) infrastructure
    • Application-specific targeting – Identifies and actively interferes with local banking software

    These characteristics align with known techniques used by Brazilian threat actor collectives such as Guildma, Mekotio, and Grandoreiro. Such groups frequently deploy modular malware suites focused on hijacking online banking sessions.

    Implications for Financial Cybersecurity

    Despite analysis pointing to a reused codebase, the appearance of Maverick on mobile-focused platforms like WhatsApp underscores an ongoing evolution in the attacker toolkit. Threat actors are continually refining their propagation strategies, combining traditional banking malware functionality with modern delivery methods.

    Financial institutions operating in Brazil should assess whether their fraud prevention systems are prepared to address threats not only from desktop-based malware infections but also from mobile-first intrusions. The reuse of banking malware code also emphasizes the importance of behavioral analysis and endpoint detection tuned to region-specific tactics.

    Financial cybersecurity professionals should focus on the following defensive strategies:

    • Enhancing phishing and social engineering awareness training among customers
    • Monitoring for unusual screen overlay activity or DLL injection into banking applications
    • Updating endpoint detection and response (EDR) tooling to reflect .NET malware patterns
    • Engaging in threat intelligence sharing to correlate activity across institutions
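    The second and third points above can be turned into a concrete EDR heuristic: the .NET runtime appearing inside a browser or banking client that is itself native code, combined with a DLL loaded from a user-writable path, is the footprint .NET injection leaves in image-load telemetry. The following is an added defender-side example, not CyberProof’s or the article’s code; the event shape, the process names and the path list are assumptions chosen for illustration.

```python
"""Score image-load telemetry for signs of .NET code injected into a banking
or browser process. Added example; event format and names are assumptions."""
from dataclasses import dataclass

# Processes whose banking sessions a trojan of this type would hook.
# Illustrative placeholders, not a list taken from the report.
MONITORED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "bankclient.exe"}
# The .NET runtime being mapped into a native-code host is a strong signal.
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll"}
# Directories a dropped or injected assembly is typically loaded from.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str   # image name of the process doing the load
    image: str     # full path of the loaded module
    signed: bool   # whether the module carried a valid Authenticode signature


def classify(evt: ImageLoad) -> list:
    """Return reason tags for one event; an empty list means it looks benign."""
    if evt.process.lower() not in MONITORED_PROCESSES:
        return []
    image = evt.image.lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in CLR_MODULES:
        reasons.append("clr_in_native_process")
    if name.endswith(".dll") and image.startswith(USER_WRITABLE):
        reasons.append("dll_from_user_writable_path")
    if name.endswith(".dll") and not evt.signed:
        reasons.append("unsigned_dll")
    return reasons


def detect(events) -> dict:
    """Group reason tags per process so a multi-signal hit stands out from noise."""
    hits = {}
    for evt in events:
        for reason in classify(evt):
            hits.setdefault(evt.process.lower(), set()).add(reason)
    return hits


# Constructed sample telemetry (not from the report).
SAMPLE = [
    ImageLoad("chrome.exe", "C:\\Windows\\System32\\ntdll.dll", True),
    ImageLoad("chrome.exe", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll", True),
    ImageLoad("chrome.exe", "C:\\Users\\victim\\AppData\\Roaming\\update.dll", False),
    ImageLoad("notepad.exe", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll", True),
    ImageLoad("bankclient.exe", "C:\\Program Files\\Bank\\bankclient.dll", True),
]
```

Only the browser process accumulates all three tags; the same CLR load in a process outside the monitored set, or a signed DLL loaded from Program Files, produces no alert, which keeps the heuristic usable on real volumes.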

    Coordinated Threat Campaign or Malware Copycat?

    The degree of overlap between Maverick and Coyote still leaves open the question of whether these strains are maintained by one threat actor or propagated via a shared underground resource. The threat intelligence community continues to analyze cross-functional data to determine if this signifies a malware toolkit sold to multiple actors or the work of a single evolving adversary.

    Regardless of origin, the emergence of Maverick demonstrates that even established malware families can be repurposed and redeployed with modernized tactics. For defenders in the Brazilian financial system, staying ahead of threat actor innovation remains a difficult but necessary challenge in securing user transactions and protecting banking environments from persistent threats.
