Analyzing the Link Between Two Evolving Brazilian Banking Trojans
Essential information
- Published: 12/11/2025 09:45
- Modified: 12/11/2025 10:01
- Tags: .net, 2025-11-12, banking trojan, brazil, coyote, maverick, multi-stage attack, obfuscation, powershell, whatsapp
- Related entities: 9 observables, 9 techniques (mitre), 2 malware, 2 others
Description
This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp in a multi-stage attack that begins with a malicious LNK file. The two trojans share similarities in their infection methods, and both target Brazilian users and banks. The attack chain involves obfuscated PowerShell commands and the download of additional payloads from command-and-control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.