Full Report
Counter Threat Unit™ (CTU) researchers are investigating multiple incidents in an ongoing campaign targeting users of the WhatsApp messaging platform. The campaign, which started on September 29, 2025, is focused on Brazil and seeks to trick users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp web session. […]
Analysis Summary
# Incident Report: WhatsApp Worm Campaign Targeting Brazilian Banking Customers
## Executive Summary
An ongoing cyber campaign, identified starting September 29, 2025, utilizes a self-spreading WhatsApp worm to target users in Brazil. Attackers leverage malicious LNK files distributed via WhatsApp messages to drop PowerShell scripts that disable security controls and ultimately install a banking trojan (Maverick) or the Selenium browser automation tool. The campaign has impacted over 400 customer environments, posing a significant risk of financial credential theft.
## Incident Details
- **Discovery Date:** On or shortly after September 29, 2025 (Campaign start date)
- **Incident Date:** Campaign started September 29, 2025
- **Affected Organization:** Individual banking and cryptocurrency users targeted; Sophos detected activity in over 400 customer environments.
- **Sector:** Financial Services (Targeting banking/crypto users)
- **Geography:** Brazil
## Timeline of Events
### Initial Access
- **Date/Time:** Starting September 29, 2025
- **Vector:** Malicious attachment delivered via a WhatsApp message originating from a known, previously infected contact's WhatsApp Web session.
- **Details:** The message included a lure suggesting content could only be viewed on a computer, tricking the victim into downloading and opening a ZIP archive containing a malicious Windows LNK file.
### Lateral Movement
- **Details:** Upon execution of the LNK file, the worm used subsequent PowerShell commands to replicate itself by sending the malicious attachment to the victim’s WhatsApp contacts via their active WhatsApp Web session.
### Data Exfiltration/Impact
- **Details:** The ultimate goal was the installation of the Maverick banking trojan, which monitors browser sessions for connections to target Brazilian bank or cryptocurrency exchange domains, leading to the installation of a feature-rich .NET banking trojan for credential theft. In some cases, the Selenium automation tool was installed instead.
### Detection & Response
- **Details:** Sophos Counter Threat Unit (CTU) researchers investigated multiple incidents. Over 1,000 endpoints showed first-stage PowerShell activity.
- **Response actions taken:** Analysis was performed to understand the stages, C2 infrastructure, and payloads (Maverick/Selenium). The source does not fully detail the actions taken by affected users; they would involve containing infected endpoints and remediating after detection.
## Attack Methodology
- **Initial Access:** Malicious LNK file delivered via WhatsApp attachment.
- **Persistence:** Not explicitly detailed for the primary payload; the source describes the worm's automatic spreading via contacts rather than a host persistence mechanism.
- **Privilege Escalation:** Not explicitly detailed, but disabling UAC suggests gaining elevated rights.
- **Defense Evasion:** PowerShell scripts explicitly added exclusions to Microsoft Defender and disabled UAC (User Account Control).
- **Credential Access:** Installation of the Maverick banking trojan to harvest credentials from active financial browsing sessions.
- **Discovery:** Anti-analysis checks were performed by the C2 server before deploying the final payload.
- **Lateral Movement:** Self-spreading mechanism targeting the victim’s WhatsApp contacts list via the compromised WhatsApp Web session.
- **Collection:** Monitoring of active user browser sessions for predetermined financial target URLs.
- **Exfiltration:** Delivery of the banking trojan to exfiltrate credentials upon matching target activity.
- **Impact:** Successful installation of banking malware leading to potential financial fraud, or installation of browser automation tools.
## Impact Assessment
- **Financial:** High potential for direct financial loss due to banking trojan deployment stealing credentials for Brazilian financial institutions and crypto exchanges.
- **Data Breach:** Financial login credentials and potentially other sensitive data handled by the browser.
- **Operational:** Disruption at the user level due to malware installation and security control alteration. Sophos observed activity on >1,000 endpoints.
- **Reputational:** Potential damage to the reputation of compromised contacts whose accounts were used to spread the worm.
## Indicators of Compromise
- **Network indicators:** C2 activity observed at hxxps://www.zapgrande[.]com. Three unique C2 domains observed.
- **File indicators:** Malicious ZIP archives (e.g., NEW-20251001_150505-XXX_XXXXXXX.zip, ORCAMENTO_XXXXXXX.zip, COMPROVANTE_20251002_XXXXXXX.zip), and a malicious Windows LNK file inside.
- **Behavioral indicators:** Execution of obfuscated, Base64-encoded PowerShell commands originating from an LNK file execution, attempts to add Microsoft Defender exclusions, and attempts to disable UAC. Presence of legitimate Selenium/ChromeDriver tools or the Maverick implant.
## Response Actions
- **Containment measures:** Isolation of infected endpoints where activity was observed by Sophos analysts.
- **Eradication steps:** Not stated in the article, but they would involve removing the PowerShell scripts, LNK files, and the installed payloads (Maverick/Selenium).
- **Recovery actions:** Unspecified, but very likely to include credential resets for the targeted financial accounts.
## Lessons Learned
- **Key takeaways:** Attackers are leveraging trusted applications (WhatsApp Web) and social engineering (luring recipients to use a desktop) to deliver highly effective malware chains involving LNK files and multi-stage PowerShell execution.
- **What could have been done better:** Users need heightened awareness regarding unexpected attachments received via chat platforms, even from known contacts, particularly when platform context (like "only viewable on desktop") is used as a lure.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Enable Multi-Factor Authentication (MFA)** on all critical accounts, including WhatsApp Web sessions.
2. **Disable or restrict VBScript/PowerShell auto-execution** where possible, and apply strict constraints on LNK file execution.
3. **Maintain robust Endpoint Detection and Response (EDR)** capable of flagging obfuscated PowerShell execution and attempts to disable security features (like Defender or UAC).
4. **Educate users** specifically on the dangers of opening unexpected attachments received via messaging applications, regardless of the purported sender.
5. **Review browser security settings** and restrict automated browser tool installations onto standard endpoints.
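The behavioural indicators listed under Indicators of Compromise (encoded PowerShell launched from an LNK, Defender exclusions being added, UAC being disabled) and recommendation 3 above both come down to the same detection question: can telemetry flag these actions? The following is an added example, not code from the report or from Sophos CTU, showing how that logic looks over process-creation records. It assumes records shaped like Sysmon Event ID 1 or Windows 4688 (parent image, image, command line), assumes a double-clicked LNK shows up with explorer.exe as the parent, and assumes the scripts used the standard mechanisms for the two actions the report only names in general terms: the Add-MpPreference -Exclusion* parameters and setting the EnableLUA policy value to 0. The sample events, hostnames, paths and the encoded script at the bottom are all constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    # (-e, -ec, -enc, ...), so match on the prefix rather than one spelling.
    flag = token[1:].lower()
    return token.startswith("-") and flag != "" and "encodedcommand".startswith(flag)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded from UTF-16LE base64, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Assumed mechanisms: the report says the scripts "added exclusions to Microsoft
# Defender" and "disabled UAC"; the standard ways to do that are the
# Add-MpPreference -Exclusion* parameters and setting the EnableLUA policy
# value to 0, so that is what these patterns look for.
DEFENDER_EXCLUSION = re.compile(r"(?i)Add-MpPreference\s.*?-Exclusion(?:Path|Process|Extension)")
UAC_DISABLE = re.compile(r"(?i)EnableLUA.{0,60}?(?:/d|-Value)\s+0\b")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def analyze_event(ev: ProcessEvent) -> List[Finding]:
    findings: List[Finding] = []
    decoded = decode_encoded_command(ev.command_line)

    # Rule 1: encoded PowerShell whose parent is explorer.exe, which is how a
    # double-clicked LNK shows up in process telemetry (assumption: the LNK
    # target is launched directly by the shell).
    if (_basename(ev.image) in POWERSHELL_IMAGES
            and _basename(ev.parent_image) == "explorer.exe"
            and decoded is not None):
        findings.append(Finding(ev.host, "lnk_encoded_powershell", ev.command_line[:80]))

    # Rules 2 and 3 run over both the raw command line and the decoded payload,
    # so Base64 encoding does not hide the exclusion or the UAC change.
    seen = set()
    for text in (ev.command_line, decoded or ""):
        for rule, pattern in (("defender_exclusion_added", DEFENDER_EXCLUSION),
                              ("uac_disabled", UAC_DISABLE)):
            if rule not in seen and pattern.search(text):
                seen.add(rule)
                findings.append(Finding(ev.host, rule, text[:80]))
    return findings


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    return [f for ev in events for f in analyze_event(ev)]


# Constructed sample telemetry for this example; none of it comes from the report.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'; "
    "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System' -Name EnableLUA -Value 0"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # benign: an admin script started from the shell, no encoding
    ProcessEvent("WS01", r"C:\Windows\explorer.exe", PS_IMAGE,
                 r"powershell.exe -NoProfile -File C:\Tools\backup.ps1"),
    # LNK-style launch: hidden window, policy bypass, encoded payload
    ProcessEvent("WS02", r"C:\Windows\explorer.exe", PS_IMAGE,
                 f"powershell.exe -w hidden -ep bypass -enc {SAMPLE_B64}"),
    # follow-on child process turning UAC off in plain text
    ProcessEvent("WS03", PS_IMAGE, r"C:\Windows\System32\reg.exe",
                 r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                 r" /v EnableLUA /t REG_DWORD /d 0 /f"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:<26}  {f.evidence}")
```

Running the script prints three findings for WS02 and one for WS03 and nothing for the benign WS01 event. The point worth carrying into a real EDR or SIEM rule is the decode step: an encoded command line is opaque to plain string matching, so the rules for the Defender exclusion and the UAC change are applied to the decoded UTF-16LE payload as well as to the raw command line, and a plaintext follow-on process such as reg.exe is caught on its own.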