Coyote, Maverick Banking Trojans Run Rampant in Brazil
Recorded: Nov. 13, 2025, 5:04 p.m.
| Original | Summarized |
South America's largest country is notorious for banking malware attacks; Maverick self-terminates if its targeted user is based outside Brazil.
Alexander Culafi, Senior News Writer, Dark Reading. November 13, 2025.
Multiple banking Trojans have been claiming victims in Brazil as a result of threat campaigns in recent months.
Researchers with security vendor CyberProof published research this week analyzing two strains of malware that have been targeting Brazilian citizens throughout the year: Coyote and Maverick. CyberProof first covered Coyote back in February, describing how the Trojan targets desktop WhatsApp users and harvests their banking and cryptocurrency credentials.
More specifically, the research blog covers how CyberProof researchers found similarities between Coyote and other recently discovered banking Trojans such as Maverick (covered by Kaspersky and BlueVoyant), Sorvepotel (covered by Trend Micro), and a separate instance of a WhatsApp worm covered by Sophos last month.
Tony Adams, senior threat researcher at Sophos Counter Threat Unit, tells Dark Reading that the security firm has seen several waves of activity in the Latin American region targeting WhatsApp users with banking Trojans.
"Victim counts for these campaigns have numbered in the hundreds of organizations, and those doing business in the region, especially through WhatsApp, are likely to encounter these attacks sooner than later," he says. "For the most recent campaign we reported on in October, we have responded to early-stage activity in more than 400 customer environments across more than 1,000 endpoints."
According to Sophos data, almost all identified infections occurred in Brazil. The researchers tracked more than 450 cases, most involving public sector organizations, but they also saw incidents in manufacturing, technology, education, and construction.
In all cases, the malware targets Brazilian desktop WhatsApp users, seizes financial secrets, and self-replicates to target a compromised victim's contact list. While financially focused malware is nothing new, and while researchers have observed similar campaigns prior to this year, CyberProof's research shows how localized threat campaigns can cause significant damage.
Coyotes & Mavericks
Since its initial February report, CyberProof researchers have dealt with Coyote and a number of similar infections, and as a result, they have observed several parallels between it and the widely covered Maverick. Niranjan Jayanand, advanced threat hunting service lead at CyberProof, tells Dark Reading that Maverick "looks to be an updated version of Coyote's second version compared to its first version seen in 2024."
Beyond the aforementioned similarities, Coyote and Maverick both spread when a prospective victim gets a message (often from an infected user in their contact list) with an attached zip file and a message instructing the target to open the attachment (and execute the included LNK shortcut file) from a desktop computer. When opened, the Windows LNK file executes PowerShell code to initiate a multistage attack.
This includes connecting to a command-and-control (C2) server, downloading the remote payload, and harvesting banking and cryptocurrency secrets.
Although CyberProof identified some differences between the two, both pieces of malware were written in .NET and used similar code for their banking application monitoring routines. Previously observed Maverick campaigns targeted users tied to banking institutions and hospitality organizations, as well as desktop WhatsApp users who got caught up in the self-replication scheme. Coyote's victimology appears to be similar.
CyberProof recommends organizations invest in employee training (particularly regarding how to spot phishing attempts and common attack vectors), access controls, and advanced platforms capable of real-time monitoring.
Why Brazil?
Jayanand tells Dark Reading that CyberProof observed "several thousand infections" connected to these campaigns in its telemetry. In an email, a Trend Micro spokesperson writes that for the campaign the company's researchers tracked, nearly all identified infections occurred in Brazil and researchers tracked more than 450 cases.
One interesting function of the Maverick malware that CyberProof highlighted is that the Trojan checks whether a user is based in Brazil. If not, it self-terminates. This is notable because although Brazil is well known for being targeted by banking malware, hyper-localization at this level is rare.
As for why this is, Jayanand says Maverick and Coyote are focusing their efforts. "As Brazil’s global influence expands, its digital presence grows in parallel, attracting increased attention from both domestic and international cyber threat actors seeking to exploit its critical infrastructure," he says.
Jon Baker, vice president of threat-informed defense at AttackIQ, says the combination of Brazil and WhatsApp makes a lot of sense, considering how much of the country's population uses the platform.
"Given that WhatsApp has over 148 million users in Brazil, it makes for a great platform for launching large scale attacks against Brazilian institutions. For financially motivated threat actors, WhatsApp provides a perfect opportunity to target users, stealing their credentials, and accessing their financial institutions," Baker says. "It's yet another example of adversaries continuing to innovate their technologies and identify new opportunities for large-scale attacks, and another reminder that there is potential for breaches in every corner of the globe." |
Coyote banking Trojans are running rampant in Brazil, posing a significant cybersecurity threat. This issue was brought to light by research conducted by CyberProof, a security vendor that identified two malware strains, Coyote and Maverick, targeting Brazilian citizens primarily through desktop WhatsApp users. The research, published in November 2025 by Dark Reading, details the operational mechanics of these Trojans and their impact on organizations across various sectors, including public sector, manufacturing, technology, education, and construction.
A key aspect of the threat landscape is the localization of these attacks. Maverick, in particular, exhibits a unique function: it self-terminates if the user accessing it is located outside of Brazil. This indicates a focused effort by cyber threat actors, likely driven by Brazil’s expanding global digital presence and its attractiveness as a target due to critical infrastructure and a large user base utilizing WhatsApp. CyberProof researchers tracked over 450 confirmed cases of the malware's infection. This activity is part of a broader trend targeting WhatsApp users, evidenced by multiple campaigns and a growing number of victim organizations.
The malware's operational procedures are consistent across both Coyote and Maverick. These Trojans target Brazilian desktop WhatsApp users, stealing financial and cryptocurrency credentials. They propagate via infected users sending zip files with LNK shortcut files to prospective victims. Upon execution, the LNK file initiates a multistage attack that includes connecting to a command-and-control server, downloading the remote payload, and harvesting sensitive data. Researchers identified similarities in the code utilized by both Trojans, including .NET-based development and similar banking application monitoring routines.
CyberProof recommends organizations invest in employee training, particularly regarding phishing awareness and attack vectors, alongside accessing advanced platforms for real-time monitoring. Researchers noted that the campaigns extended beyond simply theft, leveraging the infected user contact lists to self-replicate and target a wider audience.
The findings highlight the importance of understanding the specific threat landscape in Brazil, given its growing digital influence. As noted by Jon Baker, Vice President of Threat-Informed Defense at AttackIQ, combining Brazil and WhatsApp gives cybercriminals a considerable advantage. Considering that WhatsApp boasts over 148 million users in Brazil, it provides threat actors with a perfect platform to launch large-scale attacks against Brazilian institutions, exploiting the platform for financial gain.
Niranjan Jayanand, Advanced Threat Hunting Service Lead at CyberProof, elaborated on the strategic targeting, explaining that Maverick and Coyote are focusing on Brazil as its global influence expands. The widespread infection rates suggest a sophisticated and coordinated effort by threat actors interested in exploiting Brazil’s digital environment.
The research underscores the need for organizations to adapt their cybersecurity strategies to address these evolving threats. As emphasized by Alexander Culafi, a Senior News Writer at Dark Reading, the combination of Brazil and WhatsApp creates a high-risk environment, reminding businesses to continually innovate their defenses and recognize potential breaches across the globe. |
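
The delivery chain described above (a zip attachment carrying an LNK shortcut that launches PowerShell) can be triaged at a mail or file gateway before anyone opens the archive. The following Python is an added example, not code from CyberProof, Sophos, or the article; the interpreter list, the size cap, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Script hosts worth flagging inside a shortcut (assumed starting list).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")

def lnk_interpreters(data):
    """Return the script hosts named anywhere in a shortcut's raw bytes."""
    if not data.startswith(LNK_MAGIC):
        return []
    # LNK string fields may be ANSI or UTF-16LE, so search both encodings.
    lowered = data.lower()
    return [name for name in INTERPRETERS
            if name.encode("ascii") in lowered
            or name.encode("utf-16-le") in lowered]

def triage_zip(blob, max_member=1_000_000):
    """List shortcut files inside a ZIP and the script hosts they reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member:
                continue  # skip directories and members declared over the cap
            try:
                data = zf.read(info)
            except RuntimeError:  # password-protected member: content unreadable
                data = b""
            is_lnk = data.startswith(LNK_MAGIC)
            # Match on content as well as extension, in case of a renamed file.
            if is_lnk or info.filename.lower().endswith(".lnk"):
                findings.append({"member": info.filename,
                                 "valid_lnk": is_lnk,
                                 "interpreters": lnk_interpreters(data)})
    return findings

def build_sample():
    """Constructed test archive: a fake 76-byte LNK header plus a target path."""
    target = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + target.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.lnk", fake_lnk)    # constructed shortcut
        zf.writestr("readme.txt", "plain text")  # benign member, ignored
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

A finding with a non-empty `interpreters` list is a reason to quarantine the attachment for analysis; a `.lnk` member with `valid_lnk` set to false is either encrypted or malformed and deserves the same handling.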