    WhatsApp Worm Targets Brazilian Banking Customers – Sophos News

By big tee tech hub, October 11, 2025
    Counter Threat Unit™ (CTU) researchers are investigating multiple incidents in an ongoing campaign targeting users of the WhatsApp messaging platform. The campaign, which started on September 29, 2025, is focused on Brazil and seeks to trick users into executing a malicious file attached to a self-spreading message received from a previously infected WhatsApp web session. If executed, the worm attempts to replicate itself to the victim’s WhatsApp contacts and install a banking trojan tailored for Brazilian banks and cryptocurrency exchanges.

In one incident observed by Sophos analysts, a user downloaded a ZIP archive via WhatsApp Web, the browser-based version of the messaging platform. Third-party reports of similar activity reveal that the archive file was attached to a WhatsApp message originating from a known WhatsApp contact. The message stated the content could only be viewed on a computer (see Figure 1), a ploy to ensure the recipient opened the file on a desktop computer rather than a mobile device. The archive contained a malicious Windows LNK file that, when launched, initiated a series of malicious PowerShell commands.

    [Image: a translated WhatsApp message alongside the original]

    Figure 1. WhatsApp message sent from an infected WhatsApp contact (left, source: X.com), with translation (right)

    The target field of the LNK file contained an obfuscated Windows command that constructed and ran an initial Base64-encoded PowerShell command. The first-stage PowerShell command covertly launched an Explorer process that downloaded the next-stage PowerShell command from a remote command and control (C2) server hosted on hxxps://www.zapgrande[.]com (see Figure 2).

[Image: the obfuscated first-stage PowerShell alongside the decoded command]

    Figure 2. First-stage PowerShell command launches from malicious LNK file. (Source: Sophos)

    The downloaded second-stage PowerShell command attempted to modify local security controls. Comments written in Portuguese in the PowerShell explicitly stated the author’s defense evasion goals: “add an exclusion in Microsoft Defender” and “disable UAC” (see Figure 3).

[Image: the deobfuscated second-stage PowerShell commands]

    Figure 3. Second-stage PowerShell aims to disable security defenses. (Source: Sophos)

As of this publication, Sophos has detected first-stage PowerShell activity in over 400 customer environments on more than 1,000 endpoints. The archive files follow several naming patterns, including NEW-20251001_150505-XXX_XXXXXXX.zip, ORCAMENTO_XXXXXXX.zip, and COMPROVANTE_20251002_XXXXXXX.zip. ‘Orçamento’ and ‘comprovante’ are Portuguese for ‘quote’ (or ‘budget’) and ‘receipt’ (proof of payment), both plausible attachments in a business chat. Three unique C2 domains were observed, and an additional payload was identified in five infections. This additional payload was the legitimate Selenium browser automation tool, which enabled control of running browser sessions on the infected host.

    Sophos analysis of the Selenium cases is ongoing, but the initial stages of infection and the presence of the Selenium payload align with third-party reporting that describes the same campaign delivering two possible payloads to infected endpoints: a Selenium instance with a matching ChromeDriver, and a banking trojan named Maverick. Both payloads were delivered via the same C2 infrastructure and only to hosts that passed a set of anti-analysis checks. The Maverick implant monitored active browser sessions for connections to a target list of URLs associated with Brazilian banks and cryptocurrency exchanges. When traffic matched a target financial domain, a subsequent feature-rich .NET banking trojan was installed.

Sophos researchers are also investigating possible links between the ongoing campaign and a series of previously reported campaigns that distributed a banking trojan named Coyote to Brazilian users. Coyote was first reported in February 2024 and was distributed as a Windows application updater built using the Squirrel utility. In January 2025, threat actors used malicious LNK files to start a multi-stage PowerShell infection chain that infected hosts with Coyote payloads created with the Donut shellcode generation tool. A May 2025 report attempted to link prior Coyote malware campaigns with the Coyote banking trojan distributed via WhatsApp Web messages in January. None of the infections observed by Sophos in the September campaign resulted in the delivery of a banking trojan payload, but the few Selenium cases likely resulted in WhatsApp Web session hijacking and self-propagation (see Figure 4). Sophos researchers are working to independently determine whether Maverick is an evolution of Coyote.

[Image: diagram of the WhatsApp worm infection chain]

    Figure 4. Infection chain delivering Selenium payload. (Source: Sophos)

    CTU™ researchers recommend that organizations educate employees about the risks of opening suspicious attachments sent via social media and instant messaging platforms, even if received from known contacts. Prompt response to detections of suspicious PowerShell execution can contain infections in early stages of the kill chain.

    The threat indicators in Table 1 can be used to detect activity related to this threat. The domains may contain malicious content, so consider the risks before opening them in a browser.

Indicator            Type         Context
expansiveuser . com  Domain name  C2 server used in WhatsApp worm campaign
zapgrande . com      Domain name  C2 server used in WhatsApp worm campaign
sorvetenopote . com  Domain name  C2 server used in WhatsApp worm campaign

    Table 1. Indicators for this threat (domains shown defanged).
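The indicators above are printed defanged, and a naive substring search for them would miss the subdomain used in Figure 2 and would match lookalike names. The following script is an added example (not Sophos or CTU code) that refangs the Table 1 entries, then matches them against DNS query records by exact name or subdomain, with a trailing-dot FQDN and a lookalike prefix included to show the edge cases. The log format and log lines are constructed for the example; nothing is resolved or fetched, so the caution about not opening the domains still holds.

```python
"""Match defanged C2 domain indicators against DNS query log lines.

Added example, not Sophos or CTU code. Log lines are constructed; the log
format (timestamp, client IP, query type, query name) is an assumption.
"""
import re
from urllib.parse import urlsplit

# Indicators as the page prints them, plus the Figure 2 URL form to show
# that "hxxps://" and "[.]" defanging is handled too.
RAW_INDICATORS = [
    "expansiveuser . com",
    "zapgrande . com",
    "sorvetenopote . com",
    "hxxps://www.zapgrande[.]com",
]

# Constructed sample log, not telemetry from the campaign.
SAMPLE_DNS_LOG = """\
2025-10-02T14:05:11Z 10.0.4.17 A www.zapgrande.com
2025-10-02T14:05:12Z 10.0.4.17 A cdn.example.com
2025-10-02T14:06:40Z 10.0.4.23 A sorvetenopote.com
2025-10-02T14:07:02Z 10.0.4.23 A notzapgrande.com
2025-10-02T14:07:30Z 10.0.4.31 AAAA update.sorvetenopote.com.
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)$"
)


def refang(indicator: str) -> str:
    """Undo common defanging conventions and return a bare host name."""
    s = indicator.strip().lower()
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."),
                     (" . ", "."), ("[:]", ":")):
        s = s.replace(old, new)
    if "://" in s:
        # URL form: keep only the host part.
        s = urlsplit(s).hostname or s
    return s.strip(".")


def host_matches(host: str, domain: str) -> bool:
    """True if host is the indicator domain itself or a subdomain of it.
    Suffix matching on a '.' boundary rejects lookalikes such as
    notzapgrande.com; the trailing dot of an FQDN is ignored."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_dns_log(text: str, indicators=RAW_INDICATORS):
    """Return (timestamp, client, queried name, matched indicator) tuples.
    When several indicators match, the shortest (registrable domain) is
    reported so www.zapgrande.com is attributed to zapgrande.com."""
    domains = sorted({refang(i) for i in indicators})
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = m["query"].lower().rstrip(".")
        matched = [d for d in domains if host_matches(query, d)]
        if matched:
            hits.append((m["ts"], m["client"], query, min(matched, key=len)))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 lookup:", *hit)
```

Feed the output of `scan_dns_log` straight into a ticket or a SIEM lookup; the client IP in each hit is the host to isolate first, because on this page a C2 lookup is evidence that the first-stage PowerShell already ran.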

The Sophos MDR (Managed Detection and Response) case-creating detections relating to this threat are detailed in Table 2.

Name                                                    Description
WIN-EXE-PRC-POWERSHELL-WITH-BASE64-START-1              Detects a suspicious PowerShell process whose command line begins with suspicious Base64-encoded commands
WIN-EXE-PRC-POWERSHELL-WITH-BASE64-START-1-SUSP-PARENT  Detects a suspicious PowerShell process whose command line begins with suspicious Base64-encoded commands, spawned from a suspicious parent
WIN-PRI-EXE-SUSP-7ZIP-SUBPROCESS-1                      Identifies suspicious processes spawning from 7-Zip, including cmd.exe and powershell.exe, that could indicate attempted exploitation of CVE-2022-29072

    Table 2. Sophos MDR detections covering this threat.

