Cybersecurity researchers uncover malware targeting Brazilian users via WhatsApp Web

Cybersecurity firms CyberProof, Trend Micro, Sophos, and Kaspersky believe Maverick attacks WhatsApp web users by combining Visual Basic Script and PowerShell with browser automation to hijack accounts and send malicious ZIP archives to contacts. CyberProof’s SOC team investigated an incident where a suspicious file was downloaded through WhatsApp’s web interface. The file was a ZIP archive named NEW-20251001_152441-PED_561BCF01.zip. They recovered hashes SHA1 aa29bc5cf8eaf5435a981025a73665b16abb294e and SHA256 949be42310b64320421d5fd6c41f83809e8333825fb936f25530a125664221de. When victims execute a shortcut (LNK) inside the archive, it deobfuscates code to build and run either cmd or PowerShell, and the commands contact an attacker server to fetch the first stage payload. Maverick malware loader hidden through classic obfuscation According to a blog post published last Monday by the CyberProof research team, the loader has split tokens combined with Base64 and UTF‑16LE encoded PowerShell. It checks for reverse‑engineering tools, and if analysts are present, the loader self‑terminates. Otherwise, it downloads a worm called...

https://www.cryptopolitan.com/maverick-malware-takes-over-whatsapp-web/