Maverick.Agent
Maverick.Agent is malware associated with a WhatsApp-propagated Windows campaign reported by Trend Micro and linked to the broader Sorvepotel activity, which primarily affects Brazil. In this campaign, victims receive a WhatsApp message containing a ZIP archive with the Portuguese lure "baixa o zip no PC e abre" ("download the zip on the PC and open it"). Sorvepotel infects WhatsApp clients on Windows, hijacks WhatsApp Web sessions, and auto-forwards the malicious file to the victim's contacts and group chats. Trend Micro reported that Sorvepotel delivers additional payloads aimed at stealing banking information, including Maverick.StageTwo and Maverick.Agent. Maverick.Agent is described as capable of stealing credentials and displaying fake overlay windows that mimic legitimate banking or financial websites in order to trick users into disclosing sensitive information. Reported infections were heavily concentrated in Brazil, with 457 of 477 known infections there, and affected government agencies, public service entities, and other sectors.
Recent activity
Banking-focused payload capable of credential theft and presenting fake overlay pages to mimic banking sites for fraud.
Maverick.Agent is a credential-stealing malware capable of displaying fake overlay windows that mimic legitimate financial websites to trick users into revealing sensitive information. It is delivered as a related payload in the Sorvepotel campaign.