Blue Margay
Overview
The purpose of this post is to describe the TTPs of the threat group Blue Margay, as named by SCILabs, which targets users and organizations primarily in Brazil with the aim of committing banking fraud. Its malware can steal banking credentials and, in some variants, also detect and attack cryptocurrency and payment platforms. Through an advanced technical arsenal that integrates the Silver Oryx Blade, Coyote, and Maverick banking trojans, the group has demonstrated critical capabilities for dynamic transaction monitoring and the interception of cryptocurrency platforms.
The attribution of different malware variants to this threat group is based on the record of multiple technical similarities among its artifacts, notably the recurring use of the WatsonTCP library for communication with the command-and-control (C2) server, the use of Fody Costura to embed resources within binaries developed with .NET, and identical encryption and obfuscation routines based on AES and Base64. In addition to using these development tools, these threats exhibit a linked infrastructure through the use of local X509 certificates to secure their SSL tunnels and maintain an identical victim profile, designed exclusively to target end users in Brazil through environment validation and geofencing.
This adversary’s primary initial access vector is through phishing campaigns to distribute malware, impersonating a tax authority such as Brazil’s Ministério da Fazenda (Ministry of Finance). Additionally, phishing emails were observed that purport to originate from internal departments such as finance and HR, using pretexts such as a supposed salary bonus or sudden changes to vacation requests.
Another access vector is via WhatsApp Web messages from previously compromised contacts, containing a ZIP file with a malicious LNK file used as a dropper.
Based on its investigation, SCILabs observed that Blue Margay has been targeting Brazil with its campaigns since at least February 2024 using the Coyote banking trojan; however, based on the evidence provided in this report, SCILabs determined with a high degree of confidence that the group is operating behind other threats of this type, such as Silver Oryx Blade and Maverick, which are developed with the assistance of artificial intelligence according to some open sources.
Region of Operation
As a result of open-source intelligence gathering and the analysis of various malicious artifacts, SCILabs determined with a high degree of confidence that the primary target country for this threat group’s operations is Brazil, marked in red, while countries marked in yellow are potential targets for this threat actor.

Figure 1. Region of operation determined by SCILabs
Relevant Blue Margay Activity
The following image shows a timeline of some Blue Margay attacks based on events identified by SCILabs since August 2024, due to their media impact or magnitude.

Figure 2. Blue Margay campaign timeline
The attacks observed in the Blue Margay timeline are described below:
- February 2024: A campaign involving the Coyote banking trojan was documented in open sources, targeting users in Brazil from over 60 banking institutions. This campaign featured the use of the Squirrel installer, the NodeJS application, and a .NET-based final payload, as well as AES encryption.
- February 2024: SCILabs identified a campaign involving the Coyote banking trojan targeting Brazil; distributed via ZIP files disguised as PDF documents. These files contain an executable dropper compiled in C/C++, approximately 101 MB in size. This dropper uses Squirrel to install a malicious NuGet package named Kachalov-1.3.6-full.nupkg and deploys a loader written in Nim, which unpacks and executes a .NET stage in memory. Coyote employs obfuscation techniques such as AES and Base64 tables and uses DLL Side-Loading on a legitimate Google Chrome executable to execute its final stage.
- August 2024: SCILabs identified a banking trojan campaign, named in-house Silver Oryx Blade, targeting Brazil, initially detected in a malicious MSI file compressed in a ZIP archive. It employs the DLL Side-Loading technique to inject an obfuscated payload into memory. The trojan establishes persistence via a shortcut in the startup folder and communicates with its C2 servers using WatsonTCP. Silver Oryx Blade has been identified as monitoring the windows of nearly 50 Brazilian banking institutions and includes tools such as Json.NET and Fody Costura in its .NET/C++ artifact chain.
- May 2025: An investigation regarding a new variant of the Coyote banking trojan was published. This variant spreads via WhatsApp Web, using a ZIP attachment containing an embedded LNK file that downloads remote payloads, and a malicious Chrome extension that enabled worm-like propagation by forwarding the ZIP file to the victim’s WhatsApp contacts.
- July 2025: Open-source reporting documented a variant of the Coyote banking trojan, describing the first confirmed case of a malicious Microsoft UI Automation (UIA) usage. This Coyote variant targeted users in Brazil and used UIA to extract credentials linked to 75 banking and cryptocurrency addresses, demonstrating a significant evolution from the initial variants.
- October 2025: Open-source intelligence documented a massive campaign in Brazil involving a new banking trojan called Maverick, distributed via WhatsApp as a ZIP file containing a malicious LNK file. The investigation highlighted that the threat shared code similarities with Coyote and that it monitored 26 Brazilian banks, 6 cryptocurrency services, and 1 payment platform, without naming the organizations.
Who might be affected?
Through constant monitoring in the region, SCILabs identified that Blue Margay’s primary target is end users of financial institutions in Brazil. It is distributed via phishing emails using various pretexts, such as alleged salary bonuses, PIX transfers, and tax notices, impersonating financial and human resources departments as well as the Brazilian Ministry of Finance.
How can it affect an organization?
Banking trojans operated by the Blue Margay threat group could steal information from financial institutions and users’ cryptocurrency platforms, including employees of these organizations. If an attack is successful within an organization, cybercriminals can leak or sell the stolen information on clandestine Dark Web forums or on the black market, jeopardizing the confidentiality, integrity, and availability of your information and causing reputational damage.
Threat Group’s Operational Model
Their operational model points to a banking fraud scheme, targeting end users primarily in Brazil. Initial access is gained through email phishing, using urgent and highly credible pretexts such as overdue invoices, deliveries, tax notices, salary bonuses, PIX transfers, and messages sent via WhatsApp containing compressed files. The group exploits both institutional trust (impersonating financial agencies or government ministries) and interpersonal trust (messages forwarded from compromised accounts) to fulfill their attacks.

Figure 3. Example of a phishing template for the Silver Oryx Blade and Coyote banking trojans
The malware operated by this threat group waits for the victim to open a banking app or website, and then activates various capabilities, such as enumeration of banking sites, fake authentication (login) or MFA windows, phishing overlays, keyloggers, screenshots, and screen locking. Additionally, in more recent variants, they use Microsoft UI Automation to inspect browser elements and detect banking or cryptocurrency portals. This pattern indicates an interest in capturing valid credentials, authentication data, and real-time transactional context, rather than simply exfiltrating files. The wide range of targets also reinforces this model:
| Financial institutions | | |
|---|---|---|
| Binance | Banco de Brasília | Mercado Bitcoin |
| Banco do Brasil | Banco Regional de Desenvolvimento do Extremo Sul | Mercado Pago |
| Bradesco | BTG Pactual | Banco Mercantil do Brasil |
| Banco da Amazônia | Caixa Econômica Federal | Banco Santander Brasil |
| Banco Bmg | Citibank | Banco Rendimento |
| Banco BS2 | Confesol | Banco Safra |
| Banco Fibra | Viacredi (Ailos) | Sicoob |
| Banco PAN | Cora Sociedade de Crédito | Banco Sofisa |
| Banco Topázio | Credisan | Stone |
| Banco Banese | Credisis | Tribanco |
| Banco do Estado do Espírito Santo (Banestes) | Banco Daycoval | Unicred |
| Banpará | Banco Original | Uniprime |
| Banrisul | Foxbit | Sisprime de Brasil |
| BitcoinTrade | Banco do Pará | Banestes |
| Blockchain | Sicredi | Zeitbank |
| Banco do Nordeste do Brasil | Itaú Unibanco | |
Table 1. Financial institutions targeted by banking trojans operated by Blue Margay
Blue Margay attacks primarily have the following characteristics, observed in banking trojan variants such as Maverick and Coyote:
- Use of phishing and, in more recent variants, propagation via instant messaging from the infected victim’s account. Additionally, the usage of embedded links or compressed files (ZIP) that deliver artifacts such as MSI, EXE, or LNK. In several cases, these links redirect to cloud infrastructure or redirection services before downloading the ZIP.
- Use of combined technologies such as Electron/Node.js, PowerShell, .NET, Nim, and shellcode, with multi-stage execution to hinder analysis and detection.
- Use of installers or packagers to hide the initial stage, including Squirrel/NSI and MSI.
- Use of DLL Side-Loading/DLL hijacking by leveraging legitimate binaries to load malicious components.
- Local information-gathering capabilities, such as keylogging, screenshots, and clipboard data theft, to facilitate banking fraud and obtain authentication context.
- Use of Microsoft UI Automation (UIA) to inspect browser interface elements (tabs, address bar) and identify banking or crypto portals even when the window title does not directly match.
- Installation of malicious browser extensions in specific campaigns, deploying an extension for Google Chrome and Brave, loaded from %AppData% and forced via custom profiles to spread via WhatsApp Web.
- Communication with C2 via sockets and specialized .NET libraries, including the use of WatsonTCP.
- Use of encryption and obfuscation, particularly AES, Base64, and obfuscated JavaScript, for both strings and intermediate or final payloads.
- Implementation of anti-analysis controls and environment validations, such as virtual machine verification, geofencing, or language/region validation to prioritize victims in Brazil.
Analysis of Banking Trojans Operated by Blue Margay
The following describes the banking trojan campaigns operated by Blue Margay, identified by SCILabs through open-source intelligence processes and the analysis of various malicious artifacts.
Silver Oryx Blade
In August 2024, SCILabs identified a new banking trojan through threat monitoring and hunting in LATAM, which it named Silver Oryx Blade. Among its key identified characteristics are the compromise of Minecraft servers as a malware repository and the combination of different programming languages during the infection chain.
Silver Oryx Blade is distributed through phishing campaigns impersonating Brazilian organizations such as PIX of the Central Bank of Brazil, the Brazilian Ministry of Finance, and the finance departments of Brazilian organizations.

Figure 4. Example of a phishing template using the pretext of a supposed PIX transfer
Because Blue Margay uses artifacts developed in-house in C#, C++, and Nim, as well as libraries such as Fody Costura, WatsonTCP, and Json.NET, and based on victimology, Silver Oryx Blade can be attributed to this threat group.
The summary of the attack flow observed in this banking trojan is as follows.
- The victim receives a phishing email using alleged salary bonuses, PIX transfers, and tax notices as pretexts, impersonating financial and human resources departments as well as Brazil’s Ministry of Finance.
- The email contains a URL that redirects the victim to a site that automatically downloads a ZIP file; this archive contains the trojan’s first dropper, in MSI format.
- When the MSI file is executed, the infection chain begins.
- The MSI, which embeds a DLL developed in .NET together with a Base64-encoded payload, extracts the artifacts needed to install the trojan.
- The trojan creates a directory in %PUBLIC% with a pseudo-random name in CamelCase format, based on a GUID (e.g., Bebfeeebfaea or Cewhcqvcwqqzjrvlzca). In this directory, it deploys a legitimate executable program vulnerable to DLL Side-Loading, which loads the trojan into memory, along with a loader developed in C++, an obfuscated payload, and legitimate Microsoft DLLs used during execution.
- As a persistence mechanism, the trojan creates a shortcut in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
- The trojan communicates with one of its configured command-and-control (C2) servers, if any are available.
- Once the victim accesses sites of interest for the malware, the trojan begins stealing banking information, such as usernames and passwords, which are sent to the attacker’s C2 server.
After recovering and analyzing the Silver Oryx Blade trojan in its penultimate phase, SCILabs identified the use of the .NET WatsonTCP library with an X509 certificate protected by the password “f134f2a14df14c449b36ed67d6d73ff8” to communicate with its C2 server, with the following options:
- MutuallyAuthenticate = true: Configures mutual authentication, also known as two-way authentication, for the SSL connection. In a standard SSL/TLS connection (such as when browsing the internet), only the client verifies that the server is who it claims to be. With MutuallyAuthenticate = true, the server also verifies the client: the client must present a valid digital certificate during the SSL handshake, and the server must be configured to accept it. With this setting, the attackers ensure that the C2 server only accepts connections from compromised devices that possess a specific certificate, in this case the self-signed certificate bundled with the trojan.
- AcceptInvalidCertificates = true: Allows the SSL/TLS connection to proceed even if the presented certificate cannot be validated by a trusted certificate authority (CA), which is what permits the use of the bundled self-signed certificate.

Figure 5. Encrypted certificate information retrieved by SCILabs from Silver Oryx Blade

Figure 6. WatsonTcp with mutual authentication enabled and configured to accept an invalid certificate in Silver Oryx Blade
The following list contains the banks and financial institutions of interest to Silver Oryx Blade identified by SCILabs during the analysis, in which approximately 50 entities were identified, including fintechs such as Mercado Pago and Binance.
| Financial institutions | | |
|---|---|---|
| BTG Pactual | Banco da Amazônia | Credisan |
| Banco BS2 | Banco de Brasília | Credisis |
| Banco Banese | Banco do Brasil | Foxbit |
| Banco Bmg | Banco do Estado do Espírito Santo (Banestes) | Itaú Unibanco |
| Banco Daycoval | Banco do Nordeste do Brasil | Mercado Bitcoin |
| Banco Fibra | Banpará | Mercado Pago |
| Banco Mercantil do Brasil | Banrisul | Sicredi |
| Banco Original | Binance | Sisprime de Brasil |
| Banco PAN | BitcoinTrade | Stone |
| Banco Regional de Desenvolvimento do Extremo Sul | Blockchain | Tribanco |
| Banco Rendimento | Bradesco | Unicred |
| Banco Safra | Caixa Econômica Federal | Viacredi (Ailos) |
| Banco Santander Brasil | Citibank | Zeitbank |
| Banco Sofisa | Confesol | |
| Banco Topázio | Cora Sociedade de Crédito | |
Table 2. Banking institutions of interest to Silver Oryx Blade
During the analysis, the use of the Newtonsoft Json.NET framework was identified for handling the data transmitted to the C2. This library was found inside the main binary because the operators of this trojan use Fody Costura, an add-in that embeds (packages) dependencies as resources within the same main executable/assembly and, at runtime, loads those embedded DLL files from the executable’s resources when the Common Language Runtime (CLR) requests them. Fody Costura simplifies software distribution by producing a single-file application, eliminating the need to ship multiple DLL files alongside the executable.

Figure 7. Fody Costura implementation identified in the Silver Oryx Blade variant

Figure 8. Attack flowchart observed in the August 2024 Silver Oryx Blade campaign
Observed TTPs aligned with the MITRE® ATT&CK framework

Table 3. Observed TTPs aligned with the MITRE® ATT&CK framework
Coyote
Coyote is a banking trojan primarily targeting users in Brazil, designed to facilitate financial fraud by stealing credentials and manipulating banking sessions in real time. Public research describes it as a multi-stage threat in its infection process, which includes the use of Squirrel-type installers, NodeJS/Electron components, and .NET payloads. Coyote remains dormant until it detects access to target institutions, at which point it activates capabilities such as phishing overlays, screen capture, and keylogging to obtain sensitive data. Furthermore, later variants have incorporated more advanced techniques, such as the abuse of Windows UI Automation, reinforcing its relevance as a constantly evolving banking trojan in the Brazilian ecosystem.
Coyote attacks primarily have the following characteristics:
- ZIP as dropper/LNK as dropper (using a one-liner PowerShell script) that generates a process with a random 5-character name for file downloads.
- ZIP file named as a PDF/LNK file named as a PDF.
- .exe installer that appears to be a PDF file.
- Installer compiled in C++.
- Installer larger than
- Software installation screen when the program is launched.
- Installing
- Artifacts in the Windows %LocalAppData% path.
- NuGet package (Loader).
- AES encryption to obfuscate code.
- The decoded code is in Base64.
- DLL Side-Loading (using a legitimate Chrome executable).
- Uses the path C:\Users\<username>\Documents\Images
- Persistence in the registry keys HKCU\Environment\UserInitMprLogonScript (script execution at logon) and HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- Monitors the Google Chrome browser for banking sites to steal financial information.
- C2 with specific communication commands.
- Fileless (malware without files) with multiple stages in the infection process.
In February 2025, SCILabs observed that the payload injected into memory has the following objectives:
- Using Donut, it decrypts, downloads, and executes the final payload of the Coyote banking trojan.
- It establishes persistence via a registry value with a name similar to uvnyjjfz, with random characters and length, located under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- It collects and sends information about the infected computer (hostname, operating system, installed antivirus, etc.) to the campaign operators’ C2 server.
- It executes the PowerShell command stored in the registry to establish persistence, with the aim of downloading and executing the final payload of the Coyote banking trojan.
Finally, the Coyote banking trojan begins monitoring active browser windows in search of more than 1,000 sites of interest, including Brazilian banking and other sites, among which are those shown in the following table.
| Financial institutions | | |
|---|---|---|
| BTG Pactual | Banco da Amazônia | Cora Sociedade de Crédito |
| Banco BS2 | Banco de Brasília | Credisan |
| Banco Banese | Banco do Brasil | Credisis |
| Banco Bmg | Banco do Estado do Espírito Santo (Banestes) | Foxbit |
| Banco Daycoval | Banco do Nordeste do Brasil | Itaú Unibanco |
| Banco Fibra | Banco do Pará | Mercado Bitcoin |
| Banco Mercantil do Brasil | Banestes | Mercado Pago |
| Banco Original | Banrisul | Sicredi |
| Banco PAN | Binance | Sisprime de Brasil |
| Banco Regional de Desenvolvimento do Extremo Sul | BitcoinTrade | Stone |
| Banco Rendimento | Blockchain | Tribanco |
| Banco Safra | Bradesco | Unicred |
| Banco Santander Brasil | Caixa Econômica Federal | Uniprime |
| Banco Sofisa | Citibank | Viacredi (Ailos) |
| Banco Topázio | Confesol | Zeitbank |
Table 4. Financial institutions of interest to Coyote
Once the trojan identifies a site of interest, it initiates communication with the command-and-control server, waiting to receive commands that are encoded based on the length of the received string.
While preparing this report, SCILabs analyzed a sample of the Coyote banking trojan, identifying the implementation of the WatsonTCP library with SSL tunnels that imports an X509 certificate, protected by the password “b4b54f7ea7c14e28bf1ceb93e1b05cb1”.
Additionally, to communicate with its C2 server, it configures the following options:
- MutuallyAuthenticate = true: Configures mutual authentication, also known as bidirectional authentication. The connection requires the server to verify the client and the client to verify the server. The client must present a valid digital certificate during the SSL handshake, and the server must be configured to accept it. With this functionality, attackers ensure that the C2 server only accepts connections from compromised devices that possess a specific certificate, which in this case would be self-signed.
- AcceptInvalidCertificates = true: In WatsonTcp, this allows the SSL/TLS connection to proceed even if the presented certificate cannot be validated by a trusted certificate authority (CA).

Figure 9. WatsonTcp with mutual authentication enabled and accepting an invalid certificate in Coyote

Figure 10. PFX-type certificate imported from the password-protected executable resources of Coyote

Figure 11. Encrypted certificate information retrieved by SCILabs used by Coyote

Figure 12. AcceptInvalidCertificates and MutuallyAuthenticate values set to true
Additionally, SCILabs identified in open sources that a Coyote campaign implements mutual authentication to establish communication with its C2 server.

Figure 13. Excerpt from public sources showing the use of mutual authentication in the Coyote variant
Coyote uses Fody Costura, which embeds dependencies within the main executable/assembly as resources and, at runtime, loads those embedded DLL files when the Common Language Runtime (CLR) requests them. In the case of the Coyote variant, Fody Costura packages Newtonsoft and WatsonTcp. This Fody Costura add-in facilitates software distribution by creating a single-file application, eliminating the need to send multiple DLL files along with the executable.

Figure 14. Fody Costura identified in the Coyote variant

Figure 15. Identified attack flow of the Coyote banking trojan
Observed TTPs aligned with the MITRE® ATT&CK framework

Table 5. Observed TTPs aligned with the MITRE® ATT&CK framework
Maverick
In November 2025, through open-source monitoring, SCILabs tracked an investigation stemming from an incident in which a suspicious download of a ZIP-type compressed file was initially detected from WhatsApp Web (web[.]whatsapp[.]com). Based on that investigation, several artifacts were linked to a campaign targeting Brazilian users, concluding that the downloaded file, identified as Maverick, bore significant similarities to previously reported Coyote campaigns. In the analysis, the full infection chain was not observed, as some subsequent files were not delivered by the C2 at the time of the investigation; therefore, its correlation with Coyote is based on the recovered samples, the IoCs (Indicators of Compromise), and comparison with previous public investigations.
Some specific characteristics of the Maverick banking trojan are listed below:
- WhatsApp Web as the primary vector: It is distributed on a massive scale via WhatsApp messages containing malicious ZIP files.
- Worm-like propagation: Once the system is infected, it uses Selenium and WPPConnect to hijack the active WhatsApp Web session and automatically forward the malicious file to all the victim’s contacts.
- LNK as a dropper with complex obfuscation: The ZIP file contains a shortcut (LNK) that executes highly obfuscated PowerShell commands using split tokens, multiple “FOR” loops, and UTF-16LE encoding to reconstruct the download URL.
- Fileless Execution (entirely in memory): The infection chain is designed to be memory-resident, loading .NET assemblies and shellcodes without leaving large persistent artifacts on disk.
- Strict geofencing (Brazil): Before installing, it performs exhaustive checks on the time zone (UTC-5 to UTC-2), system language (pt-BR), region, and date format to ensure the victim is in Brazil.
- Persistence via lightweight batch files: Instead of installing the full trojan, it creates a .bat file in the startup folder (e.g., HealthApp-*.bat) that re-downloads the initial loader from the C2 server after each reboot.
- AI-assisted development: It has been documented that the attackers used AI to assist in writing the code, particularly for certificate decryption logic and general agent functions.
- Network infrastructure with WatsonTCP: It uses the .NET WatsonTCP library to establish stable SSL/TLS communication tunnels with its command-and-control (C2) server.
- Protection with local X509 certificates: Communications are secured using password-protected local digital certificates to enable mutual authentication and evade traffic inspection.
- Use of overlays: It can display fraudulent phishing windows over legitimate bank pages to capture credentials and MFA codes.
- Advanced remote control capabilities: Includes functions for taking screenshots, keylogging, mouse control, screen locking, and terminating system processes.
- Configuration encryption (AES/GZIP): Lists of financial target URLs are stored compressed with GZIP, encrypted with AES-256, and encoded in Base64 to hide the targets from static analysis.
Among its key capabilities, Maverick includes WhatsApp Web automation via WPPConnect and Selenium, allowing it to forward malicious messages from compromised accounts and expand the campaign’s reach. At the same time, the banking component can fully control the infected device, taking screenshots, enabling keylogging, controlling the mouse, locking the screen upon detecting access to a banking site, and displaying overlay phishing windows to capture credentials. Once active, it monitors the victim’s access to 26 Brazilian banks, 6 cryptocurrency platforms, and 1 payment platform, which the public report does not name explicitly.
| Financial institutions | | |
|---|---|---|
| BTG Pactual | Banco da Amazônia | Credisan |
| Banco BS2 | Banco de Brasília | Credisis |
| Banco Banese | Banco do Brasil | Foxbit |
| Banco Bmg | Banco do Estado do Espírito Santo (Banestes) | Itaú Unibanco |
| Banco Daycoval | Banco do Nordeste do Brasil | Mercado Bitcoin |
| Banco Fibra | Banco do Pará | Sicoob |
| Banco Mercantil do Brasil | Banestes | Sicredi |
| Banco Original | Banrisul | Sisprime de Brasil |
| Banco PAN | Binance | Stone |
| Banco Regional de Desenvolvimento do Extremo Sul | BitcoinTrade | Tribanco |
| Banco Rendimento | Blockchain | Unicred |
| Banco Safra | Bradesco | Uniprime |
| Banco Santander Brasil | Caixa Econômica Federal | Viacredi (Ailos) |
| Banco Sofisa | Citibank | Zeitbank |
| Banco Topázio | Confesol | |
Table 6. Financial institutions targeted by Maverick identified in open sources
Another notable feature is that Maverick validates if the victim is located in Brazil, checking the time zone, language, region, and date format, with the aim of limiting its execution to that country only. Additionally, it uses Windows UI Automation to extract the title of the active tab in the browser and compare it with a list of targeted financial institutions, stored as a Base64-encoded string, compressed with GZIP, and encrypted with AES-256.
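The Maverick characteristics list and the paragraph above both describe the target list as GZIP-compressed, AES-256-encrypted and Base64-encoded. The following Go program is an added example, not code from any sample or from SCILabs: it shows the decoding order an analyst reverses when recovering such a list, and rejects blobs that were decrypted with the wrong key (bad padding or a missing gzip header). The AES mode (CBC with the IV prepended), PKCS#7 padding, the key derivation (SHA-256 of a passphrase), the fixed IV and the placeholder URL list are all assumptions constructed for the example; the real configuration layout of the samples is not stated in the report.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// deriveKey: 32-byte AES-256 key as SHA-256 of a passphrase. Assumption for
// the example; the report does not state how the samples obtain their key.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// pkcs7Unpad strips PKCS#7 padding; malformed padding is usually the first
// symptom of decrypting with the wrong key.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// DecodeTargetList reverses the three layers in order:
// Base64 -> AES-256-CBC (IV prepended; assumed layout) -> GZIP -> one URL per line.
func DecodeTargetList(b64 string, key []byte) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not an IV plus whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	if pt, err = pkcs7Unpad(pt); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt)) // rejects data without the gzip magic
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	plain, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	return strings.Fields(string(plain)), nil // one URL per line, blanks dropped
}

// EncodeTargetList applies the same layers forwards, with a fixed IV. It only
// builds the constructed sample below; it is not logic recovered from a sample.
func EncodeTargetList(urls []string, key []byte) (string, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	zw.Write([]byte(strings.Join(urls, "\n")))
	if err := zw.Close(); err != nil {
		return "", err
	}
	pt := zbuf.Bytes()
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // constructed, fixed for reproducibility
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// SampleTargets is a constructed placeholder list, not the real target set.
var SampleTargets = []string{"bank-a.example", "bank-b.example/login", "exchange-c.example"}

func main() {
	key := deriveKey("placeholder-passphrase")
	blob, _ := EncodeTargetList(SampleTargets, key)
	fmt.Println(DecodeTargetList(blob, key))
}
```

The order matters when triaging a real sample: Base64 decoding always succeeds on well-formed text, so the padding check and the gzip magic bytes are the two cheap signals that tell an analyst whether the key candidate (for example, a string pulled from the binary) was the right one before any URL is read.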
One of Maverick’s key features, according to public sources, is the use of artificial intelligence (AI) in the code-writing process, specifically in the routine that decrypts the local X509 certificate used to secure the banking trojan’s communication with its C2 server. This certificate is exported in encrypted form, and a hardcoded password (Maverick2025!) is used to decrypt it.

Figure 16. Open-source image of Maverick in the process of loading the encrypted X509 certificate
For this report, in the same sample of a Maverick variant analyzed by SCILabs, text strings associated with AI-generated code were also identified, as shown in the following image.

Figure 17. Text strings associated with AI-generated code identified by SCILabs in a Maverick variant
In the same Maverick sample analyzed by SCILabs while preparing this report, the use of the WatsonTCP library with SSL tunnels was identified, along with an X.509 certificate whose password is “Maverick2025!”, used to establish communication with its C2 server. However, in this sample mutual authentication is disabled and invalid certificates are not accepted, because Maverick sets the following options:
- MutuallyAuthenticate = false: Disables mutual (bidirectional) authentication. Only the server authenticates to the client; the client does not need to present a digital certificate during the SSL handshake. In the analyzed code, although a certificate is loaded into _trustedServerCertificate, the client does not use it to identify itself to the C2 server, but to validate the server via certificate pinning.
- AcceptInvalidCertificates = false: WatsonTcp rejects any certificate that cannot be validated. However, this does not mean that validation relies on a trusted public CA; it is performed via certificate pinning: the client embeds the exact C2 server certificate (loaded from Base64 with a password into _trustedServerCertificate) and accepts only that specific certificate, rejecting any other, even one that is technically valid (signed by a trusted certificate authority). This prevents man-in-the-middle (MitM) interception and ensures that the compromised client can only communicate with the C2 server controlled by the threat group.
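The pinning behaviour described above, as an added example that is not code from the samples or from SCILabs: a Go program stands up a loopback TLS listener with a throwaway self-signed certificate and tries three client policies against it. The pinned client accepts the self-signed certificate (which is what "AcceptInvalidCertificates = false" amounts to here, since the pin replaces CA validation), rejects a different certificate such as the one a TLS-inspecting proxy would present, and a client relying on ordinary CA validation rejects the self-signed certificate outright. Certificate names, the SHA-256 pin and the loopback setup are constructed for the example; no certificate from a real sample is reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for the loopback demo.
// It stands in for the embedded certificate the report describes (assumption).
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Fingerprint is SHA-256 over the DER certificate, the value a pinning client compares.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedConfig turns CA validation off and accepts exactly one certificate instead:
// not "trust any CA-signed cert" but "trust this one cert", as the report describes.
func PinnedConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain/hostname validation replaced by the callback below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || Fingerprint(raw[0]) != pin {
				return errors.New("peer certificate does not match pin")
			}
			return nil
		},
	}
}

// Handshake serves one TLS connection on loopback with serverCert and dials it with cfg.
func Handshake(serverCert tls.Certificate, cfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // outcome is observed on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenario tries three client policies against a self-signed server: the right pin,
// a wrong pin (what an inspecting proxy's certificate looks like to the client),
// and ordinary CA validation.
func Scenario() (pinnedOK, wrongPinOK, caValidationOK bool, err error) {
	srv, err := selfSigned("c2.invalid")
	if err != nil {
		return
	}
	proxy, err := selfSigned("inspection-proxy.invalid")
	if err != nil {
		return
	}
	pinnedOK = Handshake(srv, PinnedConfig(Fingerprint(srv.Certificate[0]))) == nil
	wrongPinOK = Handshake(srv, PinnedConfig(Fingerprint(proxy.Certificate[0]))) == nil
	caValidationOK = Handshake(srv, &tls.Config{}) == nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```

For a defender the second result is the useful one: a pinned client behind a TLS-inspecting proxy never completes the handshake, so the observable on the network is a burst of failed or aborted TLS sessions from the host rather than readable C2 traffic, which is itself a detection signal.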

Figure 18. Implementation of WatsonTcp and X509 certificate in the Maverick variant
The X509 public certificate could not be obtained from the Maverick sample analyzed.

Figure 19. Implementation of Fody Costura in the Maverick variant

Figure 20. Flowchart of the attack observed in the current Maverick campaign
Observed TTPs aligned with the MITRE® ATT&CK framework

Table 7. Observed TTPs aligned with the MITRE® ATT&CK framework
Comparison of the different variants of banking trojans operated by Blue Margay
The following table shows a comparison of the observed technical characteristics of the Silver Oryx Blade, Coyote, and Maverick banking trojan variants. However, it is important to note that the characteristics in the first four rows show the highest degree of similarity among the three banking trojans, ranging from the use of languages such as .NET and C++ to the implementation of Fody Costura, WatsonTCP, Newtonsoft Json.NET, and password-protected X509 certificates.
| | Silver Oryx Blade | Coyote | Maverick |
|---|---|---|---|
| Programming languages | .NET C# and C++ | .NET C#, C++ and Nim | .NET C# and C++ |
| Tools and libraries | Fody Costura, WatsonTCP, Newtonsoft Json.NET | Fody Costura, WatsonTCP, Newtonsoft Json.NET, Squirrel, NuGet, Electron app | Fody Costura, WatsonTCP, Newtonsoft Json.NET |
| Certificate | X509 with password | X509 with password | X509 with password |
| Obfuscation and encryption method | Base64 and string removal / AES | Base64 and string removal / AES | AES |
| Payload format | Plain text files / Base64 string in memory | PE | PE |
| Loading and injection methods | DLL Side-Loading | DLL Side-Loading and CLR VirtualAllocEx / WriteProcessMemory | DLL Side-Loading |
| Persistence method | Shortcut in the Windows Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ + EACefSubProcess.lnk | HKCU\Environment\UserInitMprLogonScript and HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Shortcut in the Windows Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ + “HealthApp-” + GUID + “.bat” |
| Installation window | No installation window | Custom | No installation window |
| Trojan size | Less than 2 MB | Over 100 MB in some campaigns | Less than 2 MB |
| C2 | Multiple domains in a single campaign | Multiple domains in a single campaign | Multiple domains in a single campaign |
| Noteworthy technique | Using GUIDs to generate directories with unique names | Windows UI Automation | WhatsApp Web for propagation |
Table 8. Comparative table of Silver Oryx Blade, Coyote, and Maverick variants
Within the decompiled code observed for these three threats, SCILabs identified critical technical similarities such as the use of the “AcceptInvalidCertificates” property, which allows the malware to accept the use of its own local or self-signed X509 digital certificates for traffic encryption, and the implementation of the “MutuallyAuthenticate” property to secure SSL channels through mutual authentication between the agent and the server. These technical similarities in the communication protection logic, along with the use of password-protected certificates, reinforce the hypothesis that this malware ecosystem targeting Brazil is operated and developed by the same threat group.

Figure 21. Process of loading the encrypted X509 certificate in Silver Oryx Blade, Coyote, and Maverick
The Silver Oryx Blade, Coyote, and Maverick banking trojans use the Fody Costura plugin as an advanced packaging technique to embed .NET dependencies and other resources directly within the main binary. The consistent use of this technology across all three threats, along with shared libraries such as Json.NET, represents a significant technical overlap that reinforces the hypothesis that these campaigns are operated by the same threat group.

Figure 22. Implementation of Fody Costura in the Silver Oryx Blade, Coyote, and Maverick variants
Common characteristics between Silver Oryx Blade and Coyote:
- Victims: Both trojans are designed exclusively to target Brazil’s financial ecosystem, monitoring victims’ access to local banking institutions and cryptocurrency services.
- Shared Libraries and Tools: Both threats use the WatsonTCP library to communicate with their command-and-control (C2) servers. They also use the Json.NET (Newtonsoft) framework for data manipulation and Fody Costura to embed .NET resources.
- Text String Obfuscation Method: In open sources, SCILabs identified a variant of the Coyote banking trojan that exhibits an obfuscation technique similar to the one observed by SCILabs in the Silver Oryx Blade banking trojan.
- Use of AES Encryption: Both Coyote and Silver Oryx Blade apply AES encryption to protect specific text strings, banking URLs, or the final payload within their infection payload.
- Programming Languages: Both malware samples are developed using a combination of C# (.NET) and C++ at different stages.
- Linked Infrastructure: It has been detected that the domain milkdavaca[.]com, used in Silver Oryx Blade campaigns, shares the same SSL certificate and registrar as the known Coyote infrastructure.
- Loading Techniques: Both employ the DLL Side-Loading technique to evade detection, using legitimate binaries to load malicious components into memory.
- Application Monitoring: Both actively monitor browser windows to identify when the user accesses one of approximately 50 financial sites of interest.
Silver Oryx Blade – Coyote Text String Obfuscation Method
In the Silver Oryx Blade sample analyzed by SCILabs, a deobfuscation method was identified in the decompiled code of the DLL injected into memory. This method involves decoding a hardcoded text string in the recovered banking trojan code using Base64 and then removing all instances of a second short string that acts as padding: 10 random characters (a mix of digits and lowercase and uppercase letters) such as “jwQqSoXE4u”.

Figure 23. Obfuscated strings in a variant of the Silver Oryx Blade banking trojan
In open sources, SCILabs identified a variant of the Coyote banking trojan that exhibits an obfuscation technique similar to the one observed by SCILabs in Silver Oryx Blade. The technique consists of a Base64-encoded string that, if decoded directly, produces an error or nonsensical output. The program first uses the “Replace” function to remove a fixed random string (e.g., “8sECYQTgBU”) that has been inserted repeatedly into the Base64 text as noise. Once the junk string is removed, the banking trojan applies standard decoding (Base64 to UTF-8) to obtain the plaintext string.

Figure 24. Obfuscated strings in Coyote—a similar technique observed by SCILabs in Silver Oryx Blade
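The Replace-then-decode routine described above for Silver Oryx Blade and Coyote, reconstructed as an added analyst example (this is not the malware's code; the plaintext and the insertion pattern are constructed, while the junk tokens are the two the report quotes). The `recover_junk` helper goes beyond the report: it guesses an unknown junk token from a sample when the analyst has only the obfuscated string.

```python
import base64
import binascii
from collections import Counter

# Constructed test vector (not an IoC from the report): a fake URL, Base64-
# encoded, with a 10-character junk token inserted repeatedly. The token
# itself is the one the report quotes for Silver Oryx Blade.
JUNK = "jwQqSoXE4u"
PLAINTEXT = "https://example.invalid/login"


def obfuscate(plaintext: str, junk: str, every: int = 6) -> str:
    """Build the test vector: Base64-encode, then insert `junk` after every
    `every` characters. Only used to produce input for the decoder below."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    chunks = [b64[i:i + every] for i in range(0, len(b64), every)]
    return junk.join(chunks)


def deobfuscate(obfuscated: str, junk: str) -> str:
    """The routine the report describes: strip every occurrence of the junk
    string (the Replace step), then decode Base64 to UTF-8. validate=True
    makes leftover junk fail loudly instead of decoding to garbage."""
    cleaned = obfuscated.replace(junk, "")
    return base64.b64decode(cleaned, validate=True).decode("utf-8")


def recover_junk(obfuscated: str, length: int = 10):
    """Analyst helper (added here, not from the report): when the junk token
    is unknown, try every repeated `length`-character window, most frequent
    first, and return (token, plaintext) for the first one whose removal
    yields valid Base64 that decodes to UTF-8 text. None if nothing works."""
    windows = Counter(obfuscated[i:i + length]
                      for i in range(len(obfuscated) - length + 1))
    for candidate, hits in windows.most_common():
        if hits < 2:          # the junk is inserted repeatedly, so a window
            break             # seen only once cannot be it
        try:
            return candidate, deobfuscate(obfuscated, candidate)
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None
```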
Based on the above, SCILabs concludes that the Silver Oryx Blade, Coyote, and Maverick trojans exhibit technical convergence, as they share a .NET development framework and the recurring use of the WatsonTCP library for their communications with the command-and-control (C2) server. This infrastructure is reinforced using local X509 certificates embedded in the various Blue Margay malware variants and the shared use of Fody Costura technology to package resources and dependencies directly into the binary. Additionally, the systematic use of AES encryption, Base64 obfuscation, the Json.NET framework, and targeting victims in Brazil via fileless execution confirm a high degree of code and tactic reuse among the three banking trojans.
Blue Margay Diamond Model
The following diamond model was developed based on malware analysis and open-source intelligence processes.

Figure 25. Blue Margay diamond model
Conclusion
According to SCILabs telemetry, the landscape of banking trojans in Brazil has undergone a sustained transformation in recent years; the emergence of Coyote, Silver Oryx Blade, and Maverick demonstrates significant technical convergence and a constant evolution toward stealth.
SCILabs considers that the danger lies in the pioneering use of advanced technologies to evade traditional security solutions. While Coyote stands out as the first malware identified abusing the Microsoft UI Automation (UIA) framework to extract credentials directly from browser tabs, Maverick raises the threat level through an entirely in-memory operation and the possible use of artificial intelligence to assist in writing its code, specifically the decryption logic. The worm-like propagation via WhatsApp Web observed in the most recent variants of Maverick and Coyote allows faster spread that not only facilitates the theft of funds but also erodes users’ digital trust.
For users in Brazil, the potential impact of these three banking trojans could be significant, even for the cybersecurity of the Brazilian financial market, as they actively monitor dozens of banking apps and cryptocurrency services.
Given their history of code refactoring and continuous improvement of tactics, it is highly likely that these banking trojans will continue to evolve, integrating even more complex evasion methods and potentially expanding their reach to other Latin American countries.
SCILabs will continue to monitor this threat with the aim of recovering samples from this family of trojans that will allow for a better understanding of this malware, in order to keep organizations and users updated on changes to its TTPs, new IoCs, or relevant information that could be vital to avoiding becoming a victim of this campaign.
Finally, SCILabs believes it is vital to follow the recommendations below to detect malicious activity related to this campaign early and avoid becoming a victim.
Specific Recommendations for Blue Margay
- Add the IoCs shared in this document to your security solutions to reduce the likelihood of infection by this variant.
- Restrict or block the use of WhatsApp Web on devices that have access to sensitive financial systems or critical corporate information.
- Deploy EDR/NGAV solutions with behavioral analysis capabilities to detect the reflective loading of .NET binaries and the execution of shellcode in memory (such as that generated by the Donut tool).
- Implement strict PowerShell execution policies, blocking obfuscated commands, Base64-encoded commands, and download-and-execute patterns such as Invoke-Expression (IEX) combined with DownloadString. Additionally, conduct threat hunting for these same techniques within your infrastructure.
- Monitor for the creation of files with the filename pattern HealthApp-*.bat in the Windows Startup folder and registry keys such as HKCU\Environment\UserInitMprLogonScript.
- Strengthen multi-factor authentication (MFA) for all access to banking portals and financial services, as these trojans are designed to steal static credentials through phishing overlays.
- Keep the operating system up to date with the latest security patches to reduce the likelihood of an attacker exploiting vulnerabilities in Windows operating systems.
- Train staff, especially in accounting and finance departments, on the dangers of downloading ZIP files containing shortcuts (LNK) received via instant messaging or emails impersonating government entities.
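As an added example (not part of the SCILabs report), a small detector for the two persistence artifacts named in the recommendations above, run over constructed Sysmon-style events. It assumes Sysmon's field names for FileCreate (Event ID 11, TargetFilename) and RegistryEvent value set (Event ID 13, TargetObject, with HKCU written as HKU\<SID>); the user name, SID, paths and GUID are made up.

```python
import re

# Constructed Sysmon-style events (not real telemetry), flattened to one
# "key=value" line each. Field names follow Sysmon's schema: Event ID 11 is
# FileCreate (TargetFilename), Event ID 13 is RegistryEvent value set
# (TargetObject; Sysmon writes HKCU as HKU\<SID>). Paths and SID are made up.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\explorer.exe "
    r"TargetFilename=C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu"
    r"\Programs\Startup\HealthApp-3f2504e0-4f89-11d3-9a0c-0305e82c3301.bat",
    r"EventID=13 Image=C:\Windows\System32\reg.exe "
    r"TargetObject=HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript "
    r"Details=C:\Users\ana\AppData\Roaming\update.bat",
    r"EventID=11 Image=C:\Program Files\Editor\editor.exe "
    r"TargetFilename=C:\Users\ana\Documents\notes.txt",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe "
    r"TargetObject=HKU\S-1-5-21-1111\Environment\Path Details=C:\tools",
]

# Maverick persistence from Table 8: "HealthApp-" + GUID + ".bat" dropped in
# the per-user Startup folder.
STARTUP_BAT_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HealthApp-"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.bat$",
    re.IGNORECASE)
# Coyote persistence from Table 8: a logon-script value that is rarely set
# legitimately, so any write to it deserves a look.
LOGON_SCRIPT_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$",
                             re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split 'key=value key=value' into a dict; values may contain spaces, so
    each value runs until the next ' key=' token or the end of the line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def detect_persistence(lines):
    """Return (rule, image, target) for each event that matches one of the
    two persistence artifacts; all other events are ignored."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == "11" and STARTUP_BAT_RE.search(ev.get("TargetFilename", "")):
            alerts.append(("startup_healthapp_bat", image, ev["TargetFilename"]))
        elif eid == "13" and LOGON_SCRIPT_RE.search(ev.get("TargetObject", "")):
            alerts.append(("userinit_logon_script", image, ev["TargetObject"]))
    return alerts
```

The GUID pattern follows the Table 8 description; loosen it to `HealthApp-[^\\]+\.bat` if the operator changes the naming scheme but keeps the folder.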
Indicators of Compromise
The following indicators were obtained through malware analysis and have a high level of confidence.
SHA256
EB615C093E9B52ED409F426764857E6E42AA85E02ADEF59D6F1457DCBB90BB40
77C552981A57576C12EB0E0BF186424925C70F13AFB5D93D20D28D4DF5FE1A89
56D6D649061458B8524A133ED6DB63C33F4E0A425A64AD927E248286FEA0F677
4469CF139AE0E268B22E6409CF6BBBE807CEE29CBE24C2C40AE42B171FA87788
