{"id":1502,"date":"2026-06-01T23:17:37","date_gmt":"2026-06-01T23:17:37","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1502"},"modified":"2026-06-02T23:27:36","modified_gmt":"2026-06-02T23:27:36","slug":"blue-margay","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2026\/06\/01\/blue-margay\/","title":{"rendered":"Blue Margay"},"content":{"rendered":"\n<div class=\"wp-block-columns alignwide is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<h1><a name=\"_Toc230264482\"><\/a>Overview<\/h1>\n<p>The purpose of this post is to describe the TTPs of the threat group <em>Blue Margay<\/em>, as named by SCILabs, which targets users and organizations primarily from Brazil with the aim of committing banking fraud, with the capability of stealing banking credentials and, in some variants, of also detecting or attacking cryptocurrency and payment platforms. 
Through an advanced technical arsenal that integrates the <em>Silver Oryx Blade<\/em>, <em>Coyote<\/em>, and <em>Maverick <\/em>banking trojans, the group has demonstrated critical capabilities for dynamic transaction monitoring and the interception of cryptocurrency platforms.<\/p>\n<p>The attribution of different malware variants to this threat group is based on multiple recorded technical similarities among its artifacts, notably the recurring use of the <a href=\"https:\/\/github.com\/dotnet\/WatsonTcp\">WatsonTCP<\/a> library for communication with the command-and-control (C2) server, the use of <a href=\"https:\/\/github.com\/Fody\/Costura\">Fody Costura<\/a> to embed resources within binaries developed with .NET, and identical encryption and obfuscation routines based on <a href=\"https:\/\/www.nist.gov\/publications\/advanced-encryption-standard-aes\">AES<\/a> and <a href=\"https:\/\/developer.mozilla.org\/es\/docs\/Glossary\/Base64\">Base64<\/a>. In addition to using these development tools, these threats exhibit a linked infrastructure through the use of local <a href=\"https:\/\/www.ssl.com\/es\/preguntas-frecuentes\/%C2%BFQu%C3%A9-es-un-certificado-x-509%3F\/\">X509 certificates<\/a> to secure their <a href=\"https:\/\/www.globalsign.com\/es\/centro-de-informacion-ssl\/que-es-ssl\">SSL tunnels<\/a> and maintain an identical victim profile, designed exclusively to target end-users in Brazil through environment validation and <a href=\"https:\/\/attack.mitre.org\/techniques\/T1627\/001\/\">geofencing<\/a>.<\/p>\n<p>This adversary\u2019s primary initial access vector is through phishing campaigns to distribute malware, impersonating a tax authority such as Brazil\u2019s Minist\u00e9rio da Fazenda (Ministry of Finance). 
Additionally, phishing emails were observed that purport to originate from internal departments such as finance and HR, using pretexts such as a supposed salary bonus or sudden changes to vacation requests.<\/p>\n<p>Another access vector is via WhatsApp Web messages from previously compromised contacts, containing a ZIP file with a malicious LNK file used as a dropper.<\/p>\n<p>Based on its investigation, SCILabs observed that <em>Blue Margay <\/em>has been targeting Brazil with its campaigns since at least February 2024 using the <em>Coyote<\/em> banking trojan; however, based on the evidence provided in this report, SCILabs determined with a high degree of confidence that the group is operating behind other threats of this type, such as <em>Silver Oryx Blade <\/em>and <em>Maverick<\/em>, which are developed with the assistance of artificial intelligence according to some <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\">open sources<\/a>.<\/p>\n<h1><a name=\"_Toc230264483\"><\/a>Region of Operation<\/h1>\n<p>As a result of open-source intelligence gathering and the analysis of various malicious artifacts, SCILabs determined with a <strong>high <\/strong>degree of confidence that the primary target country for this threat group\u2019s operations is Brazil, marked in red in Figure 1, while countries marked in yellow are potential targets for this threat actor.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1518\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig01.jpg\" alt=\"\" width=\"897\" height=\"1146\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 1. 
Region of operation determined by SCILabs<\/strong><\/p>\n<h1><a name=\"_Toc230264484\"><\/a>Relevant <em>Blue Margay <\/em>Activity<\/h1>\n<p>The following image shows a timeline of some <em>Blue Margay <\/em>attacks based on events identified by SCILabs since August 2024, due to their media impact or magnitude.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1519\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig02.jpg\" alt=\"\" width=\"1025\" height=\"917\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 2. Blue Margay campaign timeline<\/strong><\/p>\n<p>The attacks observed in the <em>Blue Margay<\/em> timeline are described below:<\/p>\n<ul>\n<li><strong>February 2024<\/strong>: A campaign involving the <em>Coyote<\/em> banking trojan was documented in <a href=\"https:\/\/securelist.com\/coyote-multi-stage-banking-trojan\/111846\/\">open sources<\/a>, targeting users in Brazil from over 60 banking institutions. This campaign featured the use of the <a href=\"https:\/\/github.com\/Squirrel\/Squirrel.Windows\">Squirrel installer<\/a>, the <a href=\"https:\/\/nodejs.org\/en\">NodeJS application<\/a>, and a .NET-based final payload, as well as AES encryption.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>February 2024<\/strong>: SCILabs identified a campaign involving the <em>Coyote<\/em> banking trojan targeting Brazil; distributed via ZIP files disguised as PDF documents. These files contain an executable dropper compiled in C\/C++, approximately 101 MB in size. This dropper uses Squirrel to install a malicious NuGet package named Kachalov-1.3.6-full.nupkg and deploys a loader written in Nim, which unpacks and executes a .NET stage in memory. 
<em>Coyote <\/em>employs obfuscation techniques such as AES and Base64 tables and uses <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">DLL Side-Loading<\/a> on a legitimate Google Chrome executable to execute its final stage.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>August 2024<\/strong>: SCILabs identified a banking trojan campaign, named in-house <em>Silver Oryx Blade<\/em>, targeting Brazil, initially detected in a malicious MSI file compressed in a ZIP archive. It employs the DLL Side-Loading technique to inject an obfuscated payload into memory. The trojan establishes persistence via a shortcut in the startup folder and communicates with its C2 servers using WatsonTCP. <em>Silver Oryx Blade <\/em>has been identified as monitoring the windows of nearly 50 Brazilian banking institutions and includes tools such as Json.NET and Fody Costura in its .NET\/C++ artifact chain.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>May 2025<\/strong>: An <a href=\"https:\/\/www.sidechannel.blog\/en\/coyote-a-stealthy-banking-trojan-targeting-dozens-of-brazilian-financial-institutions\/\">investigation<\/a> regarding a new variant of the <em>Coyote <\/em>banking trojan was published. 
This variant spreads via the Web version of the <a href=\"https:\/\/www.whatsapp.com\/?lang=es\">WhatsApp<\/a> instant messaging software, using a ZIP attachment containing an embedded LNK file that downloads remote payloads, and a malicious Chrome extension that enabled <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-endpoint\/malware\/worms-malware\">worm<\/a>-like propagation by forwarding the ZIP file to the victim\u2019s WhatsApp contacts.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>July 2025<\/strong>: Open-source reporting <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild\">documented<\/a> a variant of the <em>Coyote <\/em>banking trojan, describing the first confirmed case of malicious <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/windows-ui-automation-attack-technique-evades-edr\">Microsoft UI Automation<\/a> (UIA) usage. This <em>Coyote<\/em> variant targeted users in Brazil and used UIA to extract credentials linked to 75 banking and cryptocurrency addresses, demonstrating a significant evolution from the initial variants.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong>October 2025<\/strong>: Open-source intelligence <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\">documented<\/a> a massive campaign in Brazil involving a new banking trojan called <em>Maverick<\/em>, distributed via WhatsApp as a ZIP file containing a malicious LNK file. 
The investigation highlighted that the threat shared code similarities with <em>Coyote<\/em> and that it monitored 26 Brazilian banks, 6 cryptocurrency services, and 1 payment platform, without naming the organizations.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1><a name=\"_Toc230264485\"><\/a>Who might be affected?<\/h1>\n<p>Through constant monitoring in the region, SCILabs identified that <em>Blue Margay\u2019s<\/em> primary target is end users of financial institutions in Brazil. The malware is distributed via phishing emails using various pretexts, such as alleged salary bonuses, PIX transfers, and tax notices, impersonating financial and human resources departments as well as the Brazilian Ministry of Finance.<\/p>\n<h1><a name=\"_Toc230264486\"><\/a>How can it affect an organization?<\/h1>\n<p>Banking trojans operated by the <em>Blue Margay <\/em>threat group could steal information from financial institutions and users\u2019 cryptocurrency platforms, including employees of these organizations. If an attack is successful within an organization, cybercriminals can leak or sell the stolen information on clandestine Dark Web forums or on the black market, jeopardizing the confidentiality, integrity, and availability of your information and causing reputational damage.<\/p>\n<h1><a name=\"_Toc230264487\"><\/a>Threat Group\u2019s Operational Model<\/h1>\n<p>The group\u2019s operational model points to a banking fraud scheme, targeting end users primarily in Brazil. Initial access is gained through email phishing, using urgent and highly credible pretexts such as overdue invoices, deliveries, tax notices, salary bonuses, <a href=\"https:\/\/www.bcb.gov.br\/en\/financialstability\/pix_en\">PIX transfers<\/a>, and messages sent via <a href=\"https:\/\/www.whatsapp.com\/?lang=es\">WhatsApp<\/a> containing compressed files. 
The group exploits both institutional trust (impersonating financial agencies or government ministries) and interpersonal trust (messages forwarded from compromised accounts) to carry out its attacks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1520\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig03.jpg\" alt=\"\" width=\"986\" height=\"435\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig03.jpg 1068w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig03-300x132.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig03-1024x452.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig03-768x339.jpg 768w\" sizes=\"auto, (max-width: 986px) 100vw, 986px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 3. Example of a phishing template for the <em>Silver Oryx Blade<\/em> and <em>Coyote<\/em> banking trojans<\/strong><\/p>\n<p>The malware operated by this threat group waits for the victim to open a banking app or website, and then activates various capabilities, such as enumeration of banking sites, fake authentication (login) or <a href=\"https:\/\/www.ibm.com\/mx-es\/think\/topics\/multi-factor-authentication\">MFA<\/a> windows, phishing <a href=\"https:\/\/www.bancosantander.es\/glosario\/overlay\">overlays<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/security-101\/what-is-keylogger\">keyloggers<\/a>, screenshots, and screen locking. Additionally, in more recent <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild\">variants<\/a>, they use <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/framework\/ui-automation\/ui-automation-overview\">Microsoft UI Automation<\/a> to inspect browser elements and detect banking or cryptocurrency portals. 
This pattern indicates an interest in capturing valid credentials, authentication data, and real-time transactional context, rather than simply exfiltrating files. The wide range of targets also reinforces this model:<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><\/p>\n<table style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"100%\">\n<tbody>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" colspan=\"3\" width=\"100%\"><strong>Financial institutions<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Binance<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Banco de Bras\u00edlia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Mercado Bitcoin<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Banco Regional de Desenvolvimento do Extremo Sul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Mercado Pago<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Bradesco<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">BTG Pactual<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Banco Mercantil do Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco da Amaz\u00f4nia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Caixa Econ\u00f4mica Federal<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" 
width=\"21%\">Banco Santander Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco Bmg<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Citibank<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Banco Rendimento<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco BS2<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Confesol<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Banco Safra<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco Fibra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Viacredi (Ailos)<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Sicoob<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco PAN<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Cora Sociedade de Cr\u00e9dito<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Banco Sofisa<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco Top\u00e1zio<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Credisan<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Stone<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco Banese<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Credisis<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" 
width=\"21%\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco do Estado do Esp\u00edrito Santo (Banestes)<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Banco Daycoval<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Unicred<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banpar\u00e1<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Banco Original<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Uniprime<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banrisul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Foxbit<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Sisprime de Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">BitcoinTrade<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Banco do Par\u00e1<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Banestes<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Blockchain<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Sicredi<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"21%\">Zeitbank<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"36%\">Banco do Nordeste do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"42%\">Ita\u00fa Unibanco<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" 
width=\"21%\">\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><strong>Table 1. Financial institutions targeted by banking trojans operated by Blue Margay<\/strong><\/p>\n<p><em>Blue Margay <\/em>attacks primarily exhibit the following characteristics, observed in banking trojan variants such as <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\"><em>Maverick<\/em><\/a> and <a href=\"https:\/\/www.sidechannel.blog\/en\/coyote-a-stealthy-banking-trojan-targeting-dozens-of-brazilian-financial-institutions\/\"><em>Coyote<\/em><\/a>:<\/p>\n<ul>\n<li>Use of phishing and, in more recent variants, propagation via instant messaging from the infected victim\u2019s account. Use of embedded links or compressed files (ZIP) that deliver artifacts such as MSI, EXE, or LNK. In several cases, these links redirect to cloud infrastructure or redirection services before downloading the ZIP.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Use of combined technologies such as Electron\/Node.js, PowerShell, .NET, <a href=\"https:\/\/nim-lang.org\/\">Nim<\/a>, and shellcode, with multi-stage execution to hinder analysis and detection.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Use of installers or packagers to hide the initial stage, including Squirrel\/NSI and MSI.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Use of DLL Side-Loading\/DLL hijacking by leveraging legitimate binaries to load malicious components.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Local information-gathering capabilities, such as keylogging, screenshots, and clipboard data theft, to facilitate banking fraud and obtain authentication context.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Use of <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/framework\/ui-automation\/ui-automation-overview\">Microsoft UI Automation<\/a> (UIA) to inspect browser interface elements (tabs, address bar) and identify banking or crypto portals even when the window title 
does not directly match.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Installation of malicious browser extensions in specific campaigns, deploying an extension for Google Chrome and Brave, loaded from <em>%AppData% <\/em>and forced via custom profiles to spread via WhatsApp Web.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Communication with C2 via sockets and specialized .NET libraries, including the use of WatsonTCP.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Use of encryption and obfuscation, particularly AES, Base64, and obfuscated JavaScript, for both strings and intermediate or final payloads.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Implementation of anti-analysis controls and environment validations, such as virtual machine verification, geofencing, or language\/region validation to prioritize victims in Brazil.<\/li>\n<\/ul>\n<h1><a name=\"_Toc230264488\"><\/a>Analysis of Banking Trojans Operated by <em>Blue Margay<\/em><\/h1>\n<p>The following describes the banking trojan campaigns operated by <em>Blue Margay<\/em>, identified by SCILabs through open-source intelligence processes and the analysis of various malicious artifacts.<\/p>\n<p><strong><em>Silver Oryx Blade<\/em><\/strong><\/p>\n<p>In August 2024, SCILabs identified a new banking trojan through threat monitoring and hunting in LATAM, which it named <a href=\"https:\/\/blog.scilabs.mx\/silver-oryx-blade-nuevo-troyano-bancario-observado-en-agosto-de-2024\/\"><em>Silver Oryx Blade<\/em><\/a>. 
Among its key identified characteristics are the compromise of Minecraft servers as a malware repository and the combination of different programming languages during the infection chain.<\/p>\n<p><em>Silver Oryx Blade<\/em> is distributed through phishing campaigns impersonating Brazilian organizations such as PIX of the Central Bank of Brazil, the Brazilian Ministry of Finance, and the finance departments of Brazilian organizations.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1521\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig04.jpg\" alt=\"\" width=\"636\" height=\"528\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig04.jpg 636w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig04-300x249.jpg 300w\" sizes=\"auto, (max-width: 636px) 100vw, 636px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 4. Example of a phishing template using the pretext of a supposed PIX transfer<\/strong><\/p>\n<p>Because <em>Blue Margay <\/em>uses artifacts developed in-house in C#, C++, and Nim, as well as libraries such as Fody Costura, WatsonTCP, and Json.NET, and based on victimology, <em>Silver Oryx Blade <\/em>can be attributed to this threat group.<\/p>\n<p>The attack flow observed for this banking trojan is summarized as follows.<\/p>\n<ul>\n<li>The victim receives a phishing email using alleged salary bonuses, PIX transfers, and tax notices as pretexts, impersonating financial and human resources departments as well as Brazil\u2019s Ministry of Finance.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>The email contains a URL that redirects the victim to a site that automatically downloads a ZIP file; this contains the trojan\u2019s first dropper in MSI format.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>When the MSI file is executed, the infection chain begins.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>The 
MSI, which embeds a .NET DLL and a Base64-encoded payload, extracts the artifacts needed to install the trojan.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>The trojan creates a directory in <em>%PUBLIC% <\/em>with a pseudo-random name in CamelCase format, based on a GUID (e.g., Bebfeeebfaea or Cewhcqvcwqqzjrvlzca). In this directory, it deploys a legitimate executable program vulnerable to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/abusing-dll-misconfigurations\">DLL Side-Loading<\/a>, which loads the trojan into memory, along with a loader developed in C++, an obfuscated payload, and legitimate Microsoft DLLs used during execution.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>As a persistence mechanism, the trojan creates a shortcut in <em>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/em>.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>The trojan communicates with one of its configured command-and-control (C2) servers, if any are available.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li>Once the victim accesses sites of interest for the malware, the trojan begins stealing banking information, such as usernames and passwords, which are sent to the attacker\u2019s C2 server.<\/li>\n<\/ul>\n<p>After recovering and analyzing the <em>Silver Oryx Blade <\/em>trojan in its penultimate phase, SCILabs identified the use of the .NET WatsonTCP library with an X509 certificate protected by the password \u201cf134f2a14df14c449b36ed67d6d73ff8\u201d to communicate with its C2 server, with the following options:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/dotnet\/WatsonTcp#:~:text=client%2ESettings%2E-,MutuallyAuthenticate\">MutuallyAuthenticate<\/a> = true<\/strong>: Configures <a href=\"https:\/\/www.cloudflare.com\/learning\/access-management\/what-is-mutual-authentication\/\">mutual authentication<\/a>, also known as two-way authentication, for SSL communication. 
By default, in a standard SSL\/TLS connection (such as when browsing the internet), only the client verifies that the server is who it claims to be. With the MutuallyAuthenticate = true setting, the connection requires the server to verify the client and the client to verify the server. For this to work, the client must present a valid digital certificate during the <a href=\"https:\/\/www.ibm.com\/docs\/en\/ibm-mq\/9.3.x?topic=tls-overview-ssltls-handshake\">SSL handshake process<\/a>, and the server must be configured to accept it. With this functionality, attackers ensure that the C2 server only accepts connections from compromised devices that possess a specific certificate, which in this case would be the valid self-signed certificate.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/dotnet\/WatsonTcp#:~:text=client%2ESettings%2E-,AcceptInvalidCertificates\">AcceptInvalidCertificates<\/a> = true<\/strong>: Allows the SSL\/TLS connection to proceed even if the presented certificate cannot be validated by a trusted certificate authority (CA), which in this case allows the self-signed certificate to be used.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1522\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig05.jpg\" alt=\"\" width=\"682\" height=\"867\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig05.jpg 746w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig05-236x300.jpg 236w\" sizes=\"auto, (max-width: 682px) 100vw, 682px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 5. 
Encrypted certificate information retrieved by SCILabs from <em>Silver Oryx Blade<\/em><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1523\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig06.jpg\" alt=\"\" width=\"1137\" height=\"332\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 6. WatsonTcp with mutual authentication enabled and configured to accept an invalid certificate in <em>Silver Oryx Blade<\/em><\/strong><\/p>\n<p>The following list contains the banks and financial institutions of interest to <em>Silver Oryx Blade <\/em>identified by SCILabs during the analysis, in which approximately 50 entities were identified, including fintechs such as Mercado Pago and Binance.<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><\/p>\n<table style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"547\">\n<tbody>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" colspan=\"3\" width=\"100%\"><strong>Financial institutions<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">BTG Pactual<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banco da Amaz\u00f4nia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Credisan<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco BS2<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banco de Bras\u00edlia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Credisis<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Banese<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banco do Brasil<\/td>\n<td style=\"text-align: 
center;border: 1px solid black;padding: 8px\" width=\"171\">Foxbit<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Bmg<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banco do Estado do Esp\u00edrito Santo (Banestes)<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Ita\u00fa Unibanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Daycoval<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banco do Nordeste do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Mercado Bitcoin<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Fibra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banpar\u00e1<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Mercado Pago<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Mercantil do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Banrisul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Sicredi<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Original<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Binance<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Sisprime de Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco PAN<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">BitcoinTrade<\/td>\n<td 
style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Stone<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Regional de Desenvolvimento do Extremo Sul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Blockchain<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Rendimento<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Bradesco<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Unicred<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Safra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Caixa Econ\u00f4mica Federal<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Viacredi (Ailos)<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Santander Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Citibank<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">Zeitbank<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Sofisa<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Confesol<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">\u00a0<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"235\">Banco Top\u00e1zio<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"141\">Cora Sociedade de 
Cr\u00e9dito<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"171\">\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><strong>Table 2. Banking institutions of interest to <em>Silver Oryx Blade<\/em><\/strong><\/p>\n<p>During the analysis, the use of the <a href=\"https:\/\/www.newtonsoft.com\/json\">Newtonsoft<\/a> Json.NET Framework was identified for manipulating data transmitted to C2. This is possible because the operators of this trojan use <a href=\"https:\/\/github.com\/Fody\/Costura\">Fody Costura<\/a>, whose function is to embed (package) dependencies within the same main executable\/assembly as resources and, at runtime, load those embedded DLL files from the executable\u2019s resources when the Common Language Runtime (<a href=\"https:\/\/learn.microsoft.com\/es-es\/dotnet\/standard\/clr\">CLR<\/a>) requests them. This Fody Costura add-in simplifies software distribution by creating a single-file application, eliminating the need to ship multiple DLL files alongside the executable.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1524\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig07.jpg\" alt=\"\" width=\"693\" height=\"394\" \/><\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\"><\/a><a href=\"#_ftnref3\" name=\"_ftn3\"><\/a><\/p>\n<p style=\"text-align: center\"><strong>\u00a0Figure 7. Fody Costura implementation identified in the <em>Silver Oryx Blade <\/em>variant<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1525\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig08.jpg\" alt=\"\" width=\"1130\" height=\"644\" \/><\/p>\n<p style=\"text-align: center\"><strong>\u00a0Figure 8. 
Attack flowchart observed in the August 2024 <em>Silver Oryx Blade <\/em>campaign<\/strong><\/p>\n<p><strong>Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1543\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPSilverOryxBlade.jpg\" alt=\"\" width=\"1096\" height=\"693\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPSilverOryxBlade.jpg 1096w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPSilverOryxBlade-300x190.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPSilverOryxBlade-1024x647.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPSilverOryxBlade-768x486.jpg 768w\" sizes=\"auto, (max-width: 1096px) 100vw, 1096px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Table 3. Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<p><strong><em>Coyote<\/em><\/strong><\/p>\n<p><em>Coyote<\/em> is a banking trojan primarily targeting users in Brazil, designed to facilitate financial fraud by stealing credentials and manipulating banking sessions in real time. <a href=\"https:\/\/www.sidechannel.blog\/en\/coyote-a-stealthy-banking-trojan-targeting-dozens-of-brazilian-financial-institutions\/\">Public<\/a> <a href=\"https:\/\/securelist.com\/coyote-multi-stage-banking-trojan\/111846\/\">research<\/a> <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/coyote-banking-trojan-a-stealthy-attack-via-lnk-files\">describes<\/a> <a href=\"https:\/\/www.ecucert.gob.ec\/wp-content\/uploads\/2025\/02\/Al-2025-007-Malware-Coyote.pdf\">it<\/a> as a threat with a multi-stage infection process that includes Squirrel-type installers, NodeJS\/Electron components, and .NET payloads. 
<em>Coyote<\/em> remains dormant until it detects access to a target institution, at which point it activates capabilities such as phishing overlays, screen capture, and keylogging to obtain sensitive data. Furthermore, later <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/active-exploitation-Coyote-malware-first-ui-automation-abuse-in-the-wild\">variants<\/a> have incorporated more advanced techniques, such as the abuse of <a href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/framework\/ui-automation\/ui-automation-overview\">Windows UI Automation<\/a>, reinforcing its relevance as a constantly evolving banking trojan in the Brazilian ecosystem.<\/p>\n<p><em>Coyote<\/em> attacks primarily have the following characteristics:<\/p>\n<ul>\n<li>ZIP as dropper\/LNK as dropper (using a <a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/scripting\/learn\/ps101\/04-pipelines?view=powershell-7.6#one-liners\">one-liner PowerShell<\/a> script) that generates a random 5-character process for file downloads.<\/li>\n<li>ZIP file named as a PDF\/LNK file named as a PDF.<\/li>\n<li>.exe installer that appears to be a PDF file.<\/li>\n<li>Installer compiled in C++.<\/li>\n<li>Installer larger than<\/li>\n<li>Software installation screen when the program is launched.<\/li>\n<li>Installing<\/li>\n<li>Artifacts in the Windows <em>%LocalAppData%<\/em> path.<\/li>\n<li>NuGet package (Loader).<\/li>\n<li>AES encryption to obfuscate code.<\/li>\n<li>The decrypted code is Base64-encoded.<\/li>\n<li>DLL side-loading (using a legitimate Chrome executable).<\/li>\n<li>Uses the path <em>C:\\Users\\&lt;username&gt;\\Documents\\Images<\/em>.<\/li>\n<li>Persistence in the registry keys <em>HKCU\\Environment\\UserInitMprLogonScript<\/em> (script execution at login) and <em>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em>.<\/li>\n<li>Monitors the Google Chrome browser for banking sites to steal financial information.<\/li>\n<li>C2 with specific communication <a href=\"https:\/\/www.ecucert.gob.ec\/wp-content\/uploads\/2025\/02\/Al-2025-007-Malware-Coyote.pdf\">commands<\/a>.<\/li>\n<li><a href=\"https:\/\/www.checkpoint.com\/es\/cyber-hub\/threat-prevention\/what-is-malware\/what-is-fileless-malware\/\">Fileless<\/a> (malware without files on disk), with multiple stages in the infection process.<\/li>\n<\/ul>\n<p>In February 2025, SCILabs observed that the payload injected into memory performs the following actions:<\/p>\n<ul>\n<li>Using <a href=\"https:\/\/github.com\/TheWover\/donut\">Donut<\/a>, it decrypts, downloads, and executes the final payload of the <em>Coyote<\/em> banking trojan.<\/li>\n<li>It establishes persistence via a registry key with a random name of variable length (for example, uvnyjjfz), located under <em>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em>.<\/li>\n<li>It collects and sends information about the infected computer (hostname, operating system, installed antivirus, etc.) to the campaign operators\u2019 C2 server.<\/li>\n<li>It executes the PowerShell command stored in the registry for persistence, with the aim of downloading and executing the final payload of the <em>Coyote<\/em> banking trojan.<\/li>\n<\/ul>\n<p>Finally, the <em>Coyote<\/em> banking trojan begins monitoring active browser windows for more than 1,000 sites of interest, including Brazilian banking sites and others, some of which are shown in the following table.<\/p>\n<table style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"100%\">\n<thead>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" colspan=\"3\" width=\"100%\"><strong>Financial institutions<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">BTG Pactual<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco da Amaz\u00f4nia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Cora Sociedade de Cr\u00e9dito<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco BS2<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco de Bras\u00edlia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Credisan<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Banese<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Credisis<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Bmg<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco do Estado 
do Esp\u00edrito Santo (Banestes)<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Foxbit<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Daycoval<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco do Nordeste do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Ita\u00fa Unibanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Fibra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banco do Par\u00e1<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Mercado Bitcoin<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Mercantil do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banestes<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Mercado Pago<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Original<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Banrisul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Sicredi<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco PAN<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Binance<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Sisprime de Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Regional de Desenvolvimento do Extremo Sul<\/td>\n<td style=\"text-align: center;border: 1px 
solid black;padding: 8px\" width=\"39%\">BitcoinTrade<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Stone<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Rendimento<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Blockchain<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Safra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Bradesco<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Unicred<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Santander Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Caixa Econ\u00f4mica Federal<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Uniprime<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Sofisa<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Citibank<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Viacredi (Ailos)<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"37%\">Banco Top\u00e1zio<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"39%\">Confesol<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"22%\">Zeitbank<\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<p><a href=\"#_ftnref3\" name=\"_ftn3\"><\/a><\/p>\n<p style=\"text-align: center\"><strong>Table 4. 
Financial institutions of interest to <em>Coyote<\/em><\/strong><\/p>\n<p>Once the trojan identifies a site of interest, it initiates communication with the command-and-control server and waits to receive commands, which are encoded based on the length of the received string.<\/p>\n<p>While preparing this report, SCILabs analyzed a sample of the <em>Coyote<\/em> banking trojan and identified the use of the WatsonTCP library with SSL tunnels, importing an X509 certificate protected by the password \u201cb4b54f7ea7c14e28bf1ceb93e1b05cb1\u201d.<\/p>\n<p>Additionally, to communicate with its C2 server, it configures the following options:<\/p>\n<ul>\n<li><strong>MutuallyAuthenticate = true<\/strong>: Configures <a href=\"https:\/\/www.cloudflare.com\/learning\/access-management\/what-is-mutual-authentication\/\">mutual authentication<\/a>, also known as bidirectional authentication. The connection requires the server to verify the client and the client to verify the server. The client must present a valid digital certificate during the SSL handshake, and the server must be configured to accept it. With this functionality, attackers ensure that the C2 server only accepts connections from compromised devices that possess a specific certificate, which in this case would be self-signed.<\/li>\n<li><strong>AcceptInvalidCertificates = true<\/strong>: In WatsonTcp, this allows the SSL\/TLS connection to proceed even if the presented certificate cannot be validated by a trusted certificate authority (CA). Taken together, the two settings make the self-signed certificate embedded in the binary both the client credential and the trust anchor: the server accepts it without any CA and rejects any client that does not present it.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1526\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig09.jpg\" alt=\"\" width=\"1064\" height=\"316\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig09-300x90.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig09-768x229.jpg 768w\" sizes=\"auto, (max-width: 1064px) 100vw, 1064px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 9. WatsonTcp with mutual authentication enabled and accepting an invalid certificate in <em>Coyote<\/em><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1527\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig10.jpg\" alt=\"\" width=\"1064\" height=\"157\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 10. Password-protected PFX certificate imported from the executable resources of <em>Coyote<\/em><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1528\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig11.jpg\" alt=\"\" width=\"432\" height=\"549\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig11.jpg 432w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig11-236x300.jpg 236w\" sizes=\"auto, (max-width: 432px) 100vw, 432px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 11. 
Encrypted certificate information retrieved by SCILabs used by <em>Coyote<\/em><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1529\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig12.jpg\" alt=\"\" width=\"796\" height=\"220\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig12.jpg 796w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig12-300x83.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig12-768x212.jpg 768w\" sizes=\"auto, (max-width: 796px) 100vw, 796px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 12. AcceptInvalidCertificates and MutuallyAuthenticate values set to true<\/strong><\/p>\n<p>Additionally, SCILabs identified in <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/coyote-ugly-kaspersky-unveils-banking-trojan-targeting-over-60-institutions\">open sources<\/a> that a <em>Coyote<\/em> campaign implements mutual authentication to establish communication with its C2 server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1530\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13.jpg\" alt=\"\" width=\"1064\" height=\"164\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13.jpg 1670w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13-300x46.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13-1024x158.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13-768x119.jpg 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig13-1536x237.jpg 1536w\" sizes=\"auto, (max-width: 1064px) 100vw, 1064px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 13. 
Excerpt from public sources showing the use of mutual authentication in the <em>Coyote<\/em> variant<\/strong><\/p>\n<p><em>Coyote <\/em>uses <a href=\"https:\/\/github.com\/fody\/costura\">Fody Costura<\/a>, which embeds dependencies within the main executable\/assembly as resources and, at runtime, loads those embedded DLL files when the Common Language Runtime (<a href=\"https:\/\/learn.microsoft.com\/es-es\/dotnet\/standard\/clr\">CLR<\/a>) requests them. In the case of the <em>Coyote<\/em> variant, Fody Costura packages <a href=\"https:\/\/www.newtonsoft.com\/json\">Newtonsoft<\/a> and WatsonTcp. This Fody Costura add-in facilitates software distribution by creating a single-file application, eliminating the need to send multiple DLL files along with the executable.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1531\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig14.jpg\" alt=\"\" width=\"1021\" height=\"555\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig14.jpg 1302w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig14-300x163.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig14-1024x557.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig14-768x418.jpg 768w\" sizes=\"auto, (max-width: 1021px) 100vw, 1021px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 14. 
Fody Costura identified in the <em>Coyote<\/em> variant<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1532\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig15.jpg\" alt=\"\" width=\"1134\" height=\"684\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig15.jpg 1385w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig15-300x181.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig15-1024x618.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig15-768x464.jpg 768w\" sizes=\"auto, (max-width: 1134px) 100vw, 1134px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 15. Identified attack flow of the <em>Coyote<\/em> banking trojan<\/strong><\/p>\n<p><strong>Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1544\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPCoyote.jpg\" alt=\"\" width=\"898\" height=\"720\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPCoyote.jpg 898w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPCoyote-300x241.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPCoyote-768x616.jpg 768w\" sizes=\"auto, (max-width: 898px) 100vw, 898px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Table 5. 
Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<p><strong><em>Maverick<\/em><\/strong><\/p>\n<p>In November 2025, through open-source monitoring, SCILabs tracked an <a href=\"https:\/\/www.cyberproof.com\/blog\/Maverick-and-Coyote-analyzing-the-link-between-two-evolving-brazilian-banking-\">investigation<\/a> stemming from an incident in which a suspicious download of a ZIP-type compressed file was initially detected from WhatsApp Web (web[.]whatsapp[.]com). Based on that investigation, several artifacts were linked to a campaign targeting Brazilian users, concluding that the downloaded file, identified as <em>Maverick<\/em>, bore significant similarities to previously reported <em>Coyote<\/em> campaigns. In the analysis, the full infection chain was not observed, as some subsequent files were not delivered by the C2 at the time of the investigation; therefore, its correlation with <em>Coyote<\/em> is based on the recovered samples, the IoCs (Indicators of Compromise), and comparison with previous public investigations.<\/p>\n<p>Some specific characteristics of the <em>Maverick<\/em> banking trojan are listed below:<\/p>\n<ul>\n<li><strong>WhatsApp Web as the primary vector<\/strong>: It is distributed on a massive scale via WhatsApp messages containing malicious ZIP files.<\/li>\n<li><strong>Worm-like propagation<\/strong>: Once the system is infected, it uses Selenium and WPPConnect to hijack the active WhatsApp Web session and automatically forward the malicious file to all the victim\u2019s contacts.<\/li>\n<li><strong>LNK as a dropper with complex obfuscation<\/strong>: The ZIP file contains a shortcut (LNK) that executes highly obfuscated PowerShell commands using split tokens, multiple &#8220;FOR&#8221; loops, and UTF-16LE encoding to reconstruct the download URL.<\/li>\n<li><strong>Fileless execution (entirely in memory)<\/strong>: The infection chain is designed to be memory-resident, loading .NET assemblies and shellcode without leaving large persistent artifacts on disk.<\/li>\n<li><strong>Strict geofencing (Brazil)<\/strong>: Before installing, it performs exhaustive checks on the time zone (UTC-5 to UTC-2), system language (pt-BR), region, and date format to ensure the victim is in Brazil.<\/li>\n<li><strong>Persistence via lightweight batch files<\/strong>: Instead of installing the full trojan, it creates a .bat file in the startup folder (e.g., HealthApp-*.bat) that re-downloads the initial loader from the C2 server after each reboot.<\/li>\n<li><strong>AI-assisted development<\/strong>: It has been documented that the attackers used AI to assist in writing the code, particularly for the certificate decryption logic and general agent functions.<\/li>\n<li><strong>Network infrastructure with WatsonTCP<\/strong>: It uses the .NET WatsonTCP library to establish stable SSL\/TLS communication tunnels with its command-and-control (C2) server.<\/li>\n<li><strong>Protection with local X509 certificates<\/strong>: Communications are secured using password-protected local digital certificates to enable mutual authentication and evade traffic inspection.<\/li>\n<li><strong>Use of overlays<\/strong>: It can display fraudulent phishing windows over legitimate bank pages to capture credentials and MFA codes.<\/li>\n<li><strong>Advanced remote control capabilities<\/strong>: Includes functions for taking screenshots, keylogging, mouse control, screen locking, and terminating system processes.<\/li>\n<li><strong>Configuration encryption (AES\/GZIP)<\/strong>: Lists of financial target URLs are compressed with GZIP, encrypted with AES-256, and stored as Base64 strings to hide the targets from static analysis.<\/li>\n<\/ul>\n<p>Among its key capabilities, <em>Maverick<\/em> includes WhatsApp Web automation via <a href=\"https:\/\/wppconnect.io\/docs\/\">WPPConnect<\/a> and <a href=\"https:\/\/www.selenium.dev\/\">Selenium<\/a>, allowing it to forward malicious messages from compromised accounts and expand the campaign\u2019s reach. At the same time, the banking component can fully control the infected device, taking screenshots, enabling keylogging, controlling the mouse, locking the screen upon detecting access to a banking site, and displaying overlay phishing windows to capture credentials. Once active, it monitors the victim\u2019s access to 26 Brazilian banks, 6 cryptocurrency platforms, and 1 payment platform that the <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\">report<\/a> does not name explicitly.<\/p>\n<table style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"100%\">\n<thead>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" colspan=\"3\" width=\"100%\"><strong>Financial institutions<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">BTG Pactual<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco da Amaz\u00f4nia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Credisan<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco BS2<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco de Bras\u00edlia<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Credisis<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" 
width=\"113\">Banco Banese<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Foxbit<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Bmg<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco do Estado do Esp\u00edrito Santo (Banestes)<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Ita\u00fa Unibanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Daycoval<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco do Nordeste do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Mercado Bitcoin<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Fibra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banco do Par\u00e1<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Sicoob<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Mercantil do Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banestes<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Sicredi<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Original<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Banrisul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Sisprime de Brasil<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid 
black;padding: 8px\" width=\"113\">Banco PAN<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Binance<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Stone<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Regional de Desenvolvimento do Extremo Sul<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">BitcoinTrade<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Rendimento<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Blockchain<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Unicred<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Safra<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Bradesco<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Uniprime<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Santander Brasil<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Caixa Econ\u00f4mica Federal<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Viacredi (Ailos)<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"113\">Banco Sofisa<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Citibank<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">Zeitbank<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 
8px\" width=\"113\">Banco Top\u00e1zio<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"122\">Confesol<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"157\">\u00a0<\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<p style=\"text-align: center\"><strong>Table 6. Financial institutions targeted by <em>Maverick<\/em> identified in <a href=\"https:\/\/www.cyberproof.com\/blog\/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans\/\">open sources<\/a><\/strong><\/p>\n<p>Another notable feature is that <em>Maverick<\/em> validates whether the victim is located in Brazil by checking the time zone, language, region, and date format, with the aim of limiting its execution to that country only. Additionally, it uses Windows UI Automation to extract the title of the active browser tab and compares it against a list of targeted financial institutions, stored as a Base64-encoded string that is GZIP-compressed and AES-256-encrypted.<\/p>\n<p>According to <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\">public sources<\/a>, one of <em>Maverick\u2019s<\/em> key features is the use of artificial intelligence (AI) to assist in writing its code, specifically the routine that decrypts the local <a href=\"https:\/\/www.ssl.com\/es\/preguntas-frecuentes\/%C2%BFQu%C3%A9-es-un-certificado-x-509%3F\/\">X509 certificate<\/a> used to secure the banking trojan\u2019s communication with its C2 server. This certificate is exported in encrypted form, and a hardcoded password (Maverick2025!) 
is used to decrypt it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1533\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig16.jpg\" alt=\"\" width=\"1180\" height=\"187\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig16.jpg 1212w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig16-300x48.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig16-1024x162.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig16-768x122.jpg 768w\" sizes=\"auto, (max-width: 1180px) 100vw, 1180px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 16. Open-source image of <em>Maverick<\/em> in the process of loading the encrypted X509 certificate<\/strong><\/p>\n<p>For this report, in the same sample of a <em>Maverick<\/em> variant analyzed by SCILabs, text strings associated with AI-generated code were also identified, as shown in the following image.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1534\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig17.jpg\" alt=\"\" width=\"996\" height=\"656\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig17.jpg 1200w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig17-300x198.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig17-1024x674.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig17-768x506.jpg 768w\" sizes=\"auto, (max-width: 996px) 100vw, 996px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 17. 
Text strings associated with AI-generated code identified by SCILabs in a <em>Maverick<\/em> variant<\/strong><\/p>\n<p>In the same <a href=\"https:\/\/securelist.com\/maverick-banker-distributing-via-whatsapp\/117715\/\"><em>Maverick<\/em> sample<\/a> analyzed by SCILabs while preparing this report, the use of the WatsonTCP library over SSL tunnels was identified, along with an X.509 certificate protected by the password &#8220;Maverick2025!&#8221;, used to establish communication with its C2 server. However, in this sample mutual authentication is disabled and invalid certificates are rejected, due to the following options set by <em>Maverick<\/em>:<\/p>\n<ul>\n<li><strong>MutuallyAuthenticate = false<\/strong>: Disables mutual (bidirectional) authentication. Only the server authenticates to the client; the client does not present a digital certificate during the <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/iis-support-blog\/from-hello-to-secure-the-ssltls-handshake-explained-like-a-conversation\/4413208\">SSL handshake<\/a>. In the analyzed code, although a certificate is loaded into _trustedServerCertificate, it is not used by the client to identify itself to the C2 server, but rather to validate the server via <a href=\"https:\/\/www.ssl.com\/blogs\/what-is-certificate-pinning\/\">certificate pinning<\/a>.<\/li>\n<li><strong>AcceptInvalidCertificates = false<\/strong>: WatsonTcp rejects any certificate that cannot be validated. However, this does not mean that it relies on a trusted public CA; validation is performed via certificate pinning: the client has the exact C2 server certificate embedded (loaded from Base64 with a password into _trustedServerCertificate), and it only accepts that specific certificate, rejecting any other, even if it is technically valid (signed by a trusted certificate authority). 
This prevents Man-in-the-Middle (MitM) attacks and ensures that the compromised client can only communicate with the legitimate C2 server controlled by the threat group.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1535\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18.jpg\" alt=\"\" width=\"1065\" height=\"451\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18.jpg 1574w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18-300x127.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18-1024x433.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18-768x325.jpg 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig18-1536x650.jpg 1536w\" sizes=\"auto, (max-width: 1065px) 100vw, 1065px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 18. Implementation of WatsonTcp and X509 certificate in the <em>Maverick<\/em> variant<\/strong><\/p>\n<p>The X509 public certificate was not obtained from the sample used by the <em>Maverick<\/em> variant.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1536\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig19.jpg\" alt=\"\" width=\"1043\" height=\"482\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig19.jpg 1502w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig19-300x139.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig19-1024x474.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig19-768x355.jpg 768w\" sizes=\"auto, (max-width: 1043px) 100vw, 1043px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 19. 
Implementation of Fody Costura in the <em>Maverick<\/em> variant<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1537\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20.jpg\" alt=\"\" width=\"1058\" height=\"621\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20.jpg 1632w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20-300x176.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20-1024x601.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20-768x451.jpg 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig20-1536x902.jpg 1536w\" sizes=\"auto, (max-width: 1058px) 100vw, 1058px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 20. Flowchart of the attack observed in the current <em>Maverick<\/em> campaign<\/strong><\/p>\n<p><strong>Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1545\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPMaverick.jpg\" alt=\"\" width=\"802\" height=\"720\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPMaverick.jpg 802w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPMaverick-300x269.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/TTPMaverick-768x689.jpg 768w\" sizes=\"auto, (max-width: 802px) 100vw, 802px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Table 7. 
Observed TTPs aligned with the MITRE\u00ae ATT&amp;CK framework<\/strong><\/p>\n<h1><a name=\"_Toc230264489\"><\/a>Comparison of the different variants of banking trojans operated by <em>Blue Margay<\/em><\/h1>\n<p>The following table compares the observed technical characteristics of the <em>Silver Oryx Blade<\/em>, <em>Coyote<\/em>, and <em>Maverick<\/em> banking trojan variants. The characteristics in the first four rows show the highest degree of similarity among the three banking trojans, ranging from the use of languages such as .NET and C++ to the implementation of Fody Costura, WatsonTCP, Newtonsoft Json.NET, and password-protected X509 certificates.<\/p>\n<table style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"100%\">\n<tbody>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>\u00a0<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong><em>Silver Oryx Blade<\/em><\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong><em>Coyote<\/em><\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong><em>Maverick<\/em><\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Programming languages<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">.NET C# and C++<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">.NET C#, C++ and Nim<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">.NET C# and C++<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Tools and libraries<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid 
black;padding: 8px\" width=\"161\">Fody Costura, WatsonTCP, Newtonsoft Json.NET<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Fody Costura, WatsonTCP, Newtonsoft Json.NET, Squirrel, NuGet, Electron app<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Fody Costura, WatsonTCP, Newtonsoft Json.NET<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Certificate<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">X509 with password<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">X509 with password<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">X509 with password<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Obfuscation and encryption method<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Base64 and string removal \/ AES<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Base64 and string removal \/ AES<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">AES<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Payload format<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Plain text files \/ Base64 string in memory<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">PE<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">PE<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Loading and injection methods<\/strong><\/td>\n<td 
style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">DLL Side-Loading<\/a><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">DLL Side-Loading<\/a> and <a href=\"https:\/\/learn.microsoft.com\/es-es\/dotnet\/standard\/clr\">CLR<\/a>, <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/memoryapi\/nf-memoryapi-virtualallocex\">VirtualAllocEx<\/a>, <a href=\"https:\/\/learn.microsoft.com\/es-es\/windows\/win32\/api\/memoryapi\/nf-memoryapi-writeprocessmemory\">WriteProcessMemory<\/a><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">DLL Side-Loading<\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Persistence method<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Shortcut in the Windows Startup folder: <em>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ + EACefSubProcess\u00aa.lnk<\/em><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><em>HKCU\\Environment\\UserInitMprLogonScript<\/em>, <em>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Shortcut in the Windows Startup folder: <em>%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ + \u201cHealthApp-\u201d + GUID + \u201c.bat\u201d<\/em><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Installation window<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">No installation window<\/td>\n<td 
style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Custom<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">No installation window<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Trojan size<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Less than 2 MB<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Over 100 MB in some campaigns<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Less than 2 MB<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>C2<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Multiple domains in a single campaign<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Multiple domains in a single campaign<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Multiple domains in a single campaign<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\"><strong>Noteworthy technique<\/strong><\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Using GUIDs to generate directories with unique names<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">Windows UI Automation<\/td>\n<td style=\"text-align: center;border: 1px solid black;padding: 8px\" width=\"161\">WhatsApp Web for propagation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><strong>Table 8. 
Comparative table of Silver Oryx Blade, Coyote, and Maverick variants<\/strong><\/p>\n<p>Within the decompiled code observed for these three threats, SCILabs identified critical technical similarities such as the use of the \u201cAcceptInvalidCertificates\u201d property, which allows the malware to accept the use of its own local or self-signed X509 digital certificates for traffic encryption, and the implementation of the \u201cMutuallyAuthenticate\u201d property to secure SSL channels through mutual authentication between the agent and the server. These technical similarities in the communication protection logic, along with the use of password-protected certificates, reinforce the hypothesis that this malware ecosystem targeting Brazil is operated and developed by the same threat group.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1538\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig21.jpg\" alt=\"\" width=\"927\" height=\"1052\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig21.jpg 927w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig21-264x300.jpg 264w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig21-902x1024.jpg 902w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig21-768x872.jpg 768w\" sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 21. Process of loading the encrypted X509 certificate in <em>Silver Oryx Blade<\/em>, <em>Coyote, <\/em>and <em>Maverick<\/em><\/strong><\/p>\n<p>The <em>Silver Oryx Blade<\/em>, <em>Coyote, <\/em>and <em>Maverick <\/em>banking trojans use the Fody Costura plugin as an advanced packaging technique to embed .NET dependencies and other resources directly within the main binary. 
The consistent use of this technology across all three threats, along with shared libraries such as Json.NET, represents a significant technical overlap that reinforces the hypothesis that these campaigns are operated by the same threat group.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1539\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig22.jpg\" alt=\"\" width=\"550\" height=\"1067\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig22.jpg 550w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig22-155x300.jpg 155w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig22-528x1024.jpg 528w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 22. Implementation of Fody Costura in the <em>Silver Oryx Blade<\/em>, <em>Coyote<\/em>, and <em>Maverick<\/em> variants<\/strong><\/p>\n<p>Common characteristics between <em>Silver Oryx Blade<\/em> and <em>Coyote<\/em>:<\/p>\n<ul>\n<li><strong>Victims<\/strong>: Both trojans are designed exclusively to target Brazil\u2019s financial ecosystem, monitoring victims\u2019 access to local banking institutions and cryptocurrency services.<\/li>\n<li><strong>Shared Libraries and Tools<\/strong>: Both threats use the WatsonTCP library to communicate with their command-and-control (C2) servers. 
They also use the Json.NET (Newtonsoft) framework for data manipulation and Fody Costura to embed .NET resources.<\/li>\n<li><strong>Text String Obfuscation Method<\/strong>: In <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/coyote-banking-trojan-a-stealthy-attack-via-lnk-files\">open sources<\/a>, SCILabs identified a variant of the <em>Coyote<\/em> banking trojan that exhibits an obfuscation technique similar to the one observed by SCILabs in the <em>Silver Oryx Blade<\/em> banking trojan.<\/li>\n<li><strong>Use of AES Encryption<\/strong>: Both <em>Coyote<\/em> and <em>Silver Oryx Blade<\/em> apply AES encryption to protect specific text strings, banking URLs, or the final payload within their infection chain.<\/li>\n<li><strong>Programming Languages<\/strong>: Both malware samples are developed using a combination of C# (.NET) and C++ at different stages.<\/li>\n<li><strong>Linked Infrastructure<\/strong>: The domain <em>milkdavaca[.]com<\/em>, used in <em>Silver Oryx Blade<\/em> campaigns, shares the same SSL certificate and registrar as the known <em>Coyote<\/em> infrastructure.<\/li>\n<li><strong>Loading Techniques<\/strong>: Both employ the DLL Side-Loading technique to evade detection, using legitimate binaries to load malicious components into memory.<\/li>\n<li><strong>Application Monitoring<\/strong>: Both actively monitor browser windows to identify when the user accesses one of approximately 50 financial sites of interest.<\/li>\n<\/ul>\n<p><strong><em>Silver Oryx Blade<\/em> &#8211; <em>Coyote<\/em> Text String Obfuscation Method<\/strong><\/p>\n<p>In the <em>Silver Oryx Blade<\/em> sample analyzed by SCILabs, a deobfuscation method was identified in the decompiled code of the DLL injected into memory. 
This deobfuscation method involves decoding a hardcoded text string in the recovered banking trojan code using Base64 and then removing all instances of a second short string that acts as <a href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/001\/\">padding<\/a>, consisting of 10 random characters\u2014a mix of digits and lowercase and uppercase letters\u2014such as &#8220;jwQqSoXE4u&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1540\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23.jpg\" alt=\"\" width=\"1103\" height=\"298\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23.jpg 1686w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23-300x81.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23-1024x277.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23-768x208.jpg 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig23-1536x415.jpg 1536w\" sizes=\"auto, (max-width: 1103px) 100vw, 1103px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 23. Obfuscated strings in a variant of the <em>Silver Oryx Blade<\/em> banking trojan<\/strong><\/p>\n<p>In <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/coyote-banking-trojan-a-stealthy-attack-via-lnk-files\">open sources<\/a>, SCILabs identified a variant of the <em>Coyote<\/em> banking trojan that exhibits an obfuscation technique similar to the one observed by SCILabs in the <em>Silver Oryx Blade<\/em> banking trojan. This technique consists of a Base64-encoded string that, if decoded directly, would produce an error or nonsensical output. The program therefore uses the &#8220;Replace&#8221; function to remove a fixed random string (e.g., &#8220;8sECYQTgBU&#8221;) that has been repeatedly inserted into the Base64 text as noise. 
Once the noise or junk string is removed, the banking trojan applies standard decoding (Base64 to UTF-8) to obtain the plaintext string.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1541\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig24.jpg\" alt=\"\" width=\"1020\" height=\"493\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig24.jpg 1428w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig24-300x145.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig24-1024x495.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig24-768x371.jpg 768w\" sizes=\"auto, (max-width: 1020px) 100vw, 1020px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 24. Obfuscated strings in <em>Coyote\u2014<\/em>a similar technique observed by SCILabs in <em>Silver Oryx Blade<\/em><\/strong><\/p>\n<p>Based on the above, SCILabs concludes that the <em>Silver Oryx Blade<\/em>, <em>Coyote, <\/em>and <em>Maverick <\/em>trojans exhibit technical convergence, as they share a .NET development framework and the recurring use of the WatsonTCP library for their communications with the command-and-control (C2) server. This infrastructure is reinforced using local X509 certificates embedded in the various <em>Blue Margay <\/em>malware variants and the shared use of Fody Costura technology to package resources and dependencies directly into the binary. 
Additionally, the systematic use of AES encryption, Base64 obfuscation, the Json.NET framework, and the targeting of victims in Brazil via fileless execution confirm a high degree of code and tactic reuse among the three banking trojans.<\/p>\n<h1><a name=\"_Toc230264490\"><\/a><em>Blue Margay<\/em> Diamond Model<\/h1>\n<p>The following diamond model was developed based on malware analysis and open-source intelligence processes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-1542\" src=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25.jpg\" alt=\"\" width=\"994\" height=\"545\" srcset=\"https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25.jpg 2551w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25-300x164.jpg 300w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25-1024x561.jpg 1024w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25-768x421.jpg 768w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25-1536x842.jpg 1536w, https:\/\/blog.scilabs.mx\/en\/wp-content\/uploads\/sites\/3\/2026\/06\/Fig25-2048x1122.jpg 2048w\" sizes=\"auto, (max-width: 994px) 100vw, 994px\" \/><\/p>\n<p style=\"text-align: center\"><strong>Figure 25. <em>Blue Margay<\/em> diamond model<\/strong><\/p>\n<h1><a name=\"_Toc230264491\"><\/a>Conclusion<\/h1>\n<p>According to SCILabs telemetry, the landscape of banking trojans in Brazil has undergone a sustained transformation in recent years, with the emergence of <em>Coyote<\/em>, <em>Silver Oryx Blade<\/em>, and <em>Maverick<\/em> demonstrating significant technical convergence and a constant evolution toward stealth.<\/p>\n<p>SCILabs considers that the danger lies in the pioneering use of advanced technologies to evade traditional security solutions. 
While <em>Coyote<\/em> stands out as the first malware identified to abuse the Microsoft UI Automation (UIA) framework to extract credentials directly from browser tabs, <em>Maverick<\/em> raises the threat level through an entirely in-memory operation and the potential use of artificial intelligence to assist in writing its code, specifically in the decryption logic. The worm-like propagation via WhatsApp Web, observed in the most recent variants of <em>Maverick<\/em> and <em>Coyote<\/em>, allows for faster spread that not only facilitates the theft of funds but also erodes users\u2019 digital trust.<\/p>\n<p>For users in Brazil, the potential impact of these three banking trojans could be significant, even for the cybersecurity of the Brazilian financial market, as they actively monitor dozens of banking apps and cryptocurrency services.<\/p>\n<p>Given their history of code refactoring and continuous improvement of tactics, it is highly likely that these banking trojans will continue to evolve, integrating even more complex evasion methods and potentially expanding their reach to other Latin American countries.<\/p>\n<p>SCILabs will continue to monitor this threat with the aim of recovering further samples from this family of trojans, allowing a better understanding of the malware and keeping organizations and users updated on changes to its TTPs, new IoCs, or other relevant information that could be vital to avoid becoming a victim of this campaign.<\/p>\n<p>Finally, SCILabs believes it is vital to follow the recommendations below to detect malicious activity related to this campaign early and avoid becoming a victim.<\/p>\n<h1><a name=\"_Toc230264492\"><\/a>Specific Recommendations for <em>Blue Margay<\/em><\/h1>\n<ul>\n<li>Add the IoCs shared in this document to your security solutions to reduce the likelihood of infection by this variant.<\/li>\n<li>Restrict or block the 
use of WhatsApp Web on devices that have access to sensitive financial systems or critical corporate information.<\/li>\n<li>Deploy EDR\/NGAV solutions with behavioral analysis capabilities to detect the reflective loading of .NET binaries and the execution of shellcode in memory (such as that generated by the Donut tool).<\/li>\n<li>Implement strict PowerShell execution policies, blocking the use of obfuscated commands, Base64, and the IEX method (DownloadString). Additionally, conduct threat hunting activities targeting these same types of techniques within your infrastructure.<\/li>\n<li>Monitor for the creation of files with the filename pattern HealthApp-*.bat in the Windows Startup folder and for registry keys such as <em>HKCU\\Environment\\UserInitMprLogonScript<\/em>.<\/li>\n<li>Strengthen multi-factor authentication (MFA) for all access to banking portals and financial services, as these trojans are designed to steal static credentials through phishing overlays.<\/li>\n<li>Keep the operating system up to date with the latest security patches to reduce the likelihood of an attacker exploiting vulnerabilities in Windows operating systems.<\/li>\n<li>Train staff, especially in accounting and finance departments, on the dangers of downloading ZIP files containing shortcuts (LNK) received via instant messaging or emails impersonating government entities.<\/li>\n<\/ul>\n<h1><a name=\"_Toc230264493\"><\/a>Indicators of Compromise<\/h1>\n<p>The following indicators were obtained through malware analysis and have a <strong>high<\/strong> level of 
confidence.<\/p>\n<p><strong>SHA256<\/strong><\/p>\n<p>EB615C093E9B52ED409F426764857E6E42AA85E02ADEF59D6F1457DCBB90BB40<\/p>\n<p>77C552981A57576C12EB0E0BF186424925C70F13AFB5D93D20D28D4DF5FE1A89<\/p>\n<p>56D6D649061458B8524A133ED6DB63C33F4E0A425A64AD927E248286FEA0F677<\/p>\n<p>4469CF139AE0E268B22E6409CF6BBBE807CEE29CBE24C2C40AE42B171FA87788<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Overview The purpose of this post is to describe the TTPs of the threat group Blue Margay, as named by<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35,4,1],"tags":[],"class_list":["post-1502","post","type-post","status-publish","format-standard","hentry","category-discoveries","category-malware","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=1502"}],"version-history":[{"count":13,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1502\/revisions"}],"predecessor-version":[{"id":1548,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1502\/revisions\/1548"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\
/media?parent=1502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=1502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=1502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}