{
	"id": "b25d7624-0c51-4d76-979a-9d28c85545a1",
	"created_at": "2026-04-06T00:20:05.981475Z",
	"updated_at": "2026-04-10T13:12:13.790097Z",
	"deleted_at": null,
	"sha1_hash": "18e01fbf329f5089cacb71e552b345fbe2e14216",
	"title": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C\u0026C",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100924,
	"plain_text": "Active Water Saci Campaign Spreading Via WhatsApp Features\r\nMulti-Vector Persistence and Sophisticated C\u0026C\r\nPublished: 2025-10-27 · Archived: 2026-04-05 12:35:41 UTC\r\nTrend Research analysis revealed suspicious file downloads initiated through WhatsApp Web, specifically files\r\nnamed Orcamento-2025*.zip.\r\nThe infection chain is initiated when a user downloads and extracts the ZIP archive, which includes an obfuscated\r\nVBS downloader named Orcamento.vbs. This VBS downloader issues a PowerShell command that carries out\r\nfileless execution via New-Object Net.WebClient to download and execute a PowerShell script\r\nnamed tadeu.ps1 directly in memory.\r\nThe downloaded PowerShell script is used to hijack WhatsApp Web sessions, harvest all contacts from the\r\nvictim's account, and automatically distribute malicious ZIP files to the said contacts while maintaining persistent\r\ncommand and control communication for large-scale social engineering campaigns.\r\ntadeu.ps1 a.k.a. whatsapp_automation_v6_robust.ps1\r\nThe malware begins its sophisticated attack by displaying a deceptive banner claiming to be \"WhatsApp\r\nAutomation v6.0\", immediately masking its malicious intent behind the guise of legitimate software. 
Investigation\r\nshows the consistent use of Portuguese, which suggests the threat actor’s focus on Brazil.\r\nUpon initialization, it generates a unique session identifier and establishes contact with its command-and-control\r\n(C\u0026C) infrastructure at hxxps://miportuarios[.]com/sisti/config[.]php to download operational parameters\r\nincluding target lists, message templates, and timing configurations.\r\nIf the C\u0026C server is unreachable, the malware seamlessly falls back to hardcoded default settings, ensuring the\r\nattack proceeds regardless of network conditions.\r\nIt creates a temporary workspace in C:\\temp, downloads the latest WhatsApp automation library (WA-JS) from\r\nGitHub, and retrieves a malicious ZIP payload and saves it as Bin.zip in C:\\temp.\r\nWhatsApp web browser hijacking\r\nSimilar to how the previous attack chain hijacks WhatsApp Web browser sessions, the malware checks the\r\ninstalled Chrome version and downloads the appropriate ChromeDriver for browser automation. It then installs\r\nthe Selenium PowerShell module, enabling automated browser tasks on the victim’s machine.\r\nAfter terminating any existing Chrome processes and clearing old sessions to ensure clean operation, the malware\r\ncopies the victim's legitimate Chrome profile data to its temporary workspace. This data includes cookies,\r\nauthentication tokens, and the saved browser session. This technique allows the malware to bypass WhatsApp\r\nWeb's authentication entirely, gaining immediate access to the victim's WhatsApp account without triggering\r\nsecurity alerts or requiring QR code scanning.\r\nhttps://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html\r\nPage 1 of 11\n\nWith the hijacked session in place, the malware launches Chrome with specific automation flags designed to\r\nevade detection and inject the WA-JS library for WhatsApp control.
\r\nThe malware then systematically harvests all WhatsApp contacts using sophisticated JavaScript filtering to\r\nexclude specific number patterns while collecting names and phone numbers. The harvested contact list is\r\nimmediately exfiltrated to the C\u0026C server.\r\nRemote control mechanism\r\nThe malware implements a sophisticated remote C\u0026C system that allows attackers to pause, resume, and monitor\r\nthe malware's spreading campaign in real time, enabling coordinated control across infected machines and turning the\r\nmalware into a botnet tool capable of stopping and starting its activity based on attacker commands.\r\nThe malware sends GET requests to miportuarios.com/sisti/config.php?chave=envio_ativo before every contact\r\nand during message delays, where the C\u0026C server responds with JSON data containing {\"success\": true, \"data\":\r\n{\"valor\": \"true/false\"}}: if the valor field is \"false\", the malware immediately pauses all operations, but if \"true,\" it\r\ncontinues spreading, and includes a built-in fail-safe that defaults to continuing operations if the C\u0026C server\r\nbecomes unreachable.\r\nWhen the C\u0026C server instructs the malware to pause, it enters a continuous polling loop that checks the server\r\nstatus every 30 seconds while maintaining a verification counter for tracking, logging all pause/resume events\r\nback to the C\u0026C server, and immediately resuming the spreading of the campaign the moment the server sends a\r\n\"continue\" command, allowing attackers real-time operational control to coordinate timing across multiple\r\ninfected machines and respond instantly to detection threats.\r\nTo maintain robust and responsive control, the malware performs remote status checks at several key stages\r\nthroughout its lifecycle:\r\nDistribution initiation check. Before starting the campaign, the malware contacts the C\u0026C server to\r\ndetermine if distribution should begin.\r\nPer-contact verification. 
Prior to processing each contact, it checks with the server for any remote pause\r\ncommands, giving attackers precise control over the spreading process.\r\nDelay interval monitoring. During wait times between sending messages, the malware repeatedly checks\r\nfor pause instructions, ensuring it can instantly suspend or resume operations as needed.\r\nCoordinated distribution management. These control points collectively allow attackers to manage the\r\ndistribution in real time, making the malware highly adaptable and coordinated.\r\nAutomated ZIP file distribution\r\nThe malware converts the downloaded ZIP file at C:\\temp\\Bin.zip into base64 encoding to enable transmission\r\nthrough WhatsApp's messaging system, then generates randomized filenames like \"Orcamento-202512345678.zip\" using the configurable prefix and 8-digit random numbers.\r\nThe malware iterates through every harvested contact, checking for remote pause commands before each contact,\r\nthen personalizes greeting messages by replacing template variables with time-based greetings and contact names.\r\nFor each contact, the malware injects JavaScript code into WhatsApp Web that converts base64 data back to\r\nbinary, creates File objects, and executes a three-step automated sequence: greeting message, malicious file, and\r\nclosing message.\r\nThe malware generates detailed campaign statistics and sends them back to the C\u0026C server, giving threat actors\r\ninsight into success rates, victim system profiles, and lists of successfully contacted targets. 
This intelligence\r\nallows attackers to accurately measure campaign performance, orchestrate actions across multiple infected\r\nmachines, and strategize future targeted attacks using the gathered data.\r\nSORVEPOTEL backdoor: Orcamento.vbs\r\nAnti-analysis mechanisms\r\nThe malware also performs comprehensive security checks designed to prevent analysis and limit execution to\r\nintended targets. The language verification system ensures execution only on Portuguese-language systems.\r\nThe anti-analysis capabilities extend to debugger detection, actively scanning for common analysis tools such as\r\nollydbg.exe, idaq.exe, x32dbg.exe, x64dbg.exe, windbg.exe, processhacker.exe, and procmon.exe. If any of these\r\nchecks are satisfied, the malware employs a sophisticated self-destruct mechanism that creates a batch file to\r\ndelete itself and execute cleanup operations.\r\nBefore establishing persistence, the malware implements a WMI-based mutex mechanism to prevent multiple\r\ninstances from running simultaneously. This implementation uses WMI process enumeration rather than\r\ntraditional Windows mutex objects, querying for wscript.exe and cscript.exe processes and checking their\r\ncommand lines for the service name. If more than one instance is detected, the malware exits to prevent conflict.\r\nPersistence mechanisms\r\nThe malware implements a multi-vector persistence strategy that ensures survival across system reboots and user\r\nsessions. The auto-installation routine establishes a foothold through both registry modifications and scheduled\r\ntask creation using a dropped copy of itself named WinManagers.vbs saved in\r\nC:\\ProgramData\\WindowsManager\\.\r\nDual-channel communication architecture\r\nThe most sophisticated aspect of the backdoor is its email-based C\u0026C infrastructure. 
Rather than relying on\r\ntraditional HTTP-based communication, the malware leverages IMAP connections to terra.com.br email accounts,\r\nusing hardcoded credentials to log in to the email account and retrieve commands.\r\nThe email parsing system extracts multiple types of URLs from email content:\r\ndata: URLs for primary C\u0026C server endpoints\r\nbackup: URLs for failover C\u0026C infrastructure\r\nps: URLs for PowerShell payload delivery\r\nBesides the email stated in figure 27, it was also observed that the attackers used other emails with different\r\ndomains and passwords.\r\nApart from hardcoded email credentials, attackers also used other emails; monitoring also showed that they later\r\nincluded multi-factor authentication (MFA) to prevent unauthorized access to these accounts. However, this likely\r\nintroduced operational delays since each login required manual input of an authentication code, likely prompting\r\nthe deployment of new email accounts to streamline their activities.\r\nOnce the backdoor obtains C\u0026C server URLs from the email channel, it transitions to an aggressive HTTP-based\r\npolling system that forms the backbone of its remote access capabilities. Every five seconds, the malware sends\r\nHTTP POST requests to the extracted C\u0026C servers, querying for pending commands using the action parameter\r\nget_commands.\r\nWhen the backdoor receives a command, it utilizes the ProcessarComando() function to handle its execution. This\r\nfunction begins with an anti-duplicate mechanism, using timer-based tracking to ignore repeated commands\r\nwithin a 30-second window. If the command is unique, it parses the instruction to determine the action and any\r\nparameters. 
The malware then routes the command to the appropriate handler, enabling it to perform tasks such as\r\nsystem information collection, executing local or PowerShell commands, managing files and processes, taking\r\nscreenshots, or controlling system power states.\r\nOnce the malware establishes a foothold on the compromised system, it can receive and perform a wide range of\r\ninstructions sent by its C\u0026C server, such as the following:\r\nCommand | Description\r\nINFO | Gathers comprehensive system information including OS version, CPU details, computer name, and current user.\r\nCMD | Executes Windows command prompt commands with hidden window and captures output to temporary files.\r\nPOWERSHELL | Executes PowerShell commands with bypass execution policy and hidden window mode for advanced system operations.\r\nSCREENSHOT | Captures full desktop screenshot using PowerShell and Windows Forms, saves as timestamped PNG file.\r\nTASKLIST | Enumerates all running processes with PID, name, and memory usage via WMI queries.\r\nKILL | Terminates specified processes by name using WMI process termination methods.\r\nLIST_FILES | Performs directory enumeration showing files/folders with sizes, dates, and attributes up to 100 items.\r\nDOWNLOAD_FILE | Downloads files from infected system using Base64 encoding with automatic chunking for large files.\r\nUPLOAD_FILE | Uploads files to infected system with automatic directory creation and Base64 decoding.\r\nUPLOAD_FILE | Uploads files from client to server using 30KB chunks with Base64 encoding for large file support.\r\nDELETE | Removes specified files or folders with force deletion capabilities to bypass permissions.\r\nRENAME | Renames files and folders with parameter validation and error handling for file system operations.\r\nCOPY | Copies files or folders to specified destinations with overwrite capabilities and directory creation.\r\nMOVE | Moves files or folders between locations with automatic path resolution and error handling.\r\nFILE_INFO | Retrieves detailed metadata including file size, creation date, modification date, and attributes.\r\nSEARCH | Searches for files matching specified patterns across directory trees with recursive traversal.\r\nCREATE_FOLDER | Creates new directories with full path validation and automatic parent directory creation.\r\nREBOOT | Initiates immediate system restart with 30-second delay using Windows shutdown command with force flag.\r\nSHUTDOWN | Powers down the system completely with 30-second delay using shutdown command with force parameters.\r\nUPDATE | Downloads and installs updated malware version from specified URL using batch file replacement method.\r\nCHECK_EMAIL | Manually triggers immediate email check for new C\u0026C URLs and infrastructure updates.\r\nTable 1. Instructions sent by the malware’s C\u0026C server and their corresponding functions\r\nOnce a command has been executed, the backdoor prepares the results for transmission back to the command and\r\ncontrol (C\u0026C) server using the EnviarResultado() function. This step includes sanitizing the output, removing\r\nunwanted control characters, and compressing whitespace. If the result exceeds the size limit, it is truncated before\r\nbeing URL-encoded. 
The data is then sent via an HTTP POST request, ensuring that attackers receive concise and\r\norganized feedback for each command issued.\r\nWater Saci evolution and possible links to Coyote\r\nWater Saci shares similarities with Coyote, a stealthy banking trojan that was first identified in 2024 and\r\nwas later observed to propagate via WhatsApp in early 2025.\r\nWater Saci and Coyote both exploit social engineering to reach Brazilian victims, and both campaigns’ tactics\r\nhave evolved significantly in parallel: from compiled .NET banking trojans delivered via email and ZIP files, they\r\nevolved to use sophisticated, script-driven automation that hijacks browser sessions and leverages WhatsApp\r\nWeb.\r\nThe infection methods and ongoing tactical evolution, along with the region-focused targeting, indicate that Water\r\nSaci is likely linked to Coyote, and both campaigns operate within the same Brazilian cybercriminal ecosystem.\r\nLinking the Water Saci campaign to Coyote reveals a bigger picture that exhibits a significant shift in the banking\r\ntrojan's propagation methods. Threat actors have transitioned from relying on traditional payloads to exploiting\r\nlegitimate browser profiles and messaging platforms for stealthy, scalable attacks.\r\nIn September 2022, Coyote emerged in Latin America through phishing campaigns, cleverly masking malicious\r\nZIP archives as resume submissions. The infection chain followed a ZIP archive containing a LNK file, which\r\nexecuted an MSI installer, eventually dropping a DLL payload to establish remote access. By June 2023, Coyote\r\nshifted tactics, deploying the Squirrel ecosystem at the initial attack stage and distributing malware via\r\nspearphishing links rather than attachments. 
The use of NuGet packages in its second stage showcased an\r\nadaptable attack structure.\r\nA major development appeared in February 2025, as Coyote expanded its propagation methods to include\r\nWhatsApp Web: an unusual vector for banking Trojans in the region at the time. Through automation of active\r\nWhatsApp sessions, the malware mass-delivered ZIP files to contacts. Code obfuscation leveraged Donut tooling,\r\nand malicious browser extensions began monitoring user activity in both Brave and Chrome browsers.\r\nIn September 2025, a self-propagating campaign surfaced that Trend Research identified as Water Saci with the\r\nmalware SORVEPOTEL. The campaign was highlighted by malicious ZIP files such as \"RES-20250930_112057.zip\".\r\nThe attack now utilized a modular architecture, delivering distinct payloads for WhatsApp hijacking and .NET-based infostealer functionality. Notably, it featured sophisticated overlay windows that closely mimicked banking\r\ninterfaces, dynamically adapting and seamlessly extracting sensitive credentials.\r\nBy October 2025, Trend Research found that the payload delivery techniques evolved further, relying on Visual\r\nBasic Script and PowerShell-based loaders instead of .NET binaries. 
This script-driven approach facilitated\r\ncontinued propagation and evasion of traditional security controls.\r\nAspect | Coyote | SORVEPOTEL (September 2025) | SORVEPOTEL (October 2025)\r\nPrimary Infection Vector | Phishing emails (ZIP w/ LNK/MSI) and later, direct malicious links | Self-propagation via hijacked WhatsApp Web sessions, delivering ZIP files with LNK downloader | Self-propagation via hijacked WhatsApp Web sessions, delivering ZIP files with VBS downloader\r\nExecution Chain | Abuse of Squirrel installer and NodeJS; use of advanced Nim and Donut-based loaders | Multi-stage PowerShell chain with reflective DLL loading and shellcode injection | PowerShell script via fileless execution\r\nPersistence Methods | Registry keys: UserInitMprLogonScript and Software\\Microsoft\\Windows\\CurrentVersion\\Run | BAT script in Startup, registry modifications for autorun | Registry and scheduled task creation (WinManagers.vbs in ProgramData)\r\nEvasion | DLL side-loading, binary padding/obfuscation, XOR encryption, sandbox and anti-analysis, captcha | Locale/region check, anti-debugging, detection of analysis tools, typosquatting domains | Language check (Portuguese), debugger detection (OllyDbg, IDA, x32/x64dbg, etc.), self-deletion\r\nPayload Architecture | Monolithic .NET banking trojan with all functions integrated into a single payload | Modular design with two distinct payloads: a dedicated WhatsApp Propagation Module and a separate Banking Trojan Module | Full-featured backdoor that uses IMAP for C\u0026C URL retrieval, has persistent polling (propagation pause/resume), detailed stat reporting, botnet capabilities\r\nBanking Trojan Functionality | Monitors browser windows, keylogging, screen capture, and deploys fake overlay windows for credential theft | Geolocation checks, advanced browser monitoring, and deploys highly sophisticated and interactive overlay windows with transparency effects | No banking trojan functionality\r\nTable 2. A matrix that shows the similarities and evolution of Coyote and the SORVEPOTEL malware identified\r\nin the Water Saci campaign\r\nAttackers who once relied on noisy, file-based banking Trojans have quietly moved toward low-artifact, browser-state abuse, and WhatsApp Web became the preferred delivery highway. The evolution can be read as three\r\ndistinct waves: a noisy compiled-trojan phase, a hybrid automation phase with browser tooling, and a current\r\nscript-first phase that weaponizes live WhatsApp sessions.\r\nFirst wave: Compiled banking Trojan\r\nAttackers initiated campaigns with phishing emails delivering ZIP archives containing LNK or EXE files.\r\nExecution chains typically involved LNK files launching PowerShell stagers, which deployed compiled .NET\r\nbanking Trojan payloads. These Trojans utilized Donut-style in-memory loaders and DLL side-loading to inject\r\nmalicious code into legitimate processes. Persistence was established through registry autorun entries and\r\nmodifications to system startup folders. Evasion techniques included binary padding, obfuscation, and basic\r\nsandbox or anti-analysis checks.\r\nSecond wave: Automation and browser tooling\r\nSubsequent campaigns integrated automation, blending phishing with widespread distribution via web and\r\nmessaging platforms. 
Delivered ZIP/LNK files triggered PowerShell or BAT scripts that launched .NET payloads\r\nincorporating browser automation frameworks like ChromeDriver and Selenium. Additional persistence\r\nmechanisms featured BAT scripts in startup folders and registry alterations. Attack chains added locale or region\r\nchecking, anti-debugging routines, and typosquatting domains. Malware capabilities expanded to session\r\nhijacking, keylogging, automated account takeover, and dynamic phishing overlays, often mimicking legitimate\r\nuser behaviors.\r\nThird wave: Script-based attack\r\nRecent attacks leverage fileless chains via WhatsApp-distributed ZIPs containing obfuscated VBS scripts that run\r\nPowerShell payloads in memory. The malware installs browser automation, injects WA-JS into active sessions,\r\nand hijacks Chrome profiles to harvest contacts and spread malicious ZIPs. Persistence relies on WMI mutexes,\r\nscheduled tasks, ProgramData scripts, and registry changes. Evasion includes language checks, anti-debugging,\r\nself-deletion, and automation flags. C2 uses HTTP polling and IMAP/email fallback, enabling resilient\r\ncommunications and telemetry. Payloads provide full backdoor access and automated, personalized propagation.\r\nThese evolving attack waves illustrate the rapid innovation and increasing sophistication of the malware targeting\r\nBrazil’s financial and messaging platforms. While the Water Saci and Coyote campaigns share notable technical\r\noverlaps and approaches that strongly suggest the two are linked, it remains to be seen if they are definitively\r\noperated by the same threat actor. 
Ongoing monitoring and analysis are essential as attackers adapt their methods,\r\nand Trend Research continues to investigate these connections for a deeper understanding of the threat landscape.\r\nConclusion\r\nTrend Research’s continuous monitoring of Water Saci’s active campaign shows that the threat actors behind it are\r\naggressive both in quantity and quality. While the initial investigation of the Water Saci campaign showed how\r\nfast the malware’s self-propagation facilities are, the new attack chain demonstrates a significant evolution in\r\nadversarial capabilities.\r\nOur analysis shows that threat actors behind Water Saci leverage an email-based C\u0026C infrastructure utilizing\r\nIMAP connections to terra[.]com[.]br accounts, rather than traditional HTTP-based communication channels.\r\nThis methodology, coupled with a multi-vector persistence strategy, ensures the malware’s resilience across\r\nsystem reboots and diverse user environments.\r\nThe attack chain also features checks to evade detection, analysis, and restrict execution to designated targets,\r\nfurther enhancing operational stealth. The malware also enables attackers to collect detailed campaign statistics,\r\nwhich facilitates actionable intelligence on success rates, victim profiles, and targeted outreach. This potentially\r\nenables the threat actors to more strategically plan and measure performance.\r\nMost notably, the remote C\u0026C system offers advanced control, permitting threat actors to pause, resume, and\r\noversee the campaign in real time, effectively transforming the infected endpoints into a coordinated botnet for\r\ndynamic operations.\r\nApart from the sophisticated tactics and techniques employed by the attackers, the success of this campaign in\r\nBrazil can also be attributed to the high adoption of the instant messaging platform leveraged by the\r\ncybercriminals in the country. 
It is critical that companies follow defense recommendations to secure their\r\nenterprises and enhance their detection capabilities to proactively mitigate such sophisticated threats.\r\nTrend Research also recommends that enterprises review their policies and educate employees to prevent being\r\nvictimized by banking Trojans that rely on social engineering to propagate.\r\nThe abuse of the instant messaging platform with a campaign that exhibits the modular architecture revealed in the\r\nWater Saci investigation suggests the high possibility of additional payloads being used and propagated. Constant\r\nvigilance is imperative for enterprises to stay on top of these evolving threats.\r\nDefense recommendations\r\nTo minimize the risks associated with the Water Saci campaign, Trend recommends several practical initial\r\ndefense items:\r\nDisable Auto-Downloads on WhatsApp. Turn off automatic downloads of media and documents in\r\nWhatsApp settings to reduce accidental exposure to malicious files.\r\nControl File Transfers on Personal Apps. Use endpoint security or firewall policies to block or restrict\r\nfile transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed\r\ndevices. If your organization supports BYOD, enforce strict app whitelisting or containerization to protect\r\nsensitive environments.\r\nEnhance User Awareness. The victimology of the Water Saci campaign suggests that attackers are\r\ntargeting enterprises. Organizations are recommended to provide regular security training to help\r\nemployees recognize the dangers of downloading files via messaging platforms. Advise users to avoid\r\nclicking on unexpected attachments or suspicious links, even when they come from known contacts, and\r\npromote the use of secure, approved channels for transferring business documents. 
\r\nEnhance Email and Communication Security Controls. Restrict access to personal email and messaging\r\napps on corporate devices. Use web and email gateways with URL filtering to block known malicious C2\r\nand phishing domains.\r\nEnforce Multi-Factor Authentication (MFA) and Session Hygiene. Require MFA for all cloud and web\r\nservices to prevent session hijacking. Advise users to log out after using messaging apps and regularly\r\nclear browser cookies and tokens.\r\nDeploy Advanced Endpoint Security Solutions. Use Trend Micro endpoint security platforms (such as\r\nApex One or Vision One) to detect and block suspicious script-based attacks, fileless malware, and\r\nautomation abuse. Enable behavioral monitoring to catch unauthorized VBS/PowerShell execution,\r\nbrowser profile alterations, and lateral movement attempts related to WhatsApp and similar threats.\r\nImplementing these recommendations will help organizations and individuals better defend against malware\r\nthreats delivered through messaging applications.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure\r\nmanagement and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.\r\nThe following sections contain Trend Vision One insights, reports, and queries mentioned in the previous blog\r\nwith additional information from this report.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides\r\nthe latest insights from Trend™ Research on emerging threats and threat actors.
\r\nTrend Vision One Threat Insights\r\nThreat Actors: Water Saci\r\nEmerging Threats: Evolving WhatsApp Script-Based Attack Chain Leveraging VBS and PowerShell\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nEvolving WhatsApp Script-Based Attack Chain Leveraging VBS and PowerShell\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nDetect suspicious ZIP file creation that matches WhatsApp-related campaign names (Orcamento*.zip,\r\nBin.zip) and deployment of VBS files for persistence.\r\neventSubId:101 AND (objectFilePath:Orcamento.zip OR objectFilePath:*Bin.zip OR objectFilePath:*WinManagers.vbs)\r\nIndicators of Compromise (IoCs)\r\nIndicators of Compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html"
	],
	"report_names": [
		"active-water-saci-campaign-whatsapp-update.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d11b4ce0-97fd-4f61-8186-40e8c390d5d3",
			"created_at": "2026-01-18T02:00:03.069539Z",
			"updated_at": "2026-04-10T02:00:03.908186Z",
			"deleted_at": null,
			"main_name": "Water Saci",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Saci",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18e01fbf329f5089cacb71e552b345fbe2e14216.pdf",
		"text": "https://archive.orkl.eu/18e01fbf329f5089cacb71e552b345fbe2e14216.txt",
		"img": "https://archive.orkl.eu/18e01fbf329f5089cacb71e552b345fbe2e14216.jpg"
	}
}