Water Saci
Water Saci is a financially motivated cybercrime threat actor primarily active in Brazil. It is also referred to as Augmented Marauder in some reporting. The group is known for banking-trojan campaigns that heavily abuse WhatsApp as a primary infection and propagation vector, including self-propagating worm activity via WhatsApp Web. Reported campaigns target Brazilian users and, in separate email-based activity, Spanish-speaking users across Latin America and Spain.

Across the cited reporting, Water Saci uses layered, social-engineering-driven infection chains built from formats such as HTA, ZIP, PDF, VBS, MSI, and AutoIt components to deliver banking malware. The group has been observed evolving from PowerShell-based propagation to Python-based automation, with reporting noting possible use of AI tools or code-translation assistance. WhatsApp propagation has included automation through Selenium, WPPConnect, and hijacked authenticated WhatsApp Web sessions, with contact harvesting, mass messaging, personalized lures, and worm-like spread. One campaign also abused Microsoft Outlook accounts on infected hosts to send phishing emails from trusted accounts.

The actor has been linked in reporting to the delivery or operation of multiple banking malware families and variants, including Maverick, TCLBANKER, Casbaneiro variants, Astaroth, and activity described as structurally similar to Casbaneiro/Metamorfo. Trend Micro attributes the Maverick campaign to Water Saci, and reporting describes SORVEPOTEL as a WhatsApp-propagating worm associated with this activity. Elastic assessed TCLBANKER as a major evolution of the Maverick ecosystem associated with Trend Micro's Water Saci cluster. Trend Micro also reported possible links between Water Saci and the developers of the Coyote banking trojan, but stated that this is not definitive.
Observed capabilities in the associated malware include Brazilian Portuguese locale checks, anti-analysis and anti-VM controls, debugger and security-tool detection, ETW disabling, hook removal, persistence via scheduled tasks and registry changes, process hollowing into svchost.exe, browser and window monitoring for banking and cryptocurrency targets, keylogging, screenshot and screen-stream capture, clipboard manipulation, remote command execution, file and process management, and fake banking overlays for credential theft. Targeting described in reporting includes Brazilian banks and financial platforms, as well as payment and cryptocurrency services; separate BlueVoyant reporting says the group targeted Spanish-speaking users across Latin America and Spain with judicial-summons-themed phishing that ultimately delivered Casbaneiro.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
Where they target
Geographies tied to known operations.
- 🇧🇷 Brazil
Where they're from
Attributed origin per open-source reporting.
- BR
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Threat cluster attributed with the Maverick banking trojan campaign, which is known to use the SORVEPOTEL worm to spread via WhatsApp Web to victims' contacts.
Financially motivated Brazilian cybercrime operation conducting banking-trojan campaigns targeting Spanish-speaking users across Latin America and Spain via phishing emails and WhatsApp, using self-propagation to steal banking credentials.
Brazil-focused financially motivated actor evolving a multi-stage infection chain to spread a banking trojan via WhatsApp (including worm-like propagation), using layered file formats and shifting scripting languages to improve evasion and scale.
Brazil-focused financially motivated actor using WhatsApp worming and layered infection chains (HTA/PDF; Python variant) to deploy banking trojans and enable fraud (the source title also mentions RelayNFC).