Mallory

Water Saci

Water Saci is a malware campaign targeting financial institutions and cryptocurrency exchanges, primarily in Brazil, with reporting indicating potential expansion to other Latin American countries. The campaign spreads self-propagating malware through WhatsApp (both WhatsApp Desktop and WhatsApp Web workflows) and has evolved from simple phishing into layered, social-engineering-driven delivery using malicious ZIP archives, HTA files and MSI installers, with lures such as Adobe Reader updates, fake government programs, delivery notifications and fraudulent investment groups.

Reporting states that the operators used large language models to port the malware from PowerShell to Python. The resulting Python-based variant offers broader browser compatibility, more automation, batch messaging, better error handling and additional evasion intended to defeat pattern-based detection and complicate analysis; detections keyed to the earlier PowerShell variant's strings, hashes or process ancestry should therefore not be assumed to cover it. The campaign is associated with a banking trojan referred to in the reporting as Sorvepotel. Related reporting also describes Eternidade Stealer, a Delphi-based stealer/banking trojan distributed through WhatsApp account hijacking and social engineering in a closely aligned Brazil-focused campaign.

Observed behavior includes a WhatsApp-propagating worm that steals contact lists from WhatsApp Web, exfiltrates them to command-and-control infrastructure, and then sends personalized malicious messages and attachments to the victim's contacts to keep propagating. The infection chain described in the reporting runs in this order: an obfuscated VBScript drops a batch file; Python dependencies are installed; the WhatsApp worm is executed; and an MSI installer is downloaded that deploys additional components. The later-stage malware performs host profiling, security-product discovery, anti-analysis checks, persistence, and active-window and process monitoring, and focuses on Brazilian banking portals, payment services and cryptocurrency platforms. Reported targets and monitored brands/platforms include Bradesco, BTG Pactual, Caixa Econômica Federal, Banco do Brasil, Binance, Coinbase, MetaMask and Trust Wallet.

High-confidence indicators and infrastructure from the reporting, listed here in defanged form (refang them before matching against telemetry), include: the WhatsApp worm with SHA-256 6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1; the registry marker HKEY_CURRENT_USER\Software\MeuApp with value Inicio; the fallback domain domimoveis1[.]com[.]br; the exfiltration endpoint hxxps://itrexmssl[.]com/jasmin/altor/receptor[.]php; the related domains varegjopeaks[.]com, centrogauchodabahia123[.]com, itrexmssl[.]com, alentodolcevitad[.]com, miportuarios[.]com, mazdafinancialsevrices[.]com, adilsonralfadvocaciad[.]com, domimoveis1[.]com[.]br and serverseistemasatu[.]com; and the related IPs 103.84.176[.]107, 104.21.48[.]41, 162.120.71[.]56, 185.169.234[.]139, 83.229.17[.]71, 140.99.164[.]172 and 174.138.187[.]2. Note that at least one of these addresses (104.21.48[.]41) sits in a large shared CDN range, so an IP-only match should be corroborated with a domain or URL match before it is treated as an infection.
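As an added example (this is not Mallory's code and not part of the original reporting), the following script turns the indicators above into an offline hunt: it refangs the defanged values, then matches them against a handful of constructed telemetry records (DNS queries, proxy URLs, netflow destinations, a Sysmon registry event and a process hash). The event schema is hypothetical. Two details matter in practice and are handled here: domain matching must be exact-or-subdomain so that a lookalike such as itrexmssl.com.example.net does not trigger, and Sysmon records HKCU keys as HKU\<SID>\..., so the registry comparison ignores the hive and SID. The page does not say whether "Inicio" is the value name or its data; the example assumes it is the value name.

```python
"""Offline IOC hunt for the Water Saci indicators on this page (added example)."""
import re

# Indicators as published (defanged); refanged before matching.
IOCS = {
    "sha256": {"6168d63fad22a4e5e45547ca6116ef68bb5173e17e25fd1714f7cc1e4f7b41e1"},
    "domain": {
        "varegjopeaks[.]com", "centrogauchodabahia123[.]com", "itrexmssl[.]com",
        "alentodolcevitad[.]com", "miportuarios[.]com", "mazdafinancialsevrices[.]com",
        "adilsonralfadvocaciad[.]com", "domimoveis1[.]com[.]br", "serverseistemasatu[.]com",
    },
    "url": {"hxxps://itrexmssl[.]com/jasmin/altor/receptor[.]php"},
    "ip": {
        "103.84.176[.]107", "104.21.48[.]41", "162.120.71[.]56", "185.169.234[.]139",
        "83.229.17[.]71", "140.99.164[.]172", "174.138.187[.]2",
    },
    # Assumption: "Inicio" is the value name under the MeuApp key.
    "registry": {r"HKEY_CURRENT_USER\Software\MeuApp\Inicio"},
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.] and hxxp) back into a matchable string."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def host_of(value: str) -> str:
    """Host part of a URL or bare hostname, without scheme, port or path."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value.lower())
    return s.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """Exact or subdomain match only; 'itrexmssl.com.example.net' must not match."""
    h = host_of(host)
    return h == ioc_domain or h.endswith("." + ioc_domain)


def registry_matches(target_object: str, ioc_path: str) -> bool:
    """Compare registry paths below the hive. Sysmon writes HKCU keys as
    HKU\\<SID>\\..., so the hive (and SID) are dropped before comparing."""
    def below_hive(path: str) -> list:
        parts = path.replace("/", "\\").lower().split("\\")
        if parts[0] in ("hku", "hkey_users"):
            return parts[2:]          # drop hive and SID
        if parts[0] in ("hkcu", "hkey_current_user"):
            return parts[1:]
        return parts
    t, k = below_hive(target_object), below_hive(ioc_path)
    return t[: len(k)] == k


def _match(ev: dict, kind: str, ioc: str) -> bool:
    """Apply one refanged IOC of the given kind to one telemetry record."""
    t = ev["type"]
    if kind == "sha256" and t == "process":
        return ev["sha256"].lower() == ioc
    if kind == "domain" and t in ("dns", "proxy"):
        return domain_matches(ev.get("query") or ev.get("url"), ioc)
    if kind == "url" and t == "proxy":
        return ev["url"].lower().rstrip("/") == ioc.rstrip("/")
    if kind == "ip" and t == "netflow":
        return ev["dst_ip"] == ioc
    if kind == "registry" and t == "registry":
        return registry_matches(ev["target"], ioc)
    return False


def hunt(events: list, iocs: dict = IOCS) -> list:
    """Return (event_id, ioc_kind, refanged_ioc) for every hit, in event order."""
    fanged = {kind: {refang(v) for v in vals} for kind, vals in iocs.items()}
    hits = []
    for ev in events:
        for kind, vals in fanged.items():
            for ioc in sorted(vals):
                if _match(ev, kind, ioc):
                    hits.append((ev["id"], kind, ioc))
    return hits


# Constructed sample telemetry (not real logs); comments give the expected verdict.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "query": "cdn.itrexmssl.com"},                          # subdomain of C2: hit
    {"id": 2, "type": "dns", "query": "itrexmssl.com.cdn-lookalike.net"},            # lookalike: no hit
    {"id": 3, "type": "proxy", "url": "https://itrexmssl.com/jasmin/altor/receptor.php"},  # domain + URL hit
    {"id": 4, "type": "proxy", "url": "https://www.domimoveis1.com.br/"},            # fallback domain: hit
    {"id": 5, "type": "netflow", "dst_ip": "185.169.234.139"},                       # hit
    {"id": 6, "type": "netflow", "dst_ip": "185.169.234.13"},                        # prefix only: no hit
    {"id": 7, "type": "registry",
     "target": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\MeuApp\Inicio"},          # marker: hit
    {"id": 8, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\wa.py",
     "sha256": "6168D63FAD22A4E5E45547CA6116EF68BB5173E17E25FD1714F7CC1E4F7B41E1"},  # case-insensitive hit
    {"id": 9, "type": "dns", "query": "mail.google.com"},                            # no hit
]

if __name__ == "__main__":
    for event_id, kind, ioc in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {kind} match on {ioc}")
```

Feeding real telemetry means replacing SAMPLE_EVENTS with records normalized to the same fields; the matching rules do not change. The IP matches in particular should be read alongside the CDN caveat above.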
