AI-Enhanced Python Malware Targets Brazilian Financial Institutions via WhatsApp
A threat campaign known as Water Saci has escalated its attacks on Brazilian financial institutions and cryptocurrency exchanges by deploying a new Python-based malware variant. This campaign leverages artificial intelligence (AI) to convert previous PowerShell propagation scripts into Python, resulting in broader browser compatibility, improved error handling, and faster automation of malware delivery through WhatsApp Web. The attackers use a highly layered attack chain involving multiple file formats such as HTA files, ZIP archives, and PDFs to evade detection and complicate analysis, with the ultimate goal of stealing sensitive data and monitoring user activity on compromised machines.
The campaign primarily targets enterprise users of WhatsApp in Brazil, exploiting social engineering tactics to deliver malicious payloads through convincing messages from trusted contacts. Researchers warn that the use of AI-driven code conversion and multi-format delivery methods marks a significant evolution in the threat landscape, making these attacks more sophisticated and harder to detect. While the campaign is currently concentrated in Brazil, there is concern it could expand to other Latin American countries as the techniques continue to evolve.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Trend Micro publicly discloses Water Saci campaign and mitigations
Trend Micro published research detailing the Water Saci campaign, its AI-enhanced Python variant, and its WhatsApp worm propagation in Brazil. The company also recommended mitigations such as disabling WhatsApp auto-downloads, restricting file transfers, and strengthening endpoint and application controls.
Researchers link Water Saci malware to Casbaneiro/Metamorfo lineage
Analysis of the banking trojan and delivery chain found strong structural ties to the Casbaneiro/Metamorfo malware family. The malware was described as capable of credential theft, banking activity fingerprinting, registry-based persistence, process hollowing, and IMAP-based command-and-control updates.
Campaign evolves from PowerShell to Python-based propagation
Researchers reported that Water Saci updated its malware propagation from a PowerShell-based approach to a Python variant, improving browser compatibility, automation, and evasion. The change was assessed as likely aided by AI or large language model tooling used to convert and enhance the codebase.
Water Saci operates WhatsApp-based banking trojan campaign in Brazil
A threat campaign attributed to Water Saci targeted Brazilian banking and cryptocurrency users using WhatsApp as a self-propagating infection channel. The operation used layered payloads including HTA, ZIP, PDF, MSI, and AutoIt components to deliver a banking trojan with persistence, anti-analysis, and remote-control capabilities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Water Saci Campaign Uses LLMs to Convert Malware to Python, Spreads Banking Trojan Via WhatsApp Worm
securityonline.info
Open sourceAI Bolsters Python Variant of Brazilian WhatsApp Attacks
darkreading.com
Open sourceBrazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud
thehackernews.com
Open sourceUnraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
trendmicro.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Eternidade Stealer Banking Trojan Propagated via WhatsApp Worm in Brazil
Cybersecurity researchers have identified a new campaign targeting Brazilian users in which the Eternidade Stealer, a Delphi-based banking trojan, is distributed through a WhatsApp worm. The attack leverages social engineering and WhatsApp hijacking, with the threat actor deploying a Python script—marking a shift from previous PowerShell-based methods—to hijack WhatsApp Web sessions and spread malicious attachments. The campaign uses an obfuscated Visual Basic Script as the initial infection vector, which then drops a batch script responsible for delivering two payloads, including the Python-based worm. The malware utilizes the Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the attacker to update C2 infrastructure as needed. This activity is part of a broader trend in Brazil, where WhatsApp's ubiquity makes it a favored vector for distributing banking trojans and information stealers. The use of Delphi for malware development remains prevalent in Latin America due to its technical efficiency and regional familiarity. Researchers note that this campaign represents an evolution in tactics, building on previous attacks such as Water Saci, and highlights the increasing sophistication of social engineering and malware propagation techniques in the region's cybercrime ecosystem.
Mar 21, 2026
Surge in Advanced Python-Based Malware and Stealer Campaigns Targeting Multiple Platforms
A wave of sophisticated Python-based malware and stealer campaigns has been observed, leveraging advanced evasion techniques and targeting a wide range of platforms. Notable threats include a Python malware that hides within PNG-disguised RAR files and injects payloads into legitimate executables, as well as the Xillen Stealer v4, which employs polymorphic evasion to target over 100 browsers and 70 cryptocurrency wallets, including DevOps environments. Other campaigns involve the Eternidade Stealer, a Python WhatsApp worm using IMAP email for covert command and control and deploying overlays to target Brazilian banking users, and a multi-layer Python RAT distributed via PyPI typosquatting, which bypasses scanners using XOR encryption. Additionally, attackers are exploiting messaging platforms such as WhatsApp with sophisticated worms that hijack sessions and deploy banking trojans like Astaroth. Another campaign involves a trojanized VPN installer that delivers the NKNShell backdoor, utilizing P2P blockchain and MQTT protocols for covert C2 communications. These incidents highlight the increasing complexity and diversity of Python-based malware, the use of novel distribution and evasion tactics, and the growing risk to both individual users and enterprise environments across multiple vectors, including messaging apps, software supply chains, and browser extensions.
Mar 21, 2026
Self-Propagating SORVEPOTEL Malware Spreads via WhatsApp Targeting Brazilian Windows Users
A new malware campaign, identified as SORVEPOTEL, has been actively targeting Windows users in Brazil by exploiting the WhatsApp messaging platform as its primary infection vector. The campaign is engineered for rapid propagation rather than data theft or ransomware, focusing on widespread distribution through social engineering tactics. Attackers initiate the infection by sending convincing phishing messages from already compromised WhatsApp accounts, which increases the credibility of the malicious communication. These messages contain ZIP file attachments that masquerade as legitimate documents, such as receipts or health app files, and are specifically crafted to require opening on a desktop, indicating a focus on enterprise environments. Upon opening the ZIP file, victims are prompted to execute a Windows shortcut (LNK) file, which silently triggers the malware installation on the system. Once installed, SORVEPOTEL leverages active WhatsApp Web sessions to automatically send the same malicious ZIP file to all contacts and groups associated with the victim’s account, enabling rapid self-propagation. This automated spamming behavior often results in the infected WhatsApp accounts being banned due to excessive activity. Trend Micro telemetry indicates that out of 477 detected cases, 457 occurred in Brazil, highlighting a strong regional focus. The campaign has notably impacted government and public service organizations, but has also affected entities in manufacturing, technology, education, and construction sectors. While the primary goal appears to be mass distribution, there is concern that similar techniques have previously been used in Brazil to target financial data, raising the risk of future campaigns with more damaging objectives. Researchers have also observed that, in addition to WhatsApp, the attackers may use email as a secondary distribution channel, sending the same malicious ZIP files from seemingly legitimate email addresses. The use of social trust and automation in this campaign demonstrates a sophisticated approach to maximizing infection rates. There is currently no evidence that SORVEPOTEL exfiltrates data or encrypts files, but the potential for further exploitation remains. The campaign underscores the importance of user awareness regarding phishing tactics, especially those leveraging trusted communication platforms. Security teams are advised to monitor for suspicious WhatsApp Web activity and educate users about the risks of opening unsolicited attachments. The incident highlights the evolving threat landscape where messaging platforms are increasingly abused for malware propagation, particularly in regions with high platform adoption.
Mar 21, 2026