Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

Oct. 27, 2025, 4:54 p.m.

Description

The Water Saci campaign has evolved and now uses an email-based command-and-control (C&C) infrastructure and multi-vector persistence for resilience. The new attack chain relies on script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote-control capabilities that allow real-time management of infected machines as a coordinated botnet. The malware implements extensive anti-analysis measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the Coyote banking trojan, suggesting possible links within the Brazilian cybercriminal ecosystem.

Date

  • Created: Oct. 27, 2025, 3:20 p.m.
  • Published: Oct. 27, 2025, 3:20 p.m.
  • Modified: Oct. 27, 2025, 4:54 p.m.

Indicators


Attack Patterns

Additional Information

  • Finance
  • Brazil