Water Saci is a fast-moving, financially motivated malware campaign that targets Brazilian users through WhatsApp and WhatsApp Web. It delivers the SORVEPOTEL backdoor through multi-stage scripted loaders and uses it to steal banking credentials and cryptocurrency-related data. Lures arrive as files sent over WhatsApp and disguised as invoices, receipts or routine business correspondence. Once running, the malware profiles the host, injects code into legitimate Windows processes, and spreads worm-style by hijacking the victim's WhatsApp Web session to message their contacts. The latest wave differs markedly from the October attacks: the MSI and PowerShell loaders have been replaced with harder-to-detect Python-based delivery. Taken together, Water Saci is an adaptive banking trojan that pairs social engineering with stealth and automated credential theft aimed at Brazil's finance and banking sector.
Water Saci is a financially motivated operation that primarily targets users in Brazil over WhatsApp and WhatsApp Web. Infection begins when a victim receives a ZIP archive, PDF document or HTA file posing as a legitimate invoice, receipt or business message. Opening it starts a multi-stage script chain that downloads further components and installs SORVEPOTEL, a banking trojan built to harvest financial information and maintain persistent remote access to the infected Windows host. The lures and targeting are tailored to Brazilian finance, banking and cryptocurrency users.
The attack chain stands out for its multi-format delivery and heavy obfuscation. The loaders are layered scripts that run as an HTA, then a script, then a downloader, then an automation loader, a sequence chosen so that no easily scanned executable is dropped to disk and detection is harder. Before acting, SORVEPOTEL profiles the host: it looks for signs of banking activity, browser history and installed security products. When it detects sensitive financial activity, it injects into legitimate Windows processes to hide its presence and to intercept credentials, session data and transaction details from Brazilian banking platforms.
The most dangerous trait of Water Saci is worm-like propagation across WhatsApp. After infection, the malware hijacks the victim's WhatsApp Web session and automatically forwards the same malicious file to every contact and group in the victim's lists, so each lure arrives from a trusted sender and spreads quickly through social and business networks. Anti-sandbox checks and stealthy persistence mechanisms in SORVEPOTEL make the campaign both fast-moving and hard to analyze in controlled environments.
Compared with the October wave, the current campaign shows clear technical evolution. Earlier attacks relied mainly on MSI installers and PowerShell-based loaders, a fairly conventional chain that security products detect readily. The current wave replaces them with Python-based scripts, a wider range of file formats including HTA, more automation and heavier obfuscation. The speed of this change suggests rapid development by the operators, possibly assisted by automated code-conversion tooling or AI, and yields a more flexible, evasive and scalable infection method.
Water Saci is a modern hybrid banking trojan operation that combines social engineering, automation and stealth. By abusing a widely trusted messaging platform, hiding malicious activity behind multi-stage scripting and retooling between waves, the operators keep refining an effective financial-theft ecosystem. SORVEPOTEL's targeting of Brazilian banking systems, cryptocurrency platforms and financial institutions, together with the campaign's pace of change and its use of a trusted communication channel, makes it a persistent threat to the Brazilian finance and banking sector.
Strengthen User Awareness and Training: Warn users to treat any file received over WhatsApp or WhatsApp Web with suspicion, even when it appears to come from a known contact, because the worm sends its lures from hijacked accounts. Unexpected ZIP archives, PDFs, HTA files, LNK shortcuts or other attachments should not be opened without verification. Ask staff to confirm suspicious WhatsApp messages through a second channel such as a phone call, SMS or email before opening anything.
Implement Stricter Controls on Script Execution: Where possible, restrict or disable HTA, VBS, PowerShell and Python execution for ordinary users, since every stage of the Water Saci chain is a script. Enforce PowerShell Constrained Language Mode through an AppLocker or Windows Defender Application Control policy rather than through an environment variable, which a local user can simply unset, and block high-risk file types (ZIP, ISO, HTA, MSI) at the endpoint and at email and web gateways. Because the lure arrives over WhatsApp rather than email, the endpoint controls matter more than the mail gateway here. Application allowlisting with AppLocker or WDAC limits unauthorized scripts and prevents the SORVEPOTEL payload from running.
Harden Endpoints and Browsers: Keep Windows fully patched and run reputable EDR or next-generation antivirus. Alert on or block the behaviors this chain exhibits: process hollowing, script interpreters spawning further scripts, and non-browser processes making outbound network calls. Configure browsers to block unauthorized extensions, and after any suspected exposure clear session cookies, log out of WhatsApp Web and review the account's linked devices so a hijacked session cannot keep sending messages.
Monitor Messaging Platforms and Automate Detection: Watch WhatsApp Web use in the corporate environment, especially bursts of outbound ZIP or PDF uploads, which is how the worm propagates. Alert on unusual automation patterns such as browser-automation tooling or repetitive outbound messaging. Where feasible, confine messaging applications to sandboxed browser profiles or dedicated virtual containers so a compromise cannot reach the host or its other sessions.
Protect Financial Transactions and Sensitive Accounts: Require two-factor authentication or hardware tokens for banking systems and internal financial platforms. Have finance users and other high-privilege staff work from hardened, dedicated workstations. Monitor for access to Brazilian banking or finance sites initiated from unusual or newly installed processes, which may indicate SORVEPOTEL activity.
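The burst monitoring described in the messaging-platform recommendation can be expressed as a small sliding-window rule. The Python below is an added example written for this page, not tooling from the original write-up or from any vendor. It assumes endpoint DLP or browser telemetry that records, per upload, the timestamp, user, destination host, filename and size (a constructed CSV format here), and the hostnames in WA_HOSTS are placeholders for whatever your telemetry actually attributes to WhatsApp Web. It flags a user who pushes several risky attachments to WhatsApp Web within a few minutes and reports how often the identical file recurred, which is the worm's signature.

```python
"""Detect worm-style WhatsApp Web propagation in outbound upload telemetry.

Added example for this page, not code from the original write-up or from
the campaign. The log format is a constructed, simplified DLP/browser export:
    epoch,user,destination_host,uploaded_filename,size_bytes
The hostnames in WA_HOSTS are an assumption; substitute whatever your
telemetry attributes to WhatsApp Web media uploads.
"""
from collections import defaultdict, deque

# Attachment types the write-up names as lures, plus ISO/MSI from the blocklist advice.
RISKY_EXT = {".zip", ".pdf", ".hta", ".lnk", ".iso", ".msi"}
WA_HOSTS = {"web.whatsapp.com", "mmg.whatsapp.net"}  # assumed upload hosts


def parse_line(line):
    """Split one constructed CSV record into typed fields."""
    ts, user, host, fname, size = line.strip().split(",")
    return int(ts), user, host.lower(), fname, int(size)


def detect_bursts(lines, window=300, min_uploads=5):
    """Sliding-window count of risky uploads to WhatsApp Web per user.

    A user who pushes >= min_uploads risky attachments within `window`
    seconds is flagged. The alert also records how often the single most
    frequent (filename, size) pair recurred, since the worm forwards the
    identical file to every contact and group.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # user -> deque of (ts, (fname, size))
    alerts = {}
    for ts, user, host, fname, size in events:
        if host not in WA_HOSTS:
            continue                      # uploads elsewhere are out of scope
        dot = fname.rfind(".")
        if dot < 0 or fname[dot:].lower() not in RISKY_EXT:
            continue                      # photos etc. are normal WhatsApp traffic
        q = recent[user]
        q.append((ts, (fname, size)))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= min_uploads:
            counts = defaultdict(int)
            for _, key in q:
                counts[key] += 1
            (top_name, top_size), top_n = max(counts.items(), key=lambda kv: kv[1])
            alerts[user] = {
                "uploads": len(q),
                "repeated_file": top_name,
                "repeated_size": top_size,
                "repeats": top_n,
                "window_end": ts,
            }
    return alerts


# Constructed sample telemetry: alice is normal, carol shares photos, bob is the infected host.
SAMPLE_LOG = [
    "2000,alice,web.whatsapp.com,contrato.pdf,80211",
    "2600,alice,web.whatsapp.com,recibo.pdf,40100",
] + [f"{3000 + 10 * i},alice,drive.example.com,backup{i}.zip,900000" for i in range(6)] \
  + [f"{4000 + 5 * i},carol,web.whatsapp.com,IMG_{i}.jpg,150000" for i in range(6)] \
  + [f"{1000 + 5 * i},bob,web.whatsapp.com,NF-e_20251104.zip,54321" for i in range(8)]

if __name__ == "__main__":
    for user, a in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {a['uploads']} risky uploads in {a['window_end']}s window, "
              f"'{a['repeated_file']}' sent {a['repeats']}x")
```

Run directly, the constructed infected host is flagged while the ordinary user and the photo-sharing user are not. Tune window and min_uploads to your environment; five risky uploads in five minutes is a starting point, not a calibrated threshold.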
SHA256 Hashes: 12f2e7e997480a3ea3150614664d6de4e6e229dacd6e8ff0ed74cd22207e753d, 15e8f315901ea12639665f1adb9d18a9ace1074a33d70e47ad43203eb8ebfba4, 2d95769a016b397333ba90fdc2f668f883c64774a2c0aaaf6b2d942bebaee9e0, 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3, 5db59a8a8c2ca54615a6079fa9035d2886c1ec2270ee508efbb0ff98c98b90be, and numerous additional file hashes associated with Water Saci malware campaign samples.
SHA1 Hash: a1c88a022e55d73a2894ddfb8b7bf5381d9f13dd
MD5 Hash: 5bcb9f187320893d1b1c36fa0c18e094
Domains: centrogauchodabahia123[.]com, storeshomeestusfluworkss[.]online
URLs: hxxp[:]//centrogauchodabahia123[.]com/altor/installer[.]msi, hxxp[:]//centrogauchodabahia123[.]com/altor/whatsz[.]py
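To act on the indicators above they must first be refanged (hxxp, [:], [.]) and then compared against telemetry. The Python below is an added example for this page, not code from the original write-up: IOC_TEXT copies the indicator lines as they appear above, and the proxy, DNS and EDR samples are constructed for the demonstration, with their line formats being assumptions (only the first hash in EDR_HASHES, taken from the SHA256 list, is a real indicator). It also handles the SHA1 and MD5 lines and matches subdomains of the listed domains.

```python
"""Refang the defanged indicators listed above and sweep telemetry for them.

Added example for this page, not code from the original write-up. IOC_TEXT
copies the indicator lines from the page; the proxy, DNS and EDR samples
below are constructed for the demo (only the first EDR hash, taken from the
SHA256 list, is a real indicator).
"""
import re

IOC_TEXT = """
SHA256 Hashes: 12f2e7e997480a3ea3150614664d6de4e6e229dacd6e8ff0ed74cd22207e753d, 15e8f315901ea12639665f1adb9d18a9ace1074a33d70e47ad43203eb8ebfba4, 2d95769a016b397333ba90fdc2f668f883c64774a2c0aaaf6b2d942bebaee9e0, 495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3, 5db59a8a8c2ca54615a6079fa9035d2886c1ec2270ee508efbb0ff98c98b90be, and numerous additional file hashes associated with Water Saci malware campaign samples.
SHA1 Hash: a1c88a022e55d73a2894ddfb8b7bf5381d9f13dd
MD5 Hash: 5bcb9f187320893d1b1c36fa0c18e094
Domains: centrogauchodabahia123[.]com, storeshomeestusfluworkss[.]online
URLs: hxxp[:]//centrogauchodabahia123[.]com/altor/installer[.]msi, hxxp[:]//centrogauchodabahia123[.]com/altor/whatsz[.]py
"""

HASH_LEN = {"sha256": 64, "sha1": 40, "md5": 32}


def refang(s):
    """Undo common defanging so indicators compare equal to live telemetry."""
    s = re.sub(r"^hxxp", "http", s.strip(), flags=re.IGNORECASE)
    for a, b in (("[:]//", "://"), ("[.]", "."), ("(.)", "."), ("\\.", ".")):
        s = s.replace(a, b)
    return s.lower()


def parse_iocs(text):
    """Turn 'Label: a, b, c' lines into sets keyed by indicator type."""
    iocs = {k: set() for k in list(HASH_LEN) + ["domain", "url"]}
    for line in text.splitlines():
        label, sep, rest = line.partition(":")
        if not sep:
            continue
        key = label.strip().lower()
        items = [refang(x) for x in rest.split(",") if x.strip()]
        for algo, n in HASH_LEN.items():
            if key.startswith(algo):
                # drops trailing prose such as "and numerous additional file hashes ..."
                iocs[algo].update(h for h in items if re.fullmatch(rf"[0-9a-f]{{{n}}}", h))
                break
        else:
            if key.startswith("domain"):
                iocs["domain"].update(items)
            elif key.startswith("url"):
                iocs["url"].update(items)
    return iocs


def host_matches(host, domains):
    """Exact or subdomain match, tolerant of a trailing DNS dot."""
    host = host.lower().rstrip(".")
    return host in domains or any(host.endswith("." + d) for d in domains)


def sweep(iocs, proxy_lines, dns_lines, edr_hashes):
    """Return (indicator_type, indicator, evidence) for every hit, in input order."""
    hits = []
    for line in proxy_lines:            # constructed: "<epoch> <user> <method> <url>"
        url = line.split()[-1].lower()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0]
        if url in iocs["url"]:
            hits.append(("url", url, line))
        elif host_matches(host, iocs["domain"]):
            hits.append(("domain", host, line))
    for line in dns_lines:              # constructed: "<epoch> <client> <qtype> <qname>"
        qname = line.split()[-1]
        if host_matches(qname, iocs["domain"]):
            hits.append(("dns", qname.lower().rstrip("."), line))
    for h in edr_hashes:                # constructed: hashes an EDR reported for new files
        h = h.lower()
        for algo, n in HASH_LEN.items():
            if len(h) == n and h in iocs[algo]:
                hits.append((algo, h, h))
    return hits


PROXY_LOG = [
    "1730700000 bob GET http://centrogauchodabahia123.com/altor/whatsz.py",
    "1730700005 bob GET http://centrogauchodabahia123.com/altor/outro.msi",
    "1730700010 alice GET https://web.whatsapp.com/",
]
DNS_LOG = [
    "1730699990 10.0.0.12 A storeshomeestusfluworkss.online.",
    "1730699995 10.0.0.20 A web.whatsapp.com.",
]
EDR_HASHES = [
    "12f2e7e997480a3ea3150614664d6de4e6e229dacd6e8ff0ed74cd22207e753d",  # from the page's list
    "0" * 64,                                                            # constructed, benign
]

if __name__ == "__main__":
    for kind, ioc, evidence in sweep(parse_iocs(IOC_TEXT), PROXY_LOG, DNS_LOG, EDR_HASHES):
        print(f"{kind:7} {ioc}  <-  {evidence}")
```

The second proxy line shows why domain matching matters alongside exact URLs: a new path under a known C2 host is still a hit even though the URL itself is not on the list.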
Mapped to MITRE ATT&CK, the Water Saci campaign spans the full attack lifecycle:
Resource Development: Obtain Capabilities: Artificial Intelligence (T1588.007)
Initial Access: Phishing: Spearphishing Attachment (T1566.001)
Execution: Command and Scripting Interpreter: Visual Basic (T1059.005), PowerShell (T1059.001), Python (T1059.006), AutoHotKey & AutoIT (T1059.010)
Persistence: Boot or Logon Autostart Execution (T1547), Registry Run Keys / Startup Folder (T1547.001)
Defense Evasion: Reflective Code Loading (T1620), Process Injection (T1055), Process Hollowing (T1055.012), Masquerading (T1036), Obfuscated Files or Information (T1027), Virtualization/Sandbox Evasion (T1497)
Discovery: System Information Discovery (T1082), Browser Information Discovery (T1217, formerly Browser Bookmark Discovery), System Language Discovery (T1614.001), Security Software Discovery (T1518.001)
Collection: Input Capture (T1056), Web Portal Capture (T1056.003), Screen Capture (T1113)
Lateral Movement (TA0008): worm-style propagation through hijacked WhatsApp Web sessions
Command and Control: Application Layer Protocol (T1071), Encrypted Channel (T1573)
Exfiltration: Exfiltration Over C2 Channel (T1041)