Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
In September 2022, Coyote emerged in Latin America through phishing campaigns, cleverly masking malicious ZIP archives as resume submissions. The infection chain followed a ZIP archive containing a LNK file, which executed an MSI installer, eventually dropping a DLL payload to establish remote access. By June 2023, Coyote shifted tactics, deploying the Squirrel ecosystem at the initial attack stage and distributing malware via spearphishing links rather than attachments. The use of NuGet packages in its second stage showcased an adaptable attack structure.
A major development appeared in February 2025, as Coyote expanded its propagation methods to include WhatsApp Web: an unusual vector for banking Trojans in the region at the time. Through automation of active WhatsApp sessions, the malware mass-delivered ZIP files to contacts. Code obfuscation leveraged Donut tooling, and malicious browser extensions began monitoring user activity in both Brave and Chrome browsers.
In September 2025, a self-propagating campaign surfaced that Trend Research identified as Water Saci, using the malware SORVEPOTEL. The campaign was characterized by malicious ZIP files such as “RES-20250930_112057.zip”. The attack now used a modular architecture, delivering distinct payloads for WhatsApp hijacking and .NET-based infostealer functionality. Notably, it featured sophisticated overlay windows that closely mimicked banking interfaces, dynamically adapting to extract sensitive credentials.
By October 2025, Trend Research found that the payload delivery techniques evolved further, relying on Visual Basic Script and PowerShell-based loaders instead of .NET binaries. This script-driven approach facilitated continued propagation and evasion of traditional security controls.
| Aspect | Coyote | SORVEPOTEL (September 2025) | SORVEPOTEL (October 2025) |
| --- | --- | --- | --- |
| Primary Infection Vector | Phishing emails (ZIP w/ LNK/MSI) and later, direct malicious links | Self-propagation via hijacked WhatsApp Web sessions, delivering ZIP files with LNK downloader | Self-propagation via hijacked WhatsApp Web sessions, delivering ZIP files with VBS downloader |
| Execution Chain | Abuse of Squirrel installer and NodeJS; use of advanced Nim and Donut-based loaders | Multi-stage PowerShell chain with reflective DLL loading and shellcode injection | PowerShell script via fileless execution |
| Persistence Methods | Registry keys: UserInitMprLogonScript and Software\Microsoft\Windows\CurrentVersion\Run | BAT script in Startup, registry modifications for autorun | Registry and scheduled task creation (WinManagers.vbs in ProgramData) |
| Evasion | DLL side-loading, binary padding/obfuscation, XOR encryption, sandbox and anti-analysis, captcha | Locale/region check, anti-debugging, detection of analysis tools, typosquatting domains | Language check (Portuguese), debugger detection (OllyDbg, IDA, x32/x64dbg, etc.), self-deletion |
| Payload Architecture | Monolithic .NET banking trojan with all functions integrated into a single payload | Modular design with two distinct payloads: a dedicated WhatsApp Propagation Module and a separate Banking Trojan Module | Full-featured backdoor that uses IMAP for C&C URL retrieval, has persistent polling (propagation pause/resume), detailed stat reporting, botnet capabilities |
| Banking Trojan Functionality | Monitors browser windows, keylogging, screen capture, and deploys fake overlay windows for credential theft | Geolocation checks, advanced browser monitoring, and deploys highly sophisticated and interactive overlay windows with transparency effects | No banking trojan functionality |
Table 2. A matrix that shows the similarities and evolution of Coyote and the SORVEPOTEL malware identified in the Water Saci campaign
Attackers who once relied on noisy, file-based banking Trojans have quietly moved toward low-artifact, browser-state abuse, and WhatsApp Web became the preferred delivery highway. The evolution can be read as three distinct waves: a noisy compiled-trojan phase, a hybrid automation phase with browser tooling, and a current script-first phase that weaponizes live WhatsApp sessions.
First Wave: Compiled Banking Trojan
Attackers initiated campaigns with phishing emails delivering ZIP archives containing LNK or EXE files. Execution chains typically involved LNK files launching PowerShell stagers, which deployed compiled .NET banking Trojan payloads. These Trojans utilized Donut-style in-memory loaders and DLL side-loading to inject malicious code into legitimate processes. Persistence was established through registry autorun entries and modifications to system startup folders. Evasion techniques included binary padding, obfuscation, and basic sandbox or anti-analysis checks.
Second Wave: Automation & Browser Tooling
Subsequent campaigns integrated automation, blending phishing with widespread distribution via web and messaging platforms. Delivered ZIP/LNK files triggered PowerShell or BAT scripts that launched .NET payloads incorporating browser automation frameworks like ChromeDriver and Selenium. Additional persistence mechanisms featured BAT scripts in startup folders and registry alterations. Attack chains added locale or region checking, anti-debugging routines, and typosquatting domains. Malware capabilities expanded to session hijacking, keylogging, automated account takeover, and dynamic phishing overlays, often mimicking legitimate user behaviors.
Third Wave: Script-Based Attack
Recent attacks leverage fileless chains via WhatsApp-distributed ZIPs containing obfuscated VBS scripts that run PowerShell payloads in memory. The malware installs browser automation, injects WA-JS into active sessions, and hijacks Chrome profiles to harvest contacts and spread malicious ZIPs. Persistence relies on WMI mutexes, scheduled tasks, ProgramData scripts, and registry changes. Evasion includes language checks, anti-debugging, self-deletion, and automation flags. C2 uses HTTP polling and IMAP/email fallback, enabling resilient communications and telemetry. Payloads provide full backdoor access and automated, personalized propagation.
These evolving attack waves illustrate the rapid innovation and increasing sophistication of the malware targeting Brazil’s financial and messaging platforms. While the Water Saci and Coyote campaigns share notable technical overlaps and approaches that strongly suggest the two are linked, it remains to be seen whether they are definitively operated by the same threat actor. Ongoing monitoring and analysis are essential as attackers adapt their methods, and Trend Research continues to investigate these connections for a deeper understanding of the threat landscape.
Conclusion
Trend Research’s continuous monitoring of Water Saci’s active campaign shows that the threat actors behind it are aggressive in both the volume and the sophistication of their attacks. While the initial investigation of the Water Saci campaign showed how quickly the malware self-propagates, the new attack chain demonstrates a significant evolution in adversarial capabilities.
Our analysis shows that threat actors behind Water Saci leverage an email-based C&C infrastructure utilizing IMAP connections to terra[.]com[.]br accounts, rather than traditional HTTP-based communication channels. This methodology, coupled with a multi-vector persistence strategy, ensures the malware’s resilience across system reboots and diverse user environments.
The attack chain also includes checks that evade detection and analysis and restrict execution to designated targets, further enhancing operational stealth. The malware also lets attackers collect detailed campaign statistics, providing actionable intelligence on success rates, victim profiles, and targeted outreach. This potentially enables the threat actors to plan more strategically and measure performance.
Most notably, the remote C&C system offers advanced control, permitting threat actors to pause, resume, and oversee the campaign in real time, effectively transforming the infected endpoints into a coordinated botnet for dynamic operations.
Apart from the sophisticated tactics and techniques employed by the attackers, the success of this campaign in Brazil can also be attributed to the high adoption of the instant messaging platform leveraged by the cybercriminals in the country. It is critical that companies follow defense recommendations to secure their enterprises and enhance their detection capabilities to proactively mitigate such sophisticated threats.
Trend Research also recommends that enterprises review their policies and educate employees to prevent being victimized by banking Trojans that rely on social engineering to propagate.
The abuse of the instant messaging platform by a campaign with the modular architecture revealed in the Water Saci investigation suggests a high likelihood of additional payloads being used and propagated. Constant vigilance is imperative for enterprises to stay on top of these evolving threats.
Defense recommendations
To minimize the risks associated with the Water Saci campaign, Trend recommends several practical initial defense items:
- Disable Auto-Downloads on WhatsApp. Turn off automatic downloads of media and documents in WhatsApp settings to reduce accidental exposure to malicious files.
- Control File Transfers on Personal Apps. Use endpoint security or firewall policies to block or restrict file transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed devices. If your organization supports BYOD, enforce strict app whitelisting or containerization to protect sensitive environments.
- Enhance User Awareness. The victimology of the Water Saci campaign suggests that attackers are targeting enterprises. Organizations are recommended to provide regular security training to help employees recognize the dangers of downloading files via messaging platforms. Advise users to avoid clicking on unexpected attachments or suspicious links, even when they come from known contacts, and promote the use of secure, approved channels for transferring business documents.
- Enhance Email and Communication Security Controls. Restrict access to personal email and messaging apps on corporate devices. Use web and email gateways with URL filtering to block known malicious C2 and phishing domains.
- Enforce Multi-Factor Authentication (MFA) and Session Hygiene. Require MFA for all cloud and web services to prevent session hijacking. Advise users to log out after using messaging apps and regularly clear browser cookies and tokens.
- Deploy Advanced Endpoint Security Solutions. Use Trend Micro endpoint security platforms (such as Apex One or Vision One) to detect and block suspicious script-based attacks, fileless malware, and automation abuse. Enable behavioral monitoring to catch unauthorized VBS/PowerShell execution, browser profile alterations, and lateral movement attempts related to WhatsApp and similar threats.
Implementing these recommendations will help organizations and individuals better defend against malware threats delivered through messaging applications.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.
The following sections contain Trend Vision One insights, reports, and queries mentioned in the previous blog with additional information from this report.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
- Detect suspicious ZIP file creation that matches WhatsApp-related campaign names (Orcamento*.zip, Bin.zip) and deployment of VBS files for persistence.
- eventSubId:101 AND (objectFilePath:Orcamento.zip OR objectFilePath:*Bin.zip OR objectFilePath:*WinManagers.vbs)
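As an added example (not code from the Trend Research post), the following Python script applies the Search App query above to constructed endpoint telemetry and extends it with the persistence and C&C traits listed in the Coyote/SORVEPOTEL comparison table: Run and UserInitMprLogonScript registry writes, scheduled-task creation, VBS/BAT drops in ProgramData or the Startup folder, and IMAP sessions to terra.com.br that originate from script hosts such as PowerShell and wscript. The fields eventSubId and objectFilePath and the filename patterns come from the post; every other field name, the list of script hosts and the sample events are assumptions constructed for illustration.

```python
"""Hunt for Water Saci-style artefacts in constructed endpoint telemetry."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch

FILE_CREATE = 101  # eventSubId the post's query uses for file-creation events

# Filename patterns from the post's query and its description (Orcamento*.zip,
# Bin.zip, WinManagers.vbs), matched case-insensitively on the basename.
DROP_PATTERNS = ("orcamento*.zip", "bin.zip", "winmanagers.vbs")

# Persistence locations named in the post's comparison table (full-path match).
AUTORUN_KEY_PATTERNS = (
    "*\\software\\microsoft\\windows\\currentversion\\run\\*",
    "*\\userinitmprlogonscript",
)
PROGRAMDATA_VBS = "c:\\programdata\\*.vbs"
STARTUP_BAT = "*\\start menu\\programs\\startup\\*.bat"

# Assumed set of script hosts the post's recommendations single out for monitoring.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
IMAP_PORTS = {143, 993}
C2_MAIL_DOMAIN = "terra.com.br"  # the post's terra[.]com[.]br, re-fanged for matching


@dataclass
class Finding:
    rule: str
    event: dict


def basename(path: str) -> str:
    """Last path component, lower-cased, for both backslash and slash separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_any(value: str, patterns) -> bool:
    v = value.lower()
    return any(fnmatch(v, p) for p in patterns)


def classify(ev: dict) -> str | None:
    """Return the name of the rule an event trips, or None if it is benign."""
    proc = ev.get("processName", "").lower()
    kind = ev.get("type")
    if kind == "file":
        if ev.get("eventSubId") != FILE_CREATE:  # only creations, as in the post's query
            return None
        path = ev.get("objectFilePath", "")
        if match_any(basename(path), DROP_PATTERNS):
            return "campaign_zip_or_vbs_created"
        if proc in SCRIPT_HOSTS and match_any(path, (PROGRAMDATA_VBS, STARTUP_BAT)):
            return "script_persistence_file"
        return None
    if kind == "registry":
        if proc in SCRIPT_HOSTS and match_any(ev.get("registryKey", ""), AUTORUN_KEY_PATTERNS):
            return "autorun_key_set_by_script_host"
        return None
    if kind == "scheduled_task" and proc in SCRIPT_HOSTS:
        return "scheduled_task_by_script_host"
    if kind == "network":
        if (proc in SCRIPT_HOSTS and ev.get("dstPort") in IMAP_PORTS
                and ev.get("dstHost", "").lower().endswith(C2_MAIL_DOMAIN)):
            return "imap_session_from_script_host"
    return None


def hunt(events: list[dict]) -> list[Finding]:
    return [Finding(rule, ev) for ev in events if (rule := classify(ev))]


# Constructed sample telemetry (not real victim data); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "file", "eventSubId": 101, "processName": "chrome.exe",
     "objectFilePath": r"C:\Users\ana\Downloads\Orcamento-20251001.zip"},
    {"type": "file", "eventSubId": 101, "processName": "powershell.exe",
     "objectFilePath": r"C:\ProgramData\WinManagers.vbs"},
    {"type": "file", "eventSubId": 101, "processName": "wscript.exe",
     "objectFilePath": r"C:\ProgramData\updater.vbs"},
    {"type": "file", "eventSubId": 102, "processName": "explorer.exe",  # not a creation
     "objectFilePath": r"C:\Users\ana\Downloads\Bin.zip"},
    {"type": "file", "eventSubId": 101, "processName": "winword.exe",
     "objectFilePath": r"C:\Users\ana\Documents\report.docx"},
    {"type": "registry", "processName": "powershell.exe",
     "registryKey": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinManagers"},
    {"type": "registry", "processName": "msiexec.exe",  # installer writing Run is expected
     "registryKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"},
    {"type": "scheduled_task", "processName": "powershell.exe", "taskName": "WinManagers"},
    {"type": "network", "processName": "powershell.exe", "dstHost": "imap.terra.com.br", "dstPort": 993},
    {"type": "network", "processName": "outlook.exe", "dstHost": "imap.terra.com.br", "dstPort": 993},
]


def run_sample() -> list[str]:
    return [f.rule for f in hunt(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.event.get('processName')}  {f.event}")
```

The eventSubId filter matters: the same Bin.zip path on a non-creation event is ignored, exactly as the post's query ignores it. Process context is what keeps the extended rules quiet on a normal host: an installer writing a Run key or a mail client opening IMAP produces no finding, while the same actions from a script host do.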
Indicators of Compromise (IoCs)
Indicators of Compromise can be found here.
