Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

The Water Saci campaign has evolved, now utilizing an email-based command and control infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote control capabilities, allowing real-time management of infected machines as a coordinated botnet. The malware implements extensive anti-analysis measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the Coyote banking trojan, suggesting possible links within the Brazilian cybercriminal ecosystem.

Pulse ID: 68ff8dd035041c4143f2889b
Pulse Link: https://otx.alienvault.com/pulse/68ff8dd035041c4143f2889b
Pulse Author: AlienVault
Created: 2025-10-27 15:20:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #Brazil #CandC #Coyote #CyberSecurity #Email #HTTP #InfoSec #Mac #Malware #OTX #OpenThreatExchange #PowerShell #Trojan #VBS #WhatsApp #bot #botnet #AlienVault