Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Scam

By user, December 3, 2025

Spreading banking Trojans via WhatsApp

The threat actor known as Water Saci is actively evolving its tactics, switching to sophisticated, highly layered infection chains that use HTML application (HTA) files and PDFs to propagate a worm that deploys a banking Trojan via WhatsApp in attacks targeting users in Brazil.

The latest wave is characterized by attackers moving from PowerShell to Python-based variants to spread malware on WhatsApp Web in a worm-like manner.

Trend Micro researchers Jeffrey Francis Bonabra, Sarah Pearl Camiling, Joe Soares, Byron Guerrera, Ian Kenefick, and Emmanuel Panopio said, “Their new multi-format attack chain and the potential use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python is a powerful tool for Water Saci. This is an example of the multi-layered approach that allowed Water Saci to circumvent traditional security controls, exploit user trust across multiple channels, and increase infection rates.”

In these attacks, users receive a message from a trusted contact on WhatsApp that prompts them to open a malicious PDF or HTA attachment, which activates an infection chain that ultimately drops a banking Trojan capable of collecting sensitive data. The PDF lure instructs victims to update Adobe Reader by clicking an embedded link.

Upon opening the HTA file, the user is tricked into running a Visual Basic script, which in turn runs a PowerShell command to retrieve the next-stage payloads from a remote server: an MSI installer for the Trojan and a Python script responsible for spreading the malware via WhatsApp Web.

“This newly identified variant enables broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery via WhatsApp Web,” Trend Micro said. “These changes allow for faster propagation, greater resilience to failure, and easier maintenance and expansion.”

The MSI installer serves as a conduit for delivering the banking Trojan using AutoIt scripts. The script also checks that only one instance of the Trojan is running at a given time by looking for a marker file named “executed.dat”. If it does not exist, the script creates the file and notifies the attacker-controlled server (“manoelimoveiscaioba[.]com”).

Other AutoIt artifacts discovered by Trend Micro go further by checking whether the Windows system language is set to Portuguese (Brazil), and only scan the infected system for banking-related activity if this condition is met. This includes checking folders related to major Brazilian banking applications such as Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú, as well as security and anti-fraud modules.


It is worth noting that Latin American (LATAM)-focused banking Trojans like Casbaneiro (also known as Metamorfo and Ponteiro) have incorporated similar functionality since 2019. Additionally, the script analyzes the user’s Google Chrome browsing history for visits to banking websites, using a hard-coded list consisting of Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.

The script then proceeds with further reconnaissance steps, including checking for installed antivirus and security software and gathering detailed system metadata. The main function of this malware is to monitor open windows, extract their titles, and compare them against a list of banks, payment platforms, exchanges, and crypto wallets.

If one of these window titles contains a keyword tied to an entity of interest, the script searches for the TDA file dropped by the installer, decrypts it, and injects it into a hollowed “svchost.exe” process. The loader then searches for additional DMP files containing the banking Trojan.

“If the TDA file is present, the AutoIt script decrypts it and loads it into memory as an intermediate PE loader (stage 2),” Trend Micro explained. “However, if only a DMP file is found (and no TDA is present), the AutoIt script completely bypasses the intermediate loader and loads the banking Trojan directly into the AutoIt process memory, skipping the process hollowing step and executing it as a simpler two-stage infection.”

Persistence is achieved by constantly monitoring newly spawned “svchost.exe” processes. Once that process exits, the malware launches anew and waits to reinject its payload the next time the victim opens a browser window of a financial service targeted by Water Saci.
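As an added example (not code from the article or from Trend Micro), the following Python sketches how a defender could flag the chain described above in Sysmon-style telemetry: the mshta-to-wscript-to-PowerShell parent chain, creation of the “executed.dat” marker file, and svchost.exe started by something other than services.exe. The event field names, process paths and file locations are assumptions made for the example.

```python
# Added example, not code from the article or Trend Micro: heuristic detection of
# the Water Saci chain (HTA -> VBScript -> PowerShell, the "executed.dat" marker
# file, svchost.exe hollowing) over Sysmon-style events. Field names, process
# paths and file locations are constructed for this example.
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process" (process creation) or "file" (file creation)
    image: str = ""    # created process image path
    parent: str = ""   # parent process image path
    target: str = ""   # created file path

# Parent -> child pairs matching the HTA -> VBScript -> PowerShell chain.
CHAIN_PAIRS = {("mshta.exe", "wscript.exe"), ("mshta.exe", "powershell.exe"),
               ("wscript.exe", "powershell.exe")}
# svchost.exe is normally started by services.exe; any other parent is suspicious
# and matches the AutoIt loader hollowing svchost.exe described above.
LEGIT_SVCHOST_PARENTS = {"services.exe"}
MARKER_FILE = "executed.dat"

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return human-readable findings for events matching the chain."""
    findings = []
    for e in events:
        if e.kind == "process":
            par, img = basename(e.parent), basename(e.image)
            if (par, img) in CHAIN_PAIRS:
                findings.append(f"HTA chain: {par} -> {img}")
            if img == "svchost.exe" and par not in LEGIT_SVCHOST_PARENTS:
                findings.append(f"svchost.exe spawned by {par} (possible hollowing)")
        elif e.kind == "file" and basename(e.target) == MARKER_FILE:
            findings.append(f"single-instance marker created: {e.target}")
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\mshta.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe"),
    Event("file", target=r"C:\Users\Public\executed.dat"),
    Event("process", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    Event("process", r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\autoit3.exe"),
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```

The legitimately spawned svchost.exe (parent services.exe) produces no finding, which keeps the rule usable on a busy host.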

The attack highlights a major change in tactics. The banking Trojan deployed is not Maverick, but malware that exhibits structural and operational continuity with Casbaneiro. This assessment is based on the AutoIt-based delivery and loader mechanisms employed, as well as window-title monitoring, registry-based persistence, and IMAP-based fallback command-and-control (C2) mechanisms.

Once launched, the Trojan performs “aggressive” anti-virtualization checks to evade analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. It modifies the registry to set up persistence and establishes a connection with the C2 server (“serversistemasatu[.]com”) to submit the collected details and receive backdoor commands that allow remote control over the infected system.

The Trojan scans the titles of active windows to determine whether the user is interacting with a banking or cryptocurrency platform, and can forcibly close multiple browsers, forcing victims to reopen banking sites under “attacker-controlled conditions.” Some of the features supported by this Trojan are listed below.

  • Send system information
  • Enable keyboard capture
  • Start/stop screen capture
  • Change screen resolution
  • Simulate mouse movements and clicks
  • Perform file operations
  • Upload/download files
  • Enumerate windows and create fake bank overlays to capture credentials and transaction data

The second component of this campaign is a Python script, an enhanced version of its PowerShell predecessor, that delivers the malware to all contacts via a WhatsApp Web session using the Selenium browser automation tool.

Given the functional similarities between the two versions and the inclusion of emojis in the console output, there is “compelling” evidence to suggest that Water Saci may have used large language models (LLMs) or code translation tools to port the propagation scripts from PowerShell to Python.

“The Water Saci campaign exemplifies a new era of cyberthreats in Brazil, where attackers exploit the credibility and reach of popular messaging platforms such as WhatsApp to orchestrate large-scale self-propagating malware campaigns,” Trend Micro said.

“By weaponizing familiar communication channels and employing sophisticated social engineering, attackers are able to quickly compromise victims, evade traditional defenses, and maintain persistent banking Trojan infections. This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware distribution and highlights the sophistication of cybercriminal activity in the region.”

Brazil targeted by new RelayNFC Android malware

The development comes as Brazilian bank users are also being targeted by a previously undocumented Android malware called RelayNFC, designed to perform near-field communication (NFC) relay attacks and siphon contactless payment data. The campaign has been running since early November 2025.

“RelayNFC implements a fully real-time APDU relay channel that allows attackers to complete transactions as if the victim’s card was physically present,” Cyble said in its analysis. “This malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection.”

The attack is primarily spread via phishing and uses decoy Portuguese-language sites (e.g., “maisseguraca[.]site”) to trick users into installing the malware under the pretext of protecting their payment cards. The ultimate goal of the campaign is to obtain the victim’s card details and pass them on to the attacker, who can then use the stolen data to perform fraudulent transactions.


Similar to other NFC relay malware families such as SuperCard X and PhantomCard, RelayNFC acts as a card reader, instructing victims to tap a payment card on their device. Once the card data is read, the malware prompts the victim for a 4-digit or 6-digit PIN. The captured information is sent to the attacker’s server through a WebSocket connection.

“When an attacker initiates a transaction from a POS emulator device, the C&C server sends a specially crafted message of the type ‘apdu’ to the infected phone,” Cyble said. “This message contains a unique request ID, a session ID, and an APDU command encoded as a hexadecimal string.”

“Upon receiving this instruction, RelayNFC parses the packet, extracts the APDU data, and forwards it directly to the victim device’s NFC subsystem, effectively acting as a remote interface to the physical payment card.”
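As an added example (not code from the article or from Cyble), this Python decodes messages of the shape described above so that a network or mobile-security monitoring point can recognise relayed EMV commands rather than opaque hex. The JSON key names and the sample message are assumptions, since the article names the fields but not their keys.

```python
# Added example, not code from the article or Cyble: decoding the relay
# messages the article describes (type "apdu" with a request ID, session ID
# and hex-encoded APDU) so a network or mobile-security monitor can flag
# relayed EMV commands. The JSON key names are assumed; the article does not
# give them, so map them to what you observe on the wire.
import binascii
import json

# EMV instruction bytes seen during a contactless transaction (ISO 7816 / EMV).
EMV_INS = {0xA4: "SELECT", 0xA8: "GET PROCESSING OPTIONS", 0xB2: "READ RECORD",
           0xAE: "GENERATE AC", 0xCA: "GET DATA"}

def parse_relay_message(raw: str):
    """Return a decoded view of an 'apdu' relay message, or None if it is not one."""
    try:
        msg = json.loads(raw)
        if msg.get("type") != "apdu":
            return None
        apdu = binascii.unhexlify(msg["apdu"])       # assumed key for the hex APDU
    except (AttributeError, KeyError, TypeError, ValueError):  # bad JSON or hex
        return None
    if len(apdu) < 4:                               # CLA INS P1 P2 minimum header
        return None
    cla, ins, p1, p2 = apdu[:4]
    return {
        "request_id": msg.get("request_id"),        # assumed key
        "session_id": msg.get("session_id"),        # assumed key
        "cla": cla, "ins": ins, "p1": p1, "p2": p2,
        "command": EMV_INS.get(ins, "UNKNOWN"),
        "length": len(apdu),
    }

def is_emv_relay(raw: str) -> bool:
    """True when the message carries a recognised EMV command to the card."""
    decoded = parse_relay_message(raw)
    return decoded is not None and decoded["command"] != "UNKNOWN"

# Constructed sample: SELECT of the PPSE ("2PAY.SYS.DDF01"), the first command a
# contactless terminal sends, wrapped in the assumed message format.
SAMPLE_SELECT_PPSE = json.dumps({
    "type": "apdu", "request_id": "req-1", "session_id": "sess-1",
    "apdu": "00A404000E325041592E5359532E444446303100",
})

if __name__ == "__main__":
    print(parse_relay_message(SAMPLE_SELECT_PPSE))
```

A sequence of SELECT, GET PROCESSING OPTIONS and READ RECORD messages with the same session ID arriving over a WebSocket to a non-banking app is the pattern the article describes, and is what the session ID field lets a monitor correlate.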

The cybersecurity firm said its investigation also uncovered another phishing site (“test.ikotech[.]online”) distributing APK files that partially implement Host Card Emulation (HCE), indicating that the threat actors are experimenting with various NFC relay techniques.

Because HCE allows Android devices to emulate payment cards, this mechanism would allow a victim’s card interactions to be relayed between a legitimate point-of-sale (PoS) terminal and an attacker-controlled device, facilitating real-time NFC relay attacks. This feature is assessed as still under development because the APK file does not register the HCE service in its package manifest.

“The RelayNFC campaign highlights the rapid evolution of NFC relay malware specifically targeting payment systems in Brazil,” the company said. “By combining phishing-driven distribution, React Native-based obfuscation, and real-time APDU relaying over WebSockets, attackers have created a highly effective mechanism for remote EMV transaction fraud.”
