216.73.217.22

Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

· Published 27/10/2025 15:20 · Modified 27/10/2025 16:54

Export JSON

Essential information

Published
27/10/2025 15:20
Modified
27/10/2025 16:54
Tags
2025-10-27 anti-analysis banking trojan coyote sorvepotel vbs
Related entities
37 observables, 1 intrusion sets (apt), 18 techniques (mitre), 2 malware, 2 others

Description

The Water Saci campaign has evolved, now utilizing an email-based command and control infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote control capabilities, allowing real-time management of infected machines as a coordinated botnet. The malware implements extensive measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the , suggesting possible links within the Brazilian cybercriminal ecosystem.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (37)

  • https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true
  • https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true
  • http://saborizerefeicoes34.online/
  • http://motopartshonda.shop/
  • http://motopartshonda.site/
  • http://miportuarios.com/sisti/api.ps1
  • http://casadoconector.online/
  • http://aspeimoveis342235.online/
  • http://albacosmeticos.online/
  • http://saborizerefeicoes34.site/
  • http://albacosmeticos.shop/
  • wbdiamonds.com
  • vinhomeshungyentheempires.com
  • saborizerefeicoes34.site
  • saborizerefeicoes34.online
  • ricardasphotography.com
  • motopartshonda.site
  • motopartshonda.shop
  • mazdafinancialsevrices.com
  • miportuarios.com
  • lefthandsuperstructures.com
  • jornalistaaurelianoborgesmidia.com
  • intelligentopennetworkingawards.com
  • cursosgratiss.com.br
  • casadoconector.online
  • clhttradinglimited.com
  • aspeimoveis342235.online
  • albacosmeticos.online
  • albacosmeticos.shop
  • adoblesecuryt.com
  • fe10ce5fede53d88f8d06fbf533e1d9416b1c423c556915313fe52e9fa70dcec
  • b05f07e5709dc25ec544ff64dabf54682f15cc2d34d2367102a096232fb3822a
  • 536864994d1916fe45824abf0276796284c3d36c0dd98c62d5a55892623a5de0
  • 3ff9c9cc7cc65bef73bf75d222b8ba56728aeb4fc5e8882e82a4fab970dbe1c6
  • 341252a437e7535f9ea8707e41f0ff2a775eddb16190eeb9f0c0f524214e4f3d
  • 2c0dff7f8f724476dffd07b0f51ceaae9600073e927d3694d167664eec194b4d
  • 1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645

Intrusion sets (APT) (1)

  • Water Saci
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:54 · Modified 21/12/2025 17:54

Techniques (MITRE) (18)

Malware (2)

  • SORVEPOTEL
    Family
    Published 06/05/2026 19:35 · Modified 06/05/2026 19:35
  • Coyote
    Family
    Published 12/11/2025 09:45 · Modified 12/11/2025 09:45

Others (2)

  • Brazil
  • Finance

External references