{
  "name": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C",
  "slug": "active-water-saci-campaign-spreading-via-whatsapp-features-multi-vector-persistence-and-sophisticated-cc",
  "description": "The Water Saci campaign has evolved and now uses an email-based command-and-control (C&C) infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote control capabilities that allow infected machines to be managed in real time as a coordinated botnet. The malware implements extensive anti-analysis measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the Coyote banking trojan, suggesting possible links within the Brazilian cybercriminal ecosystem.",
  "published": "2025-10-27T14:20:48+00:00",
  "created_at": "2025-10-27T14:20:48+00:00",
  "modified_at": "2025-10-27T15:54:40+00:00",
  "created_at_opencti": "2025-10-27T14:20:48+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-10-27",
    "anti-analysis",
    "banking trojan",
    "coyote",
    "sorvepotel",
    "vbs"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true"
      },
      {
        "id": "",
        "name": "https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true"
      },
      {
        "id": "",
        "name": "http://saborizerefeicoes34.online/"
      },
      {
        "id": "",
        "name": "http://motopartshonda.shop/"
      },
      {
        "id": "",
        "name": "http://motopartshonda.site/"
      },
      {
        "id": "",
        "name": "http://miportuarios.com/sisti/api.ps1"
      },
      {
        "id": "",
        "name": "http://casadoconector.online/"
      },
      {
        "id": "",
        "name": "http://aspeimoveis342235.online/"
      },
      {
        "id": "",
        "name": "http://albacosmeticos.online/"
      },
      {
        "id": "",
        "name": "http://saborizerefeicoes34.site/"
      },
      {
        "id": "",
        "name": "http://albacosmeticos.shop/"
      },
      {
        "id": "",
        "name": "wbdiamonds.com"
      },
      {
        "id": "",
        "name": "vinhomeshungyentheempires.com"
      },
      {
        "id": "",
        "name": "saborizerefeicoes34.site"
      },
      {
        "id": "",
        "name": "saborizerefeicoes34.online"
      },
      {
        "id": "",
        "name": "ricardasphotography.com"
      },
      {
        "id": "",
        "name": "motopartshonda.site"
      },
      {
        "id": "",
        "name": "motopartshonda.shop"
      },
      {
        "id": "",
        "name": "mazdafinancialsevrices.com"
      },
      {
        "id": "",
        "name": "miportuarios.com"
      },
      {
        "id": "",
        "name": "lefthandsuperstructures.com"
      },
      {
        "id": "",
        "name": "jornalistaaurelianoborgesmidia.com"
      },
      {
        "id": "",
        "name": "intelligentopennetworkingawards.com"
      },
      {
        "id": "",
        "name": "cursosgratiss.com.br"
      },
      {
        "id": "",
        "name": "casadoconector.online"
      },
      {
        "id": "",
        "name": "clhttradinglimited.com"
      },
      {
        "id": "",
        "name": "aspeimoveis342235.online"
      },
      {
        "id": "",
        "name": "albacosmeticos.online"
      },
      {
        "id": "",
        "name": "albacosmeticos.shop"
      },
      {
        "id": "",
        "name": "adoblesecuryt.com"
      },
      {
        "id": "",
        "name": "fe10ce5fede53d88f8d06fbf533e1d9416b1c423c556915313fe52e9fa70dcec"
      },
      {
        "id": "",
        "name": "b05f07e5709dc25ec544ff64dabf54682f15cc2d34d2367102a096232fb3822a"
      },
      {
        "id": "",
        "name": "536864994d1916fe45824abf0276796284c3d36c0dd98c62d5a55892623a5de0"
      },
      {
        "id": "",
        "name": "3ff9c9cc7cc65bef73bf75d222b8ba56728aeb4fc5e8882e82a4fab970dbe1c6"
      },
      {
        "id": "",
        "name": "341252a437e7535f9ea8707e41f0ff2a775eddb16190eeb9f0c0f524214e4f3d"
      },
      {
        "id": "",
        "name": "2c0dff7f8f724476dffd07b0f51ceaae9600073e927d3694d167664eec194b4d"
      },
      {
        "id": "",
        "name": "1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:d62d4c66ee50e421",
        "name": "SORVEPOTEL",
        "slug": "sorvepotel"
      },
      {
        "id": "legacy:malware:d569bbaf8a4d62e6",
        "name": "Coyote",
        "slug": "coyote"
      }
    ],
    "intrusion_sets": [
      {
        "id": "76f81da7-e03f-4d99-880f-3a1a5df5a22d",
        "name": "Water Saci",
        "slug": "water-saci"
      }
    ],
    "attack_patterns": [
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html",
    "https://otx.alienvault.com/pulse/68ff8dd035041c4143f2889b"
  ]
}