Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
Essential information
- Published
- 02/12/2025 14:44
- Modified
- 21/12/2025 18:21
- Tags
- 2025-12-02 ai-enhanced anti-sandbox backdoor banking trojan brazil casbaneiro metamorfo multi-format attacks powershell python whatsapp
- Related entities
- 18 observables, 1 intrusion sets (apt), 18 techniques (mitre), 2 malware, 5 others
Description
The Water Saci campaign in Brazil is using advanced techniques to deliver banking trojans through WhatsApp. The attack chain involves various file formats and scripting languages, designed to bypass detection and increase analysis complexity. Attackers have transitioned from PowerShell to Python for their propagation routine, suggesting an accelerated development pipeline. Evidence indicates the possible use of AI tools like LLMs to convert malware scripts. The campaign showcases multi-format malware delivery, aggressive anti-sandbox measures, and extensive backdoor capabilities. The malware targets Brazilian banking applications and cryptocurrency platforms, using sophisticated techniques for persistence and evasion.