Cyber Web Spider Blog – News
Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud

Posted on December 3, 2025 By CWS

The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate, via WhatsApp, a worm that deploys a banking trojan in attacks targeting users in Brazil.
The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like fashion over WhatsApp Web.
“Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates,” Trend Micro researchers Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, and Emmanuel Panopio said.
In these attacks, users receive messages from trusted contacts on WhatsApp urging them to interact with malicious PDF or HTA attachments, which activates the infection chain and ultimately drops a banking trojan that can harvest sensitive data. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link.
Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server: an MSI installer for the trojan and a Python script that is responsible for spreading the malware via WhatsApp Web.
“This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web,” Trend Micro said. “Together, these changes make propagation faster, more resilient to failure, and easier to maintain or extend.”
The MSI installer, for its part, serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given point in time. It accomplishes this by verifying the presence of a marker file named “executed.dat.” If it doesn’t exist, the script creates the file and notifies an attacker-controlled server (“manoelimoveiscaioba[.]com”).
Other AutoIt artifacts uncovered by Trend Micro have also been found to verify whether the Windows system language is set to Portuguese (Brazil), proceeding to scan the infected system for banking-related activity only if this criterion is met. This includes checking for folders related to major Brazilian banking applications, security, and anti-fraud modules, such as Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú.

It’s worth noting that Latin America (LATAM)-focused banking trojans like Casbaneiro (aka Metamorfo and Ponteiro) have incorporated similar features as far back as 2019. Furthermore, the script analyzes the user’s Google Chrome browsing history to look for visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.
The script then proceeds to another crucial reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to match them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.

If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer, decrypts it, and injects it into a hollowed “svchost.exe” process, after which the loader searches for an additional DMP file containing the banking trojan.

“If a TDA file is present, the AutoIt script decrypts and loads it as an intermediate PE loader (Stage 2) into memory,” Trend Micro explained. “However, if only a DMP file is found (no TDA present), the AutoIt script bypasses the intermediate loader entirely and loads the banking trojan directly into the AutoIt process memory, skipping the process hollowing step and operating as a simpler two-stage infection.”
Persistence is achieved by constantly keeping tabs on the newly spawned “svchost.exe” process. Should the process be terminated, the malware starts afresh and waits to re-inject the payload the next time the victim opens a browser window for a financial service that is targeted by Water Saci.
The attacks stand out for a significant tactical shift. The banking trojan deployed isn’t Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. This assessment is based on the AutoIt-based delivery and loader mechanism employed, as well as the window title monitoring, Registry-based persistence, and IMAP-based fallback command-and-control (C2) mechanism.
Once launched, the trojan carries out “aggressive” anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. It makes Registry modifications to set up persistence and establishes contact with a C2 server (“serverseistemasatu[.]com”) to send the collected details and receive backdoor commands that grant remote control over the infected system.

Besides scanning the titles of active windows to identify whether the user is interacting with banking or cryptocurrency platforms, the trojan forcibly terminates several browsers to force victims to reopen banking sites under “attacker-controlled conditions.” Some of the supported features of the trojan are listed below –

Send system information
Enable keyboard capture
Start/stop screen capture
Modify screen resolution
Simulate mouse movements and clicks
Perform file operations
Upload/download files
Enumerate windows, and
Create fake banking overlays to capture credentials and transaction data

The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool.

There’s “compelling” evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.
“The Water Saci campaign exemplifies a new era of cyber threats in Brazil, where attackers exploit the trust and reach of popular messaging platforms like WhatsApp to orchestrate large-scale, self-propagating malware campaigns,” Trend Micro said.
“By weaponizing familiar communication channels and employing advanced social engineering, threat actors are able to swiftly compromise victims, bypass traditional defenses, and maintain persistent banking trojan infections. This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery and underscores the growing sophistication of cybercriminal operations in the region.”
Brazil Targeted by New RelayNFC Android Malware
The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that is designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. The campaign has been operating since early November 2025.
“RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as if the victim’s card were physically present,” Cyble said in an analysis. “The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection.”
Primarily spread via phishing, the attack uses decoy Portuguese-language sites (e.g., “maisseguraca[.]site”) to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim’s card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data.
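The reporting above names the check-in and C2 domains in defanged form. The following is an added example, not code from Trend Micro or Cyble, showing how a defender can refang those indicators and sweep them against proxy logs; the log format and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Defanged indicators exactly as they appear in the article above.
DEFANGED_IOCS = [
    "manoelimoveiscaioba[.]com",  # AutoIt marker-file check-in server
    "serverseistemasatu[.]com",   # banking trojan C2
    "maisseguraca[.]site",        # RelayNFC phishing site
    "test.ikotech[.]online",      # site distributing the HCE test APK
]

def refang(indicator: str) -> str:
    """Turn a defanged domain ('example[.]com') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}

def host_matches(host: str) -> Optional[str]:
    """Return the IoC that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Constructed proxy log layout (assumed): "<timestamp> <source ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source ip, matched IoC) for each line whose host hits the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlparse(m.group("url")).hostname
        ioc = host_matches(host) if host else None
        if ioc:
            hits.append((m.group("ts"), m.group("src"), ioc))
    return hits

# Constructed sample log lines; paths and addresses are invented for the example.
SAMPLE_LOG = [
    "2025-12-01T10:02:11Z 10.0.0.23 GET http://manoelimoveiscaioba.com/check",
    "2025-12-01T10:02:15Z 10.0.0.23 GET https://www.example.org/",
    "2025-12-01T10:05:40Z 10.0.0.23 POST https://api.serverseistemasatu.com/gate",
    "2025-12-01T10:07:02Z 10.0.0.51 GET https://maisseguraca.site/app.apk",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IoC hit:", hit)
```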

Like other NFC relay malware families such as SuperCard X and PhantomCard, RelayNFC operates as a reader that is designed to gather the card data by instructing the victim to tap their payment card on the device. Once the card data is read, the malware displays a message that prompts them to enter their 4- or 6-digit PIN. The captured information is then sent to the attacker’s server via a WebSocket connection.
“When the attacker initiates a transaction from their POS-emulator device, the C&C server sends a specially crafted message of type ‘apdu’ to the infected phone,” Cyble said. “This message contains a unique request ID, a session identifier, and the APDU command encoded as a hexadecimal string.”
“Upon receiving this instruction, RelayNFC parses the packet, extracts the APDU data, and forwards it directly to the victim device’s NFC subsystem, effectively acting as a remote interface to the physical payment card.”
The cybersecurity company said its investigation also uncovered a separate phishing website (“test.ikotech[.]online”) that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
Because HCE allows an Android device to emulate a payment card, the mechanism allows a victim’s card interactions to be transmitted between a legitimate point-of-sale (PoS) terminal and an attacker-controlled device, thereby facilitating a real-time NFC relay attack. The feature is assessed to be under development, as the APK file does not register the HCE service in the package manifest file.
“The RelayNFC campaign highlights the rapid evolution of NFC relay malware targeting payment systems, particularly in Brazil,” the company said. “By combining phishing-driven distribution, React Native-based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud.”
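Cyble describes each relayed frame as carrying a type of ‘apdu’, a request ID, a session identifier and the command APDU as hex. The following added example (not code from Cyble or from the malware) shows how an analyst triaging captured WebSocket frames can decode the APDU header and recognize the start of a contactless EMV transaction; the JSON field names and the sample frames are assumed, since the report does not give them.

```python
import json
from typing import Any, Dict

# ISO 7816-4 / EMV instruction bytes commonly seen during a contactless transaction.
EMV_INS = {
    0xA4: "SELECT",
    0xA8: "GET PROCESSING OPTIONS",
    0xB2: "READ RECORD",
    0xAE: "GENERATE AC",
    0xCA: "GET DATA",
    0x84: "GET CHALLENGE",
}

def decode_apdu(hex_apdu: str) -> Dict[str, Any]:
    """Split a short-form command APDU (hex string) into CLA/INS/P1/P2, data and Le."""
    raw = bytes.fromhex(hex_apdu.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    data, le = b"", None
    if len(body) == 1:            # case 2: Le only
        le = body[0]
    elif len(body) > 1:           # case 3/4: Lc, data[, Le]
        lc = body[0]
        data = body[1:1 + lc]
        if len(body) == lc + 2:
            le = body[-1]
    return {"cla": cla, "ins": ins, "name": EMV_INS.get(ins, "UNKNOWN"),
            "p1": p1, "p2": p2, "data": data, "le": le}

def triage_relay_message(frame: str) -> Dict[str, Any]:
    """Parse one C2-to-phone frame (assumed keys: type, id, session, apdu) for logging."""
    msg = json.loads(frame)
    if msg.get("type") != "apdu":
        return {"relay": False, "type": msg.get("type")}
    apdu = decode_apdu(msg["apdu"])
    note = ""
    if apdu["name"] == "SELECT" and apdu["data"].startswith(b"2PAY.SYS.DDF01"):
        note = "PPSE selection: start of a contactless EMV transaction"
    return {"relay": True, "request_id": msg.get("id"), "session": msg.get("session"),
            "command": apdu["name"], "note": note}

# Constructed frames for the example; not captured from the real campaign.
SAMPLE_FRAMES = [
    '{"type":"apdu","id":"req-1","session":"s-42","apdu":"00A404000E325041592E5359532E444446303100"}',
    '{"type":"apdu","id":"req-2","session":"s-42","apdu":"80A8000002830000"}',
    '{"type":"ping"}',
]
```

Each relayed SELECT of the PPSE (“2PAY.SYS.DDF01”) marks a fresh transaction attempt, so counting those per session gives a quick measure of how many times a stolen card was used.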

Source: The Hacker News. Tags: Banking, Brazil, Fraud, Hit, NFC, Relay, RelayNFC, Spread, Trojan, WhatsApp, Worm