Unraveling Water Saci's New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
Through AI-driven code conversion and a layered infection chain involving different file formats and scripting languages, the threat actors behind Water Saci are quickly upgrading their malware delivery and propagation methods across WhatsApp in Brazil.
By: Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, Emmanuel Panopio
Dec 02, 2025
Key takeaways
- The Water Saci campaign in Brazil has been observed using a highly layered attack chain that involves various file formats (including HTA files, ZIP archives, and PDFs), designed to bypass simple pattern-based detection and increase the complexity of analysis.
- The attackers switched tactics by transitioning from their PowerShell-based propagation routine to a Python variant, which suggests an accelerated development pipeline. This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web.
- Evidence suggests that attackers may have used AI tools like LLMs to convert their malware propagation scripts from PowerShell to Python; this would explain their capabilities for batch messaging, improved error handling, and enhanced console output.
- Trend Vision One™ detects and blocks the IoCs discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign.
Brazil has seen a recent surge of threats delivered via WhatsApp. As observed in our previously published research on the SORVEPOTEL malware and the broader Water Saci campaign, this popular platform has been used to launch sophisticated campaigns. Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content. While the core objectives of these campaigns remain consistent, this wave showcases advanced techniques in infection, persistence, and evasion, underscoring how legitimate platforms are increasingly being exploited to reach Brazilian targets more effectively.
Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates. As adversaries’ techniques evolve, organizations must be prepared for the heightened risk posed by campaigns that combine technical complexity with AI-enhanced agility.
Multi-format malware delivery through WhatsApp messages
The initial stage of this campaign demonstrates a diverse set of entry points employed by threat actors to reach victims through WhatsApp. Users reported receiving messages from trusted contacts containing various forms of malicious attachments.
Some users received compressed archive files, such as ZIP files containing harmful payloads (Figure 1). Others were targeted with messages encouraging them to download what appeared to be benign PDF documents, often accompanied by plausible lures like requests to update Adobe Reader for proper viewing (Figures 2 and 3).
Figure 1. A WhatsApp message luring the user to open the ZIP file
Figure 2. A WhatsApp message luring the user to open the PDF file
Figure 3. Blurred image luring users to click/update Adobe
A notable subset of victims was targeted with a direct delivery of a malicious .hta file. Unlike ZIP or PDF formats, the .hta file executes its embedded script immediately upon opening, streamlining the infection process for the attacker. One detail observed in multiple cases was the download of files with names following the pattern A-{random characters}.hta directly from web.whatsapp[.]com as shown in the Trend Vision One™ telemetry logs in Figure 4.
Figure 4. Malicious HTA file
Technical analysis
Figure 5. Attack chain
Initial vector - HTA file
The infection chain begins when the user executes a malicious HTA file, which contains an embedded Visual Basic (VB) script protected by two layers of obfuscation to evade detection and hinder analysis. Once deobfuscated, the script reveals commands that create a batch file at C:\temp\instalar.bat. When that batch file is executed, it connects to the attacker’s command-and-control (C&C) server to download an MSI installer and an automation (Python) script along with its supporting components.
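As an added example (not code from the original report or its authors), the hunting logic below scans telemetry lines for the two host-side indicators described so far: a file named A-{random characters}.hta written by a browser from web.whatsapp[.]com, and the HTA host process creating C:\temp\instalar.bat. The sample log lines, their key=value layout, the hostnames and the user names are all constructed for this example, and the process name mshta.exe assumes the HTA runs under Windows' default HTA host; a real Trend Vision One export would need its own parser in place of `parse_event`.

```python
import re
from urllib.parse import urlparse

# Constructed telemetry lines in a hypothetical key=value layout (not the
# real Trend Vision One export format). Values contain no spaces.
SAMPLE_EVENTS = [
    "ts=2025-11-20T13:02:11Z host=BR-WS-017 process=chrome.exe event=file_create "
    "path=C:\\Users\\ana\\Downloads\\A-x7Qk2p.hta url=https://web.whatsapp.com/",
    "ts=2025-11-20T13:02:40Z host=BR-WS-017 process=mshta.exe event=file_create "
    "path=C:\\temp\\instalar.bat url=-",
    "ts=2025-11-20T13:05:03Z host=BR-WS-021 process=chrome.exe event=file_create "
    "path=C:\\Users\\joao\\Downloads\\fatura.pdf url=https://web.whatsapp.com/",
    "ts=2025-11-20T13:06:15Z host=BR-WS-030 process=msedge.exe event=file_create "
    "path=C:\\Users\\lia\\Downloads\\A-report.hta url=https://intranet.example/",
]

KV = re.compile(r"(\w+)=(\S+)")
# File name pattern reported in the campaign: A-{random characters}.hta
HTA_NAME = re.compile(r"[\\/]A-[A-Za-z0-9]+\.hta$", re.IGNORECASE)
# Batch file the deobfuscated HTA script writes to disk
BATCH_PATH = "c:\\temp\\instalar.bat"


def parse_event(line):
    """Turn one key=value telemetry line into a dict (assumed layout)."""
    return dict(KV.findall(line))


def classify(event):
    """Return the name of the matching indicator rule, or None."""
    path = event.get("path", "")
    host = urlparse(event.get("url", "")).hostname or ""
    # Rule 1: A-*.hta fetched from WhatsApp Web by any browser process
    if HTA_NAME.search(path) and host == "web.whatsapp.com":
        return "hta_from_whatsapp_web"
    # Rule 2: the HTA host writing the dropper batch file (mshta.exe is an assumption)
    if path.lower() == BATCH_PATH and event.get("process", "").lower() == "mshta.exe":
        return "hta_dropped_instalar_bat"
    return None


def hunt(lines):
    """Return (host, rule, path) for every event that matches a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule:
            findings.append((event["host"], rule, event["path"]))
    return findings


if __name__ == "__main__":
    for host, rule, path in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {path}")
```

The fourth sample line shows why the rule pairs the file-name pattern with the download origin: an HTA that merely happens to start with "A-" but comes from another site is not flagged, while the two events on BR-WS-017 together reconstruct the HTA-then-batch sequence on a single host.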
Banking trojan - First stage
Following execution of the batch file, the infection chain continues with the download and installation of the MSI package. This installer serves as the primary vehicle for delivering the banking trojan and initiating its malicious activities on the compromised system (Figure 6).
Figure 6. MSI installation leading to the banking trojan payload
Upon inspection, the MSI package is found to contain several key components, described in more detail in Table 1:
| File name | Description |
|---|---|
| DaXGkoD7.exe | AutoIt interpreter |
| Ons7rxGC.log | Compiled AutoIt script |
| run.vbs | Initial launcher for AutoIt |
| starter.bat | Batch file to launch AutoIt in a specified folder |
| ucJDpQ.tda | Encrypted PE payload |
| fKmkzW.dmp | Alternative encrypted PE payload (If ucJDpQ.tda is missing, fKmkzW.dmp serves as the payload) |
Table 1. Files in the MSI package
The installer leverages a custom action to execute the included VB script (run.vbs), as shown in Figure 7. The script launches the AutoIt interpreter (DaXGkoD7.exe) to run the compiled AutoIt script (Ons7rxGC.log), shown in Figure 8. This process ultimately leads to the unpacking and activation of the final banking trojan payload hidden within the package.
Figure 7. The MSI installer initially executes the VB script using CustomAction
Figure 8. The VB script initiates the AutoIt interpreter (DaXGkoD7.exe), which then runs the compiled AutoIt payload (ONs7rxGC.log)
The AutoIt script checks whether it is being executed for the first time and, if so, notifies a remote server (Figure 9). If the marker file executed.dat does not exist, the function sends a notification to a specified URL and then creates the marker file containing a timestamp. This mechanism ensures that the notification is triggered only once, on the first execution.
Figure 9. AutoIt script initializing first-execution logic with remote notification
[...]