A cyber-espionage campaign tracked as “Water Saci” has shifted its tactics, using the reach of WhatsApp and, apparently, generative AI to target Brazilian users with a banking trojan. A new report from Trend Micro finds that the threat actors have not only diversified their delivery vectors but may also have used Large Language Models (LLMs) to rewrite their malware, speeding up development and operations.
Brazil’s most popular messaging platform has become the primary battlefield for this campaign. Security researchers note a distinct escalation in how the attacks are delivered, moving beyond bulk spam to highly credible social engineering.
According to the report, “Brazil has seen a recent surge of threats delivered via WhatsApp.” Victims are not receiving messages from strangers, but rather from compromised accounts of trusted contacts, creating a dangerous veneer of legitimacy. “Unsuspecting users receive convincing messages from trusted contacts, often crafted to exploit social engineering tactics and encourage interaction with malicious content.”

Perhaps the most notable development in the Water Saci campaign is the indication of AI-assisted development. The attackers rapidly moved their propagation scripts from PowerShell to Python, a change that improves browser compatibility and makes automation easier.
The speed and character of this rewrite suggest that the port was not done by hand alone. “Evidence suggests that attackers may have used AI tools like LLMs to convert their malware propagation scripts from PowerShell to Python.”
This shift is not merely cosmetic; it represents a tactical upgrade. “This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web.”
The infection chain identified by Trend Micro is deliberately layered: each stage is wrapped in a different file format so that no single signature catches the whole chain and analysts have to unpack several layers to reach the payload.
“The Water Saci campaign in Brazil has been observed using a highly layered attack chain that involves various file formats (including HTA files, ZIP archives, and PDFs), designed to bypass simple pattern-based detection and increase the complexity of analysis.”
The technical anatomy of the attack generally follows this sequence:
- Initial Vector: A user receives a WhatsApp message with a malicious attachment (a ZIP archive, a PDF lure, or an HTA file).
- Execution: If the HTA file is opened, Windows runs it under mshta.exe and the embedded VBScript executes immediately, outside any browser sandbox.
- Download: The script contacts a Command & Control (C&C) server and retrieves an MSI installer.
- Payload: The MSI installer launches an AutoIt loader, which decrypts the final banking trojan and injects it into a hollowed system process.
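Detection teams can turn the chain above into a lineage rule: an HTA host process, followed by an MSI install, followed by an AutoIt interpreter, is rarely a legitimate sequence on a user workstation. The script below is an added example, not code from the Trend Micro report or from the campaign itself. Its event schema, the process names it keys on (mshta.exe, msiexec.exe, AutoIt3.exe), the 120-second correlation window and every sample event are constructed assumptions; map the fields onto your own EDR or Sysmon process-creation records before use. One caveat it handles explicitly: the Windows Installer service can start msiexec.exe under svchost.exe rather than under the script that requested the install, so a pure parent/child rule breaks at that step and the example falls back to a time-window correlation.

```python
"""Process-lineage detector for the HTA -> MSI -> AutoIt chain described above.

Added example, not from the Trend Micro report or its authors. The event
format, the field names, the time window and every sample event below are
constructed for illustration; map them onto your own EDR or Sysmon
(Event ID 1) process-creation records before using this.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ProcEvent:
    ts: float          # seconds since epoch (constructed values below)
    pid: int
    ppid: int
    image: str         # basename of the executable
    cmdline: str = ""


# Stage markers in the order the chain runs. mshta.exe is the Windows host for
# .hta files, msiexec.exe installs MSI packages, AutoIt3.exe is the AutoIt
# interpreter (a compiled AutoIt loader would need a different indicator).
STAGE_OF_IMAGE = {
    "mshta.exe": "hta_host",
    "msiexec.exe": "msi_install",
    "autoit3.exe": "autoit_loader",
}
STAGE_ORDER = ["hta_host", "msi_install", "autoit_loader"]

# The Windows Installer service may start msiexec.exe under svchost.exe rather
# than under the script that requested the install, so parent/child lineage
# can break at that step. As a fallback the detector also correlates stages
# that occur within WINDOW_S seconds of each other (assumed value).
WINDOW_S = 120.0


def stage_of(ev: ProcEvent) -> Optional[str]:
    return STAGE_OF_IMAGE.get(ev.image.lower())


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent, grandparent, ... as far as the log allows (cycle-safe)."""
    chain: List[ProcEvent] = []
    seen: Set[int] = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_chain(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per stage process that is preceded by an earlier
    stage, either in its process lineage or within the time window."""
    events = sorted(events, key=lambda e: e.ts)
    by_pid = {e.pid: e for e in events}   # assumes no PID reuse in the sample
    alerts: List[dict] = []
    for ev in events:
        stage = stage_of(ev)
        if stage is None or stage == STAGE_ORDER[0]:
            continue                        # the first stage alone is not a chain
        earlier = set(STAGE_ORDER[: STAGE_ORDER.index(stage)])
        by_lineage = {stage_of(a) for a in ancestors(ev, by_pid)} & earlier
        by_window = {
            stage_of(e) for e in events
            if e.pid != ev.pid and 0 <= ev.ts - e.ts <= WINDOW_S
        } & earlier
        matched = by_lineage | by_window
        if matched:
            alerts.append({
                "pid": ev.pid,
                "stage": stage,
                "matched": matched,
                "by_lineage": by_lineage,
                "by_window": by_window,
                "cmdline": ev.cmdline,
            })
    return alerts


# Constructed sample log: one malicious chain, then an unrelated MSI install
# started from Explorer well outside the window (must not be flagged).
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 4000, 800, "explorer.exe"),
    ProcEvent(1002.0, 4200, 4000, "mshta.exe", r"mshta.exe C:\Users\u\Downloads\fatura.hta"),
    ProcEvent(1003.0, 4300, 700, "svchost.exe"),
    ProcEvent(1005.0, 4400, 4300, "msiexec.exe", r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\pkg.msi /qn"),
    ProcEvent(1010.0, 4500, 4400, "AutoIt3.exe", "AutoIt3.exe loader.a3x"),
    ProcEvent(1200.0, 5000, 4000, "msiexec.exe", r"msiexec.exe /i C:\installers\legit.msi"),
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"pid {a['pid']} ({a['stage']}): earlier stages {sorted(a['matched'])} "
              f"lineage={sorted(a['by_lineage'])} window={sorted(a['by_window'])}")
```

On the constructed sample the msiexec.exe started by the installer service is caught only through the time window (its parent is svchost.exe), while the AutoIt3.exe process is caught both by lineage (its parent is that msiexec.exe) and by the window; the later, Explorer-launched install produces no alert. In production, add the user session or logon ID to the window correlation so that two different users' activity on a shared host is not chained together.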
Once installed, the malware behaves as a full surveillance tool. It monitors the title of the active window for keywords associated with major Brazilian banks (such as Bradesco, Itaú and Santander) and with cryptocurrency wallets, and becomes active only when a target is in use.
The trojan is capable of:
- VNC Mirroring: Streaming the victim’s screen to the attacker in real time, so the operator can act inside an already authenticated banking session.
- Overlay Attacks: Displaying fake login screens to harvest credentials, or a black screen to hide fraudulent activity while the operator works.
- Persistence: Modifying the Windows Registry so that the malware is launched again after a reboot.
The Water Saci campaign illustrates the convergence of a layered, evasion-focused delivery chain with AI-accelerated tooling. By automating the spread of malware through a trusted channel such as WhatsApp, where each compromised account becomes the lure for its own contacts, the threat actors have built a self-propagating infection loop.