Researchers from Trend Research have identified a major evolution in the Water Saci malware campaign, marking one of the most advanced social engineering and self-propagating attacks seen in Latin America. The campaign, which initially spread via WhatsApp messages, has evolved into a multi-layered, script-driven botnet capable of real-time coordination and remote control.
According to Trend Micro, “Further investigation into the active Water Saci campaign shows a new attack chain that utilizes an email-based C&C infrastructure, employs multi-vector persistence for resilience, and incorporates advanced checks to evade analysis and restrict activity to specific targets.”
First observed in September 2025, Water Saci initially masqueraded as ZIP attachments shared through compromised WhatsApp accounts. The attached file — typically named “Orcamento-2025.zip” — contained an obfuscated Visual Basic Script (VBS) downloader that executed PowerShell commands directly in memory, enabling fileless infection.
The updated campaign, Trend notes, “diverges from previously discussed .NET-based methods,” replacing traditional binaries with lightweight scripts that dynamically orchestrate payload downloads and execution via Visual Basic Script (VBS) and PowerShell (PS1) loaders.

When executed, the malicious script displays a banner posing as “WhatsApp Automation v6.0”, concealing its true intent while harvesting all contacts from the victim’s WhatsApp Web session. “The downloaded PowerShell script is used to hijack WhatsApp Web sessions, harvest all contacts from the victim’s account, and automatically distribute malicious ZIP files,” the report explains.
One of the most striking developments in this campaign is its dual-layered C&C architecture. Unlike traditional HTTP-based control, Water Saci uses IMAP connections to email inboxes hosted on terra.com.br as its command infrastructure. The malware logs into these accounts using hardcoded credentials, retrieves encrypted instructions, and then transitions to HTTP polling for follow-up commands.
As Trend describes, “The most sophisticated aspect of the backdoor is its email-based C&C infrastructure. Rather than relying on traditional HTTP-based communication, the malware leverages IMAP connections to retrieve commands.”
If the email C&C becomes unreachable, the malware seamlessly switches to HTTP POST polling — sending beacon requests every five seconds — to fetch and execute commands such as file operations, screenshot capture, and process management.
These capabilities transform infected systems into botnet nodes capable of remote coordination. The report highlights that “the new attack chain also features a sophisticated remote command-and-control system that allows threat actors real-time management, including pausing, resuming, and monitoring the malware’s campaign, effectively converting infected machines into a botnet tool.”
The malware checks the Chrome browser version and installs Selenium PowerShell modules and ChromeDriver to automate WhatsApp Web tasks. This allows the attackers to bypass QR-code authentication, reuse the victim’s existing browser session, and directly send messages to all contacts.
“It then installs the Selenium PowerShell module, enabling automated browser tasks on the victim’s machine,” the Trend Research report notes.
Using JavaScript injection, the malware sends personalized messages and malicious ZIP attachments to each contact. It even monitors its own spread: “The malware generates detailed campaign statistics and sends them back to the C&C server, giving threat actors insight into success rates, victim system profiles, and lists of successfully contacted targets.”
Water Saci employs multiple persistence and evasion mechanisms designed to resist forensic analysis. Its anti-debugging routines check for common analysis tools such as OllyDbg, x64dbg, and ProcMon and, if any is running, trigger a self-destruct routine that wipes the malware from disk.
To ensure persistence, “the auto-installation routine establishes a foothold through both registry modifications and scheduled task creation using a dropped copy of itself named WinManagers.vbs saved in C:\ProgramData\WindowsManager.”
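A hunting routine, added here as an illustration (not Trend's code or the malware's), that flags the persistence artefacts just described (the WinManagers.vbs copy under C:\ProgramData\WindowsManager registered via a Run key or scheduled task) and the C&C behaviour from the earlier paragraphs (IMAP connections to terra.com.br mailboxes and the five-second HTTP fallback polling) when they originate from script hosts. The event schema and sample telemetry are constructed, Sysmon-like records, and the HTTP fallback host in the sample is a placeholder, not an indicator from the report:

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
DROP_PATH = r"c:\programdata\windowsmanager\winmanagers.vbs"  # persistence copy named in the report
C2_MAIL_DOMAIN = "terra.com.br"                               # IMAP C&C mailbox domain named in the report
IMAP_PORTS = {143, 993}
BEACON_SECS = 5                                               # HTTP fallback polling interval in the report

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (rule, detail) tuples for events matching the behaviours the report describes."""
    hits, conns = [], defaultdict(list)
    for ev in events:
        img = image_name(ev["image"])
        if ev["type"] == "net" and img in SCRIPT_HOSTS:
            if ev["dst_port"] in IMAP_PORTS and ev["dst_host"].endswith(C2_MAIL_DOMAIN):
                hits.append(("imap_c2", f"{img} -> {ev['dst_host']}:{ev['dst_port']}"))
            conns[(img, ev["dst_host"], ev["dst_port"])].append(ev["ts"])
        elif ev["type"] == "reg" and "\\run\\" in ev["key"].lower() and DROP_PATH in ev["value"].lower():
            hits.append(("run_key_persistence", ev["key"]))
        elif ev["type"] == "proc" and DROP_PATH in ev["cmdline"].lower():
            rule = "schtasks_persistence" if img == "schtasks.exe" else "dropped_vbs_exec"
            hits.append((rule, ev["cmdline"]))
    # Fixed-interval polling by a script host: >= 4 connects to one destination spaced ~BEACON_SECS apart.
    for (img, host, port), ts in conns.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 3 and all(abs(g - BEACON_SECS) <= 1 for g in gaps):
            hits.append(("http_beacon", f"{img} -> {host}:{port} every ~{BEACON_SECS}s"))
    return hits

# Constructed sample telemetry (Sysmon-like fields, timestamps in seconds): one infection plus benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "proc", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\ProgramData\WindowsManager\WinManagers.vbs"'},
    {"type": "reg", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsManager",
     "value": r"wscript.exe C:\ProgramData\WindowsManager\WinManagers.vbs"},
    {"type": "proc", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn WindowsManager /tr "C:\ProgramData\WindowsManager\WinManagers.vbs"'},
    {"type": "net", "image": PS, "dst_host": "imap.terra.com.br", "dst_port": 993, "ts": 100},
    *[{"type": "net", "image": PS, "dst_host": "c2.example.invalid", "dst_port": 80, "ts": 200 + 5 * i}
      for i in range(4)],  # placeholder HTTP fallback host, not an indicator from the report
    {"type": "net", "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dst_host": "imap.terra.com.br", "dst_port": 993, "ts": 300},  # ordinary mail client: not flagged
]
```

Calling `hunt(SAMPLE_EVENTS)` yields one hit per rule; a legitimate mail client reaching the same IMAP server is not reported because only script hosts are considered.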
Trend Research believes Water Saci may be linked to the Coyote malware family — a Brazilian banking trojan that evolved from phishing-based .NET payloads to stealthy browser automation attacks.
The report notes that “Water Saci shares similarities to Coyote, a stealthy banking trojan that spread via WhatsApp in early 2025,” and that both campaigns “operate within the same Brazilian cybercriminal ecosystem.”
Like Coyote, Water Saci has undergone three major evolutionary waves:
- Compiled Trojan Phase – Using ZIP-based phishing attachments with LNK or EXE launchers.
- Automation Phase – Integrating ChromeDriver and Selenium automation to hijack browsers.
- Script-Based Phase – Fileless PowerShell and VBS loaders, leveraging live WhatsApp sessions for propagation.
Trend Micro summarizes: “Attackers who once relied on noisy, file-based banking Trojans have quietly moved toward low-artifact, browser-state abuse, and WhatsApp Web became the preferred delivery highway.”