A new malware campaign uncovered by Trend Micro’s Threat Research team has weaponized WhatsApp to launch one of the most aggressive self-propagating malware outbreaks seen in recent months. The campaign—dubbed “Water Saci”—uses a newly identified malware called SORVEPOTEL, designed to spread rapidly across Windows systems while targeting financial institutions and cryptocurrency exchanges in Brazil.
Trend Micro researchers describe Water Saci as “an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector.” Unlike typical phishing or ransomware attacks, this campaign prioritizes speed and social engineering, abusing the inherent trust users place in WhatsApp conversations.
The infection starts with a phishing message sent from a compromised WhatsApp account—often belonging to a friend or colleague—which contains a malicious ZIP file disguised as a legitimate document (e.g., “RES-20250930_112057.zip” or “ORCAMENTO_114418.zip”). When opened, the archive reveals a malicious Windows shortcut (.LNK) file that silently executes a PowerShell script. This script downloads and executes additional payloads directly from attacker-controlled domains such as sorvetenopotel[.]com and expahnsiveuser[.]com.
According to the report, “SORVEPOTEL has been observed to spread across Windows systems with a message that requires users to open it on a desktop, suggesting that threat actors behind the campaign are targeting enterprises.”
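As an added defender-side example (not code from Trend Micro's report), the following Python scanner checks a ZIP attachment for the lure shape described above: a Windows shortcut whose target or arguments launch PowerShell. It reads the shortcut's MS-SHLLINK header and StringData directly; the archive and entry name it builds are constructed samples, not campaign artefacts, and the option markers it flags are an assumed, illustrative list.

```python
import io, struct, zipfile
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon", 0x40))

def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK reader: check header, skip IDList/LinkInfo, return StringData."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C
    if flags & HAS_IDLIST:    # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfoSize (4 bytes) counts the whole LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for key, bit in STRING_FIELDS:  # StringData in spec order: CountCharacters (2 bytes) + characters
        if flags & bit:
            n, w = struct.unpack_from("<H", data, pos)[0], (2 if flags & IS_UNICODE else 1)
            out[key] = data[pos + 2:pos + 2 + n * w].decode("utf-16-le" if w == 2 else "cp1252", "replace")
            pos += 2 + n * w
    return out

def lnk_findings(info: dict) -> list:
    """Flag the lure pattern from the report: a shortcut that quietly launches PowerShell."""
    cmd = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = ["launches PowerShell"] if ("powershell" in cmd or "pwsh" in cmd) else []
    opts = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "-nop")  # assumed markers
    return hits + ["option " + o.strip() for o in opts if o in cmd]

def scan_zip(zip_bytes: bytes) -> list:
    """(entry, findings) for every .lnk in the archive; malformed shortcuts are reported too."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.namelist():
            if entry.lower().endswith(".lnk"):
                try:
                    results.append((entry, lnk_findings(parse_lnk(zf.read(entry)))))
                except (ValueError, struct.error) as exc:
                    results.append((entry, ["malformed .lnk: " + str(exc)]))
    return results

def build_sample_zip() -> bytes:
    """Constructed sample, not a campaign artefact: document-named ZIP holding one .lnk."""
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")  # one StringData element
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE)
    lnk = header + bytes(52) + s("powershell.exe") + \
        s('-WindowStyle Hidden -NoProfile -Command "Write-Output constructed-sample"')
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("ORCAMENTO_114418.lnk", lnk)
    return buf.getvalue()
```

Run `scan_zip(build_sample_zip())` to see the constructed lure flagged; pointing `scan_zip` at a real attachment's bytes works the same way, and a .lnk that fails to parse is still reported rather than silently skipped.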

One of the most innovative and dangerous features of SORVEPOTEL is its ability to hijack active WhatsApp Web sessions on infected devices. Trend Micro notes, “When detected, the malware leverages this session to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account.”
This automated spread not only amplifies the infection rate but also results in WhatsApp account bans due to excessive spam activity. The malware’s behavior reveals a calculated exploitation of BYOD (Bring Your Own Device) environments, where enterprise systems are indirectly compromised through personal messaging platforms.
Once fully deployed, the malware downloads multiple PowerShell and .NET payloads, leading to the activation of Maverick.StageTwo and Maverick.Agent, sophisticated modules engineered to steal financial credentials and monitor user activity.
Trend Micro’s analysis found that “the malware specifically targets Brazilian banking customers,” identifying institutions such as Banco do Brasil, Bradesco, Itaú, Santander, and Caixa Econômica Federal among the targets. The infostealer continuously monitors active browser windows, injecting itself into sessions when users visit financial websites or cryptocurrency platforms like Binance and Mercado Bitcoin.
The report also highlights anti-analysis measures within the malware, including self-termination if debugging tools like IDA or Wireshark are detected. Moreover, geo-validation logic ensures execution only within Brazil, reinforcing its regional focus.
Beyond credential theft, Water Saci deploys an advanced overlay phishing system capable of generating full-screen fake banking interfaces. These overlays imitate legitimate banking apps and websites, capturing passwords, PINs, and multi-factor authentication codes in real time.
Trend Micro explains that the malware “creates full-screen overlays that remain visible by staying topmost, hiding from the taskbar, and covering the entire monitor,” giving users the illusion of a legitimate login interface while silently exfiltrating data.
SORVEPOTEL ensures persistence by copying malicious batch scripts into the Windows Startup folder, guaranteeing execution upon reboot. The malware communicates with multiple command-and-control (C2) servers through obfuscated PowerShell scripts and encrypted headers, dynamically fetching new payloads as instructed.
To evade detection, the attackers use typosquatted domains mimicking benign Brazilian phrases, such as “sorvete no pote” (Portuguese for “ice cream in a cup”), blending malicious traffic with legitimate network behavior.
According to Trend Micro’s telemetry, the Water Saci campaign has predominantly affected Brazil: “457 of the 477 cases we detected as of writing are from Brazil.” The malware has infiltrated government agencies, manufacturing firms, technology companies, and educational institutions.
Trend Micro emphasizes that this outbreak is a warning of things to come: “This campaign not only destabilizes individual users and companies but also offers a blueprint for similar attacks globally.”