
Cybercriminals targeting Brazilian users have aggressively escalated their tactics, launching a highly sophisticated campaign dubbed “Water Saci.”
This new wave of attacks weaponizes WhatsApp Web, a platform implicitly trusted by millions, to deliver banking trojans and steal sensitive financial data.
By compromising user accounts, the attackers send convincing messages to trusted contacts, creating a rapid, self-propagating infection loop that leverages social engineering to bypass traditional security defenses effectively, impacting countless unsuspecting individuals.
The infection chain typically begins when users receive messages containing malicious attachments, such as ZIP archives, PDF lures disguised as Adobe updates, or direct HTA files following specific naming patterns like A-{random}.hta.
Once a victim opens these files, they execute a complex multi-stage attack sequence involving Visual Basic scripts and MSI installers.
This process stealthily downloads a banking trojan while simultaneously deploying automation scripts designed to hijack the victim’s WhatsApp session for further propagation, ensuring maximum reach.
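The stages described above (an mshta.exe launch of an A-{random}.hta lure, followed by a Visual Basic script and an MSI installer) are visible in ordinary process-creation telemetry. The following detection logic is an added example for defenders and is not code from the report or from the campaign; it runs over a handful of constructed sample events, and it assumes that {random} is an alphanumeric run, which is a guess to be tuned against real samples.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), as tuples of
# (parent image, image, command line). File names are invented to match the
# A-{random}.hta pattern described in the report.
SAMPLE_EVENTS = [
    ("explorer.exe", "mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\Users\maria\Downloads\A-7fk29ab.hta"'),
    ("explorer.exe", "mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\Users\maria\Downloads\A-Q8s1.hta"'),
    ("explorer.exe", "mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\Tools\intranet-dashboard.hta"'),
    ("mshta.exe", "wscript.exe", r'wscript.exe "C:\Users\maria\AppData\Local\Temp\stage1.vbs"'),
    ("wscript.exe", "msiexec.exe", r'msiexec.exe /i "C:\Users\maria\AppData\Local\Temp\update.msi" /qn'),
    ("explorer.exe", "winword.exe", r'"C:\Program Files\Microsoft Office\WINWORD.EXE" report.docx'),
]

# Assumption: {random} is an alphanumeric run. Anchored to a path separator so
# that a file merely containing "A-" somewhere in its name does not match.
HTA_LURE = re.compile(r'[\\/]A-[A-Za-z0-9]+\.hta"?$', re.IGNORECASE)

# Parent -> child pairs that reproduce the HTA -> VBS -> MSI chain from the report.
STAGE_CHAIN = {
    ("mshta.exe", "wscript.exe"), ("mshta.exe", "cscript.exe"),
    ("wscript.exe", "msiexec.exe"), ("cscript.exe", "msiexec.exe"),
}


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def match_hta_lure(event):
    """Flag mshta.exe launching a file whose name follows the A-{random}.hta pattern."""
    _parent, image, cmd = event
    if image.lower() == "mshta.exe" and HTA_LURE.search(cmd):
        return Finding("hta-lure-name", image, cmd)
    return None


def match_stage_chain(event):
    """Flag the script-host and installer hops of the multi-stage sequence."""
    parent, image, cmd = event
    if (parent.lower(), image.lower()) in STAGE_CHAIN:
        return Finding("hta-script-msi-chain", image, cmd)
    return None


def scan(events):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in (match_hta_lure, match_stage_chain):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line}")
```

The name rule alone is brittle (the operators can rename the lure at will), which is why the second rule keys on the parent/child relationship instead; on a real endpoint the two rules together give a much lower false-positive rate than either one alone.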
Trend Micro security analysts identified that this campaign marks a significant shift in malware development, utilizing artificial intelligence to accelerate its capabilities.
The attackers appear to have used Large Language Models (LLMs) to translate and optimize their propagation code, transitioning from PowerShell to a more robust Python-based infrastructure.
Strategic shift
This strategic shift significantly enhances their ability to spread malware across different browsers, including Chrome, Edge, and Firefox, making detection increasingly difficult for standard security protocols and leaving users vulnerable.
A critical component of this technical evolution is the whatsz.py script, which replaces earlier PowerShell variants.
Analysis reveals compelling evidence of AI-assisted coding, such as script headers explicitly stating “Versao Python Convertido de PowerShell”, and comments like “version optimized with errors handling.”
This script relies on component files like chromedriver.exe to automate the infection process, using Selenium to inject the WA-JS library, extract contact lists, and send malicious files in bulk to unsuspecting victims.
The Python code exhibits a sophisticated object-oriented structure with advanced error handling, features typically absent in quick manual ports.
For instance, the main automation class defines clear formatting for various statuses, ensuring reliable execution.
Additionally, the console output includes colorful emojis, a trait rarely seen in standard malware but common in AI-generated codebases.
This advanced automation allows the malware to operate autonomously, pausing and resuming tasks to blend in with normal network traffic while reporting progress to a command-and-control server, ultimately ensuring persistent access.
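The traits the analysts single out for whatsz.py (the "Versao Python Convertido de PowerShell" header, the "optimized with errors handling" comment, Selenium driving chromedriver.exe, references to the WA-JS library, and emoji in console output) can be turned into a lightweight static triage score for Python files found on an endpoint. The scanner below is an added example written for this article and is not the analysts' tooling; the two script texts it inspects are constructed mocks that carry only the markers, and the marker weights and the review threshold are assumptions to be calibrated.

```python
import re

# Constructed mock of a script's text (not the real whatsz.py): only the
# markers reported in the analysis, with no functional logic behind them.
SUSPECT_SCRIPT = '''# Versao Python Convertido de PowerShell
# version optimized with errors handling
from selenium import webdriver
DRIVER_PATH = "chromedriver.exe"
LIBRARY = "wa-js"
print("✅ sessao pronta")
'''

# Constructed benign script that also uses prints and imports.
BENIGN_SCRIPT = '''"""Nightly report generator."""
import csv


def main():
    with open("report.csv") as fh:
        return sum(1 for _ in csv.reader(fh))
'''

# Miscellaneous Symbols, Dingbats and the emoji blocks.
EMOJI = re.compile("[\u2600-\u27BF\U0001F300-\U0001FAFF]")

# Marker name -> (pattern, weight). Weights are assumptions: the two
# translation artifacts are rare in legitimate code, so they count most.
MARKERS = {
    "ps-port-header": (re.compile(r"Versao Python Convertido de PowerShell", re.I), 3),
    "llm-style-comment": (re.compile(r"optimized with errors handling", re.I), 2),
    "selenium-import": (re.compile(r"^\s*(from|import)\s+selenium\b", re.M), 1),
    "chromedriver-ref": (re.compile(r"chromedriver\.exe", re.I), 1),
    "wa-js-ref": (re.compile(r"\bwa-js\b", re.I), 2),
}


def triage(text):
    """Return {marker: weight} for every marker present in the script text."""
    hits = {}
    for name, (pattern, weight) in MARKERS.items():
        if pattern.search(text):
            hits[name] = weight
    # Emoji inside print() calls: the console-output trait noted in the analysis.
    if any("print(" in line and EMOJI.search(line) for line in text.splitlines()):
        hits["emoji-in-output"] = 1
    return hits


def score(text):
    """Sum the weights of all markers found."""
    return sum(triage(text).values())


def verdict(text, threshold=4):
    """Assumed threshold: one translation artifact plus any automation marker."""
    return "review" if score(text) >= threshold else "pass"


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, score(text), verdict(text), sorted(triage(text)))
```

A Selenium import or a chromedriver.exe reference on its own is normal in test automation, which is why those markers carry low weight and the scanner reports the full marker set rather than a bare score; an analyst can then see whether a hit rests on the translation artifacts or only on browser-automation tooling.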
