Water Saci Threat Actor Evolves Tactics to Deploy Banking Trojan via WhatsApp

The threat actor Water Saci is evolving its tactics, now employing a sophisticated infection chain that uses HTA files and PDFs to propagate a worm. This worm deploys a banking trojan via WhatsApp, targeting users in Brazil. The attackers have shifted from PowerShell to a Python-based variant to spread malware via WhatsApp Web. The new multi-format attack chain uses AI to convert propagation scripts, enabling Water Saci to bypass security controls, exploit user trust, and increase infection rates. Users receive messages on WhatsApp with malicious PDF or HTA attachments, which activate the infection chain and drop a banking trojan. The infection chain involves: ...

December 3, 2025 · Comfidentia