LmCast :: Stay tuned in

AI Bolsters Python Variant of Brazilian WhatsApp Attacks

Recorded: Dec. 3, 2025, 4:02 p.m.

Original

Water Saci has upgraded its self-propagating malware to compromise banks and cryptocurrency exchanges by targeting enterprise users of the popular chat app.

Elizabeth Montalbano, Contributing Writer, Dark Reading. December 3, 2025. 4 Min Read.

Attackers behind a self-propagating malware campaign targeting Brazilian financial institutions have accelerated and upgraded their activity, using artificial intelligence (AI) to spawn a Python variant with improved propagation and evasion techniques.

Water Saci, a campaign to compromise financial institutions and cryptocurrency exchanges in Latin America, has evolved into a layered attack chain delivered through WhatsApp that has likely been bolstered by AI-driven code conversion, researchers from Trend Micro revealed Wednesday. The latest attacks, which steal data and monitor user desktop activity through the malware, are designed to bypass simple pattern-based detection and to make analysis harder. The attackers achieved this by swapping their previous PowerShell propagation vector for a Python variant that "allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web," the Trend Micro researchers wrote in their post.

Water Saci Targeting Financial Institutions

The campaign's ultimate goal is to attack banking and cryptocurrency institutions with the information stolen from victims' machines. It is currently active mainly in Brazil but could spread to other Latin American countries as it evolves, the researchers said.

Water Saci overall demonstrates "a new era of cyber threats in Brazil," with attackers combining psychological tactics with advanced malware delivery that can both self-propagate and evade traditional security defenses, they said. The "Eternidade" campaign in the same country, which also aimed to steal banking credentials, shares quite a few similarities with Water Saci.

"By weaponizing familiar communication channels and employing advanced social engineering, threat actors are able to swiftly compromise victims, bypass traditional defenses, and sustain persistent banking trojan infections," the researchers wrote. "This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery and underscores the growing sophistication of cybercriminal operations in the region."

Malware Enhancement Through AI, Python

From its discovery, Trend Micro researchers identified Water Saci as an "aggressive" campaign that uses active WhatsApp sessions to automatically spread a malicious ZIP file to all contacts and groups associated with a victim's compromised account. The final payload is malware known as "Sorvepotel," which spreads across Windows systems with a message instructing recipients to open the attachment on a desktop computer, suggesting a corporate focus.

The latest variant comes armed with a multi-stage infection chain that spreads not only malicious ZIP files but a range of other formats, including HTA files and MSI installers, the researchers said. The initial entry point is a message that WhatsApp desktop users receive from a trusted (already compromised) contact.

"Some users reported that they received compressed archive files, such as ZIP files containing harmful payloads," the researchers wrote. "Others were targeted with messages encouraging them to download what appeared to be benign PDF documents, often accompanied by plausible lures like requests to update Adobe Reader for proper viewing."

It also appears that the attackers used AI tools such as large language models (LLMs) to convert their propagation scripts from PowerShell to Python, which would explain the variant's new capabilities for batch messaging, improved error handling, and enhanced console output, the researchers added.

The variant also includes Python-based automation of WhatsApp, anti-analysis measures, and persistence mechanisms that enable attackers "to maximize reach while evading detection and maintaining long-term access to compromised systems," they wrote.

Practical App Defense

With threat actors now having a raft of AI-based tools at their disposal to build complex attack campaigns, defenders need to arm themselves accordingly. In the case of Water Saci, some basic hygiene around Web application use in the enterprise goes a long way, the researchers noted.

Because the attackers use WhatsApp for initial access, Trend Micro recommended that organizations require employees to disable auto-downloads in WhatsApp, reducing accidental exposure to malicious files.

On company-managed devices, administrators should also control file transfers through personal apps such as WhatsApp, Telegram, or WeTransfer, using endpoint security or firewall policies to block or restrict them. If an organization supports BYOD, administrators should enforce strict application whitelisting or containerization to protect sensitive environments, the researchers added.

Other controls that organizations can consider against Water Saci and similar campaigns include restricting access to personal email and messaging apps on corporate devices, and using Web and email gateways with URL filtering to block known malicious command-and-control (C2) and phishing domains. If it is not already standard practice, all organizations should enforce multi-factor authentication (MFA) and session hygiene for all cloud and Web services to prevent session hijacking, the researchers added.

Read more about: DR Global Latin America

About the Author: Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. She previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City and currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Summarized

The Brazilian cybercriminal campaign dubbed Water Saci has evolved, with its operators apparently using artificial intelligence to upgrade their tooling and evade traditional security defenses. Trend Micro researchers describe the campaign as aggressively abusing active WhatsApp sessions to spread its payload, the "Sorvepotel" malware, to a victim's contacts and groups; propagation that previously relied on a PowerShell script is now handled by a Python variant. The campaign targets financial institutions and cryptocurrency exchanges in Brazil and could expand to other Latin American countries. According to the researchers, the switch from PowerShell to Python gives the attackers broader browser compatibility for their WhatsApp Web automation, an object-oriented code structure, better error handling, and faster automated delivery.

The core objective of Water Saci remains data theft and monitoring of user desktop activity, achieved through Sorvepotel. The AI angle is the apparent use of large language models to convert the propagation scripts from PowerShell to Python, which the researchers say accounts for the variant's batch messaging, improved error handling, faster automation of delivery via WhatsApp Web, and better console output. WhatsApp serves as the initial point of access, showing how a trusted communication channel can be turned into a delivery vector.

The malware’s infection chain is multi-faceted, incorporating a range of file types – ZIP archives, HTAs, and MSI installers – to maximize the chances of successful delivery. Attackers utilized sophisticated social engineering tactics, mimicking legitimate requests for updates (e.g., Adobe Reader) to deceive users into downloading malicious files. The campaign’s success highlights the growing sophistication of cybercriminal operations and the need for organizations to move beyond simple pattern-based detection.

Trend Micro researchers emphasized the “aggressive” nature of Water Saci, noting its active use of WhatsApp sessions for automated propagation and its persistent attempts to maintain access to compromised systems. The multi-stage infection chain includes advanced Python-based automation, anti-analysis measures, and robust persistence mechanisms, allowing the attackers to maximize reach while evading detection and maintaining long-term access.

Recognizing the evolving threat landscape, the researchers provided actionable advice for defenders. They recommended that organizations require employees to disable auto-downloads in WhatsApp; that administrators control file transfers through personal apps such as WhatsApp, Telegram, or WeTransfer on company-managed devices, using endpoint security or firewall policies to block or restrict them; and that organizations supporting BYOD enforce strict application whitelisting or containerization to isolate sensitive environments. They further advised restricting access to personal email and messaging apps on corporate devices, using Web and email gateways with URL filtering to block known command-and-control (C2) and phishing domains, and enforcing multi-factor authentication (MFA) and session hygiene across all cloud and Web services to prevent session hijacking. Water Saci shows how an established communication channel can become a malware delivery vector, and why controls on personal messaging apps belong in an enterprise security baseline.
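The delivery chain the article describes (the WhatsApp desktop client writes a ZIP, HTA or MSI to disk, and the user opens it) is also what a detection engineer would want to alert on alongside the preventive controls listed above. The following Python is an added example, not code from the Dark Reading article or from Trend Micro's report, and not a Water Saci signature: it correlates Sysmon-style file-create and process-create events so that a file written by a personal messaging client and later run by mshta.exe, msiexec.exe, a script host or the Python interpreter is flagged. The event field names, the process image names, the messaging-client list and every sample path are assumptions or constructed data; a real deployment would feed it Sysmon Event ID 11 and Event ID 1 records (or equivalent EDR telemetry) in the same shape.

```python
"""Flag the Water Saci delivery pattern: a messaging client (WhatsApp desktop)
drops a ZIP/HTA/MSI and that file is executed shortly afterwards.

Added example, not Trend Micro's detection content. Event shape (one
Sysmon-like dict per event), field names and all sample paths are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Delivery formats the article names, plus script types a user double-clicks
# out of an archive. Assumed list; tune to your environment.
RISKY_EXTENSIONS = {".zip", ".hta", ".msi", ".lnk", ".bat", ".ps1", ".vbs", ".exe", ".py"}
# Processes that execute those formats: mshta.exe for HTA, msiexec.exe for MSI,
# python.exe for the PowerShell-to-Python rewrite. explorer.exe is left out on
# purpose: merely opening a ZIP is not execution.
EXECUTION_HOSTS = {"mshta.exe", "msiexec.exe", "wscript.exe", "cscript.exe",
                   "powershell.exe", "cmd.exe", "python.exe", "pythonw.exe"}
# Personal messaging clients the mitigations single out. Assumed image names.
MESSAGING_CLIENTS = {"whatsapp.exe", "telegram.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    dropped_file: str
    dropper: str
    executor: str
    seconds_after_drop: int


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ext(path: str) -> str:
    return PureWindowsPath(path).suffix.lower()


def detect(events: list[dict], window_s: int = 24 * 3600) -> list[Finding]:
    """Correlate FileCreate events from a messaging client with later
    ProcessCreate events (within window_s seconds) that run the dropped file."""
    dropped: dict[tuple[str, str], tuple[int, str]] = {}  # (host, path) -> (ts, dropper)
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "FileCreate":
            if _name(ev["image"]) in MESSAGING_CLIENTS and _ext(ev["target"]) in RISKY_EXTENSIONS:
                dropped[(ev["host"], ev["target"].lower())] = (ev["ts"], _name(ev["image"]))
            continue
        if ev["type"] != "ProcessCreate":
            continue
        image = ev["image"].lower()
        cmdline = ev.get("cmdline", "").lower()
        for (host, path), (drop_ts, dropper) in dropped.items():
            if host != ev["host"] or not 0 <= ev["ts"] - drop_ts <= window_s:
                continue
            # Two ways the dropped file gets "run": an interpreter/installer takes
            # it as an argument, or the file itself becomes the new process image.
            ran_via_host = _name(image) in EXECUTION_HOSTS and path in cmdline
            ran_directly = image == path
            if ran_via_host or ran_directly:
                findings.append(Finding(host, path, dropper, _name(image), ev["ts"] - drop_ts))
    return findings


# Constructed sample telemetry (not real IOCs). Timestamps are epoch seconds.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "type": "FileCreate",
     "image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "target": r"C:\Users\ana\Downloads\Comprovante.zip"},
    {"ts": 1010, "host": "WS01", "type": "FileCreate",
     "image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "target": r"C:\Users\ana\Downloads\Atualizar_AdobeReader.hta"},
    {"ts": 1012, "host": "WS01", "type": "FileCreate",  # harmless image, ignored
     "image": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "target": r"C:\Users\ana\Downloads\foto.jpg"},
    {"ts": 1040, "host": "WS01", "type": "ProcessCreate",  # HTA lure executed
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\ana\Downloads\Atualizar_AdobeReader.hta"'},
    {"ts": 1100, "host": "WS02", "type": "ProcessCreate",  # ordinary MSI install, no prior drop
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bia\Downloads\vendor-setup.msi /qn"},
    {"ts": 2000, "host": "WS03", "type": "FileCreate",
     "image": r"C:\Users\caio\AppData\Local\WhatsApp\WhatsApp.exe",
     "target": r"C:\Users\caio\Downloads\Fatura.msi"},
    {"ts": 2090, "host": "WS03", "type": "ProcessCreate",  # dropped MSI installed
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\caio\Downloads\Fatura.msi"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.dropper} dropped {f.dropped_file}; "
              f"{f.executor} ran it {f.seconds_after_drop}s later")
```

On the constructed sample, the HTA on WS01 and the MSI on WS03 are flagged, while the msiexec run on WS02 is not, because no messaging client wrote that installer. The correlation keys on the dropped path rather than on the hash of any particular payload, so it keeps working when the attackers change file names or re-pack the archive; the cost is that files a user extracts from the ZIP to a new location before running them are not caught by this rule alone and need a second correlation step on the extraction.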