Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C

    Date: 10/28/2025

    Severity: High

    Summary

    The ongoing Water Saci campaign has added a new attack chain that uses an email-based C&C infrastructure and multi-vector persistence to make the infection harder to remove. It employs evasion checks that hinder analysis and restrict execution to the intended targets. The remote command system lets the operators pause, resume, and monitor the malware in near real time, and infected hosts are effectively enrolled in a botnet that supports coordinated actions across many endpoints. In its earlier phase, Water Saci used WhatsApp as its main infection vector: the SORVEPOTEL malware sent malicious ZIP files to every contact and group of the victim, propagating rapidly through the victim's messaging network.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true

    https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true

    adoblesecuryt.com

    intelligentopennetworkingawards.com

    vinhomeshungyentheempires.com

    lefthandsuperstructures.com

    wbdiamonds.com

    cursosgratiss.com.br

    ricardasphotography.com

    mazdafinancialsevrices.com

    miportuarios.com

    https://pastebin.com/raw/SmCz4cp8

    jornalistaaurelianoborgesmidia.com

    clhttradinglimited.com

    miportuarios.com/sisti/api.ps1

    http://aspeimoveis342235.online/

    http://saborizerefeicoes34.site/

    http://casadoconector.online/

    http://albacosmeticos.shop/

    http://motopartshonda.shop/

    http://motopartshonda.site/

    http://saborizerefeicoes34.online/

    http://albacosmeticos.online/

    Hashes (SHA-256):

    2c0dff7f8f724476dffd07b0f51ceaae9600073e927d3694d167664eec194b4d

    341252a437e7535f9ea8707e41f0ff2a775eddb16190eeb9f0c0f524214e4f3d

    fe10ce5fede53d88f8d06fbf533e1d9416b1c423c556915313fe52e9fa70dcec

    b05f07e5709dc25ec544ff64dabf54682f15cc2d34d2367102a096232fb3822a

    536864994d1916fe45824abf0276796284c3d36c0dd98c62d5a55892623a5de0

    1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645

    3ff9c9cc7cc65bef73bf75d222b8ba56728aeb4fc5e8882e82a4fab970dbe1c6

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://pastebin.com/raw/SmCz4cp8" or url like "https://pastebin.com/raw/SmCz4cp8" or siteurl like "https://pastebin.com/raw/SmCz4cp8"
    or domainname like "wbdiamonds.com" or url like "wbdiamonds.com" or siteurl like "wbdiamonds.com"
    or domainname like "lefthandsuperstructures.com" or url like "lefthandsuperstructures.com" or siteurl like "lefthandsuperstructures.com"
    or domainname like "http://casadoconector.online/" or url like "http://casadoconector.online/" or siteurl like "http://casadoconector.online/"
    or domainname like "miportuarios.com" or url like "miportuarios.com" or siteurl like "miportuarios.com"
    or domainname like "clhttradinglimited.com" or url like "clhttradinglimited.com" or siteurl like "clhttradinglimited.com"
    or domainname like "http://albacosmeticos.shop/" or url like "http://albacosmeticos.shop/" or siteurl like "http://albacosmeticos.shop/"
    or domainname like "https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true" or url like "https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true" or siteurl like "https://cld.pt/dl/download/0f58f6f3-e3bb-4cbd-a4fb-d9ddfd4e56bf/sapotransfer-640a2b919605fph/Orcamento%20para%20avalicaco%20.zip?download=true"
    or domainname like "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true" or url like "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true" or siteurl like "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true"
    or domainname like "http://motopartshonda.shop/" or url like "http://motopartshonda.shop/" or siteurl like "http://motopartshonda.shop/"
    or domainname like "ricardasphotography.com" or url like "ricardasphotography.com" or siteurl like "ricardasphotography.com"
    or domainname like "adoblesecuryt.com" or url like "adoblesecuryt.com" or siteurl like "adoblesecuryt.com"
    or domainname like "http://albacosmeticos.online/" or url like "http://albacosmeticos.online/" or siteurl like "http://albacosmeticos.online/"
    or domainname like "jornalistaaurelianoborgesmidia.com" or url like "jornalistaaurelianoborgesmidia.com" or siteurl like "jornalistaaurelianoborgesmidia.com"
    or domainname like "http://saborizerefeicoes34.site/" or url like "http://saborizerefeicoes34.site/" or siteurl like "http://saborizerefeicoes34.site/"
    or domainname like "cursosgratiss.com.br" or url like "cursosgratiss.com.br" or siteurl like "cursosgratiss.com.br"
    or domainname like "intelligentopennetworkingawards.com" or url like "intelligentopennetworkingawards.com" or siteurl like "intelligentopennetworkingawards.com"
    or domainname like "vinhomeshungyentheempires.com" or url like "vinhomeshungyentheempires.com" or siteurl like "vinhomeshungyentheempires.com"
    or domainname like "mazdafinancialsevrices.com" or url like "mazdafinancialsevrices.com" or siteurl like "mazdafinancialsevrices.com"
    or domainname like "miportuarios.com/sisti/api.ps1" or url like "miportuarios.com/sisti/api.ps1" or siteurl like "miportuarios.com/sisti/api.ps1"
    or domainname like "http://aspeimoveis342235.online/" or url like "http://aspeimoveis342235.online/" or siteurl like "http://aspeimoveis342235.online/"
    or domainname like "http://motopartshonda.site/" or url like "http://motopartshonda.site/" or siteurl like "http://motopartshonda.site/"
    or domainname like "http://saborizerefeicoes34.online/" or url like "http://saborizerefeicoes34.online/" or siteurl like "http://saborizerefeicoes34.online/"

    Detection Query 2:

    sha256hash IN ("2c0dff7f8f724476dffd07b0f51ceaae9600073e927d3694d167664eec194b4d","3ff9c9cc7cc65bef73bf75d222b8ba56728aeb4fc5e8882e82a4fab970dbe1c6","341252a437e7535f9ea8707e41f0ff2a775eddb16190eeb9f0c0f524214e4f3d","fe10ce5fede53d88f8d06fbf533e1d9416b1c423c556915313fe52e9fa70dcec","b05f07e5709dc25ec544ff64dabf54682f15cc2d34d2367102a096232fb3822a","536864994d1916fe45824abf0276796284c3d36c0dd98c62d5a55892623a5de0","1fc9dc27a7a6da52b64592e3ef6f8135ef986fc829d647ee9c12f7cea8e84645")
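    The two queries above compare each indicator string against the domainname, url and siteurl fields as-is. Several of the indicators are full URLs or domain/path strings (the cld.pt download links, miportuarios.com/sisti/api.ps1), which will never equal a bare hostname in a domainname field, and two of them sit on shared services (cld.pt, pastebin.com) where a hostname-only hit would be noise. The following is an added example, not Gurucul's or Trend Micro's code, of how to index this advisory's IOC list so that both field types match correctly: every indicator is split into its host and a scheme-less canonical form, hosts of shared services are excluded from domain-level matching (that exclusion list is an assumption of the example), hashes are compared case-insensitively, and the result is run over a handful of constructed telemetry records.

```python
"""Match the Water Saci IOCs from this advisory against sample telemetry.

Added example (not the advisory's or the vendor's code). Indicator values are
copied from the IOC list on this page (a representative subset); the telemetry
records at the bottom are constructed samples, not real incident data.
"""
from urllib.parse import urlsplit

IOC_URLS = [
    "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true",
    "https://pastebin.com/raw/SmCz4cp8",
    "adoblesecuryt.com",
    "miportuarios.com/sisti/api.ps1",
    "http://albacosmeticos.shop/",
]
IOC_SHA256 = {
    "2c0dff7f8f724476dffd07b0f51ceaae9600073e927d3694d167664eec194b4d",
    "3ff9c9cc7cc65bef73bf75d222b8ba56728aeb4fc5e8882e82a4fab970dbe1c6",
}
# Assumption of this example: these are legitimate file-transfer / paste
# services, so only the exact URL is actionable; a hostname hit alone is noise.
SHARED_HOSTS = {"cld.pt", "pastebin.com"}


def normalize(indicator: str) -> tuple[str, str]:
    """Return (host, canonical) for a URL, a bare domain, or a domain/path string.

    canonical drops the scheme, lowercases the host (urlsplit does that),
    strips a trailing slash and keeps the query, so "http://Example.shop/"
    and "example.shop" compare equal while distinct paths stay distinct.
    """
    if "://" not in indicator:
        indicator = "http://" + indicator
    parts = urlsplit(indicator.strip())
    host = parts.hostname or ""
    canonical = host + parts.path.rstrip("/")
    if parts.query:
        canonical += "?" + parts.query
    return host, canonical


def build_index(urls):
    """Split indicators into an exact-URL set and a host set for domain fields."""
    exact, hosts = set(), set()
    for ioc in urls:
        host, canonical = normalize(ioc)
        exact.add(canonical)
        if host and host not in SHARED_HOSTS:
            hosts.add(host)
    return exact, hosts


def match_record(record: dict, exact: set, hosts: set, hashes: set) -> list:
    """Return the reasons a telemetry record matches; an empty list means no hit."""
    reasons = []
    for field in ("url", "siteurl"):
        value = record.get(field)
        if not value:
            continue
        host, canonical = normalize(value)
        if canonical in exact:
            reasons.append(f"{field} equals indicator URL {canonical}")
        elif host in hosts:
            reasons.append(f"{field} host {host} is an indicator domain")
    domain = (record.get("domainname") or "").lower().rstrip(".")
    if domain in hosts:  # exact host match, not a substring match
        reasons.append(f"domainname {domain} is an indicator domain")
    digest = (record.get("sha256hash") or "").lower()
    if digest in hashes:
        reasons.append(f"sha256hash {digest[:12]}... is a known sample")
    return reasons


def scan(records, urls=IOC_URLS, hashes=IOC_SHA256) -> dict:
    """Map record id -> list of match reasons for every record that hits."""
    exact, hosts = build_index(urls)
    hits = {}
    for rec in records:
        reasons = match_record(rec, exact, hosts, hashes)
        if reasons:
            hits[rec["id"]] = reasons
    return hits


# Constructed sample telemetry (not from any real incident).
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://cld.pt/dl/download/ac23c304-aa9d-4d27-a845-272ec4de533d/sapotransfer-640a60194938b1/tadeu.ps1?download=true"},
    {"id": 2, "domainname": "cld.pt"},                   # shared host alone: no hit
    {"id": 3, "domainname": "miportuarios.com"},         # host taken from the /sisti/api.ps1 indicator
    {"id": 4, "siteurl": "http://ALBACOSMETICOS.shop"},  # case and trailing-slash differences
    {"id": 5, "sha256hash": "2C0DFF7F8F724476DFFD07B0F51CEAAE9600073E927D3694D167664EEC194B4D"},
    {"id": 6, "domainname": "notadoblesecuryt.com"},     # substring of an indicator, not the indicator: no hit
    {"id": 7, "url": "https://pastebin.com/raw/other"},  # same paste service, different paste: no hit
]

if __name__ == "__main__":
    for rid, reasons in scan(SAMPLE_RECORDS).items():
        print(rid, reasons)
```

    Records 1, 3, 4 and 5 match; 2, 6 and 7 do not. Record 6 is the case to keep in mind when porting this back to a SIEM: a `like` with wildcards on "adoblesecuryt.com" would also fire on unrelated hosts that merely contain that string, so domain fields should be compared for equality against the extracted host rather than by substring.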

    Reference:

    https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html


    Tags: Malware, Threat Actor, Water Saci, SORVEPOTEL, WhatsApp, Botnet
