Date: 12/03/2025
Severity: High
Summary
The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web. Evidence indicates they may have leveraged AI/LLM tools to convert and enhance their scripts, resulting in more efficient batch messaging and execution.
Indicators of Compromise (IOC) List
URLs/Domains:
storeshomeestusfluworkss.online
https://centrogauchodabahia123.com/altor/installer.msi
centrogauchodabahia123.com
https://centrogauchodabahia123.com/altor/whatsz.py
Hash (SHA-256): 15 file hashes, listed in full in Detection Query 2 below.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "storeshomeestusfluworkss.online" or siteurl like "storeshomeestusfluworkss.online" or url like "storeshomeestusfluworkss.online" or domainname like "https://centrogauchodabahia123.com/altor/installer.msi" or siteurl like "https://centrogauchodabahia123.com/altor/installer.msi" or url like "https://centrogauchodabahia123.com/altor/installer.msi" or domainname like "centrogauchodabahia123.com" or siteurl like "centrogauchodabahia123.com" or url like "centrogauchodabahia123.com" or domainname like "https://centrogauchodabahia123.com/altor/whatsz.py" or siteurl like "https://centrogauchodabahia123.com/altor/whatsz.py" or url like "https://centrogauchodabahia123.com/altor/whatsz.py"
Detection Query 2:
sha256hash IN ("f262434276f3fa09915479277f696585d0b0e4e72e72cbc924c658d7bb07a3ff","12f2e7e997480a3ea3150614664d6de4e6e229dacd6e8ff0ed74cd22207e753d","ec69a53fd3ff11327aa98248bf55572f4ea8c1b40a12f49f5669f3df1f598353","de07516f39845fb91d9b4f78abeb32933f39282540f8920fe6508057eedcbbea","15e8f315901ea12639665f1adb9d18a9ace1074a33d70e47ad43203eb8ebfba4","5db59a8a8c2ca54615a6079fa9035d2886c1ec2270ee508efbb0ff98c98b90be","a416cad095a6e77857f8fba4552ddc8ece41ce997b5086a4fbea5ac0fdfc4860","9b0996380c61060ed3bfec25962c56131ea0eac42c7f373216aab72fdb7b8ac7","495697717be4a80c9db9fe2dbb40c57d4811ffe5ebceb9375666066b3dda73c3","2d95769a016b397333ba90fdc2f668f883c64774a2c0aaaf6b2d942bebaee9e0","c03fecbf52c38cf363bbc4f94bbe183e394f921af756442b674f4fe5f2b2090c","6745bb11b8c692be78ec7ade285094beef907ecb3a99f475afa284ccbe7565f2","6ee5355b786282a6904806a4f55e59e9aad8067ae01b37afaf0009527e5c0205","67ad7a950257cc5920b2119539049bcea3863bb2002f7118fcef57788f7eca59","ebe37505fa162461515d50bd86cb0fd983a000d418f0be0f9098e087170909bd")
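As an added illustration that is not part of the advisory or of Gurucul's product, the following Python applies the same domain, URL and SHA-256 checks as the two queries to constructed log records, using host-suffix matching rather than substring `like` so that look-alike hosts such as `notcentrogauchodabahia123.com` do not fire. Field names mirror the queries, only one of the 15 hashes is included, and the sample records are constructed.

```python
from urllib.parse import urlparse

# IOC values copied from the advisory's IOC list above.
IOC_DOMAINS = {"storeshomeestusfluworkss.online", "centrogauchodabahia123.com"}
IOC_PATHS = {"/altor/installer.msi", "/altor/whatsz.py"}  # paths of the two URL IOCs
IOC_SHA256 = {"2d95769a016b397333ba90fdc2f668f883c64774a2c0aaaf6b2d942bebaee9e0"}  # one of the 15

def _parse(value):
    """Parse a bare domain or a full URL; bare domains get '//' so urlparse sees a netloc."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v
    return urlparse(v)

def domain_hit(value):
    """True if the host is an IOC domain or a subdomain of one (suffix match, not substring)."""
    host = (_parse(value).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_hit(value):
    """True only when both the host and the path match one of the full-URL IOCs."""
    return domain_hit(value) and _parse(value).path in IOC_PATHS

def match_record(rec):
    """Evaluate one log record (dict) against the IOCs, using the queries' field names."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        val = rec.get(field)
        if val and domain_hit(val):
            hits.append(f"{field}:domain")
        if val and url_hit(val):
            hits.append(f"{field}:url")
    # Hash comparison is case-insensitive: some sources log SHA-256 in upper case.
    if (rec.get("sha256hash") or "").strip().lower() in IOC_SHA256:
        hits.append("sha256hash")
    return hits

def scan(records):
    """Return (index, hits) for every record that matched at least one IOC."""
    results = [(i, match_record(r)) for i, r in enumerate(records)]
    return [(i, h) for i, h in results if h]

# Constructed sample records (not real telemetry): true hits, a subdomain, and two near-misses.
SAMPLE_LOGS = [
    {"url": "https://centrogauchodabahia123.com/altor/whatsz.py?x=1"},
    {"domainname": "cdn.storeshomeestusfluworkss.online"},
    {"siteurl": "http://notcentrogauchodabahia123.com/altor/installer.msi"},
    {"sha256hash": "2D95769A016B397333BA90FDC2F668F883C64774A2C0AAAF6B2D942BEBAEE9E0"},
    {"url": "https://example.org/altor/whatsz.py"},
]
```

Domain and URL hits are reported separately so that records touching the two payload paths can be triaged before generic domain contacts.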
Reference:
https://www.trendmicro.com/en_us/research/25/l/water-saci.html