WhatsApp users targeted by self-propagating malware

Antivirus firm Trend Micro has issued a warning about an ongoing malware campaign that uses compromised WhatsApp accounts to spread malicious payloads and steal financial credentials.

The campaign, dubbed Water Saci by Trend Micro, uses a specific malware strain called SORVEPOTEL. The attackers first gain control of a WhatsApp account, then send a malicious ZIP file to all the account’s contacts and groups via WhatsApp Web.

Recipients are instructed to open the ZIP file on a desktop Windows machine. Inside the archive is a .LNK (Windows shortcut) file which, when executed, launches a PowerShell script that downloads the main malware payload from attacker-controlled servers.

Propagation via WhatsApp Web

A key feature of the malware is its ability to detect if WhatsApp Web is active on the infected device. If a session is detected, the malware automatically dispatches the same malicious ZIP file through WhatsApp Web to all contacts and groups linked to the compromised account.

This automated propagation can generate a high volume of spam messages. Many infected accounts are subsequently suspended or banned by WhatsApp for violating terms of service.

Payload and credential theft

Once installed, the malware aims to steal login credentials from banking apps, cryptocurrency exchanges, and other financial services. It achieves this through several tactics:

  • Overlay phishing windows: The malware can place fake login screens (“overlays”) over real websites, tricking users into entering their credentials.
  • Keystroke logging and system monitoring: It can record keystrokes and monitor user activity to intercept entered information.
  • Exfiltration and C2 communication: The malware communicates with command-and-control (C2) servers to receive instructions and upload stolen data.
  • Persistence mechanisms: To ensure it survives reboots, it may copy itself into the Windows Startup folder or employ other persistence techniques.

Trend Micro’s telemetry suggests the campaign is regionally focused: out of 477 detected cases, 457 were located in Brazil. The targets include public service and government organizations as well as entities in manufacturing, education, technology, and construction sectors.

Initial infection vectors

While WhatsApp messaging is the main propagation route, phishing emails also appear to be used as an alternative delivery method. The ZIP attachments are often named to resemble legitimate documents (e.g., “RES-20250930_112057.zip”, “ORCAMENTO_114418.zip”) to fool victims into opening them.
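The two indicators the article gives a defender to work with are a ZIP lure that carries a .LNK shortcut launching PowerShell, and a persistence step that drops a copy into the Windows Startup folder. The following added example (not Trend Micro's tooling or anything published by the campaign's analysts) is a small triage helper that inspects a ZIP attachment for a Shell Link header and a PowerShell reference, and reuses the same shortcut check to audit the per-user Startup folder. The sample archives are constructed inline; the archive-name pattern is an assumption that generalises the two lure names quoted above and should be treated as a weak hint, not a verdict.

```python
"""Triage helper for the ZIP/.LNK lure and Startup-folder persistence described above.

Constructed example, not the analysts' tooling. It flags Shell Link (.LNK) files
inside a ZIP attachment, checks whether a shortcut references PowerShell, and
runs the same shortcut check over the user's Startup folder.
"""
import io
import os
import re
import zipfile
from pathlib import Path
from typing import List, Optional

# Shell Link header: HeaderSize 0x0000004C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK). Every .LNK file starts this way.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Assumption: the lure names quoted in the article ("RES-20250930_112057.zip",
# "ORCAMENTO_114418.zip") generalise to "<WORD>-<digits>[_<digits>].zip". Weak hint only.
LURE_NAME_RE = re.compile(r"^[A-Z]+[-_]\d{6,}(?:_\d+)?\.zip$", re.IGNORECASE)


def is_lnk(data: bytes) -> bool:
    """True if the bytes carry a genuine Shell Link header, whatever the file extension says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def lnk_invokes_powershell(data: bytes) -> bool:
    """Heuristic: a shortcut whose embedded strings mention powershell.

    LNK string data is UTF-16LE when the IsUnicode flag is set, otherwise ANSI, so
    both encodings are searched. This does not parse the LNK structures fully.
    """
    if not is_lnk(data):
        return False
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    return b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered


def triage_zip(zip_name: str, zip_bytes: bytes) -> List[str]:
    """Return findings for one ZIP attachment; an empty list means nothing was flagged."""
    findings = []
    if LURE_NAME_RE.match(zip_name):
        findings.append(f"archive name matches lure pattern: {zip_name}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info.filename)  # lure archives are small; reading fully is fine
            name = info.filename
            if name.lower().endswith(".lnk"):
                findings.append(f"shortcut file inside archive: {name}")
            elif is_lnk(payload):
                findings.append(f"LNK header behind non-.lnk extension: {name}")
            if lnk_invokes_powershell(payload):
                findings.append(f"shortcut references powershell: {name}")
    return findings


def audit_startup_folder(folder: Optional[str] = None) -> List[str]:
    """Flag shortcuts in the per-user Startup folder that reference powershell.

    Defaults to %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup on Windows;
    pass a folder explicitly elsewhere (a mounted image or a test directory).
    """
    if folder is None:
        appdata = os.environ.get("APPDATA")
        if not appdata:
            return []
        path = Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    else:
        path = Path(folder)
    if not path.is_dir():
        return []
    return [str(p) for p in sorted(path.iterdir())
            if p.is_file() and lnk_invokes_powershell(p.read_bytes())]


def build_sample_lure() -> bytes:
    """Constructed sample: a ZIP holding a decoy PDF and a shortcut that names powershell.exe."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ORCAMENTO_114418.pdf", b"%PDF-1.4 decoy")
        zf.writestr("ORCAMENTO_114418.lnk", fake_lnk)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed sample: an ordinary archive with a single document inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("relatorio.pdf", b"%PDF-1.4 real report")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("ORCAMENTO_114418.zip", build_sample_lure()),
                       ("relatorio.zip", build_benign_sample())]:
        print(name, triage_zip(name, blob) or ["clean"])
    print("startup folder:", audit_startup_folder() or ["nothing flagged"])
```

The header check matters more than the extension: a shortcut is identified by its Shell Link signature, so a renamed .LNK is still caught, while a harmless file that merely contains the word "powershell" is not flagged. On a mail gateway the `triage_zip` result would drive quarantine or a user warning; on an endpoint the Startup-folder audit gives a quick answer to the "unusual device behaviour" question the article raises.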

What users and organizations should do

  • Be wary of ZIP attachments received via WhatsApp, even from contacts you know.
  • Do not execute files on desktops unless you are certain of their legitimacy.
  • Keep antivirus/endpoint protection and systems up-to-date.
  • Monitor for unusual WhatsApp activity or device behavior.
  • Limit use of WhatsApp Web, particularly on machines handling sensitive tasks.
  • Educate users about phishing tactics and maintain strict security awareness programs.