Active Water Saci Campaign Hijacks WhatsApp Web Sessions to Spread Malware via Multi-Vector Persistence
Trend Micro details the Active Water Saci campaign, which uses malicious ZIP files and PowerShell scripts to hijack WhatsApp Web sessions, harvest contacts, and spread malware with sophisticated C&C control.

Trend Micro researchers have uncovered a sophisticated malware campaign dubbed Active Water Saci that spreads through WhatsApp Web by hijacking browser sessions and using multi-vector persistence. The infection begins when a user downloads and extracts a malicious ZIP file named Orcamento-2025*.zip, which contains an obfuscated VBS downloader. This downloader executes a PowerShell script (tadeu.ps1) directly in memory, bypassing traditional file-based detection.
The PowerShell script, which masquerades as 'WhatsApp Automation v6.0', establishes contact with a command-and-control (C&C) server at hxxps://miportuarios[.]com/sisti/config[.]php to download operational parameters. If the C&C server is unreachable, the malware falls back to hardcoded default settings, ensuring the attack proceeds regardless of network conditions. The consistent use of Portuguese in the malware suggests the threat actor is focused on Brazil.
A key technique involves hijacking WhatsApp Web sessions by copying the victim's Chrome profile data, including cookies, authentication tokens, and saved browser sessions. This allows the malware to bypass WhatsApp Web's authentication entirely, gaining immediate access to the victim's account without triggering security alerts or requiring QR code scanning. The malware then systematically harvests all WhatsApp contacts, filtering out specific number patterns, and exfiltrates the list to the C&C server.
The malware implements a sophisticated remote control system that allows attackers to pause, resume, and monitor the spreading campaign in real time. Before each contact and during message delays, the malware sends GET requests to the C&C server to check whether distribution should continue. If the server responds with 'false', the malware immediately pauses all operations; if 'true', it continues spreading. This turns the infected machines into a botnet capable of coordinated activity based on attacker commands.
For distribution, the malware converts a downloaded ZIP payload into base64 encoding and sends it through WhatsApp's messaging system with randomized filenames like 'Orcamento-202512345678.zip'. It iterates through every harvested contact, personalizing greeting messages by replacing template variables with time-based greetings and contact names. The malware also creates a temporary workspace in C:\temp, downloads the latest WhatsApp automation library (WA-JS) from GitHub, and installs the Selenium PowerShell module for automated browser tasks.
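The two behaviours described above (repeated GET polling of the config endpoint before every contact, and the Orcamento-2025*.zip lure naming) are both detectable from the network and file side. The following is an added illustration, not code from Trend Micro or the report: a small detector run over constructed proxy log lines; the log format, the one-minute window and the three-hit threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the report (domain written live, not defanged, so it matches log text);
# the proxy log format, window and threshold below are assumptions of this example.
C2_URL = "https://miportuarios.com/sisti/config.php"
LURE_NAME = re.compile(r"^Orcamento-2025\d*\.zip$", re.IGNORECASE)
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample: host-a polls the config endpoint in a burst, host-b fetches it once.
SAMPLE_LOG = """\
2025-11-05T10:00:00 host-a GET https://miportuarios.com/sisti/config.php 200
2025-11-05T10:00:07 host-a GET https://miportuarios.com/sisti/config.php 200
2025-11-05T10:00:15 host-a GET https://miportuarios.com/sisti/config.php 200
2025-11-05T10:00:21 host-a GET https://miportuarios.com/sisti/config.php 200
2025-11-05T10:01:00 host-b GET https://example.com/index.html 200
2025-11-05T10:02:00 host-b GET https://miportuarios.com/sisti/config.php 200
"""

def parse_proxy_log(text):
    """Parse 'timestamp client method url status' lines into tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, client, method, url, status = m.groups()
            events.append((datetime.fromisoformat(ts), client, method, url, int(status)))
    return events

def find_c2_pollers(events, window=timedelta(minutes=1), min_hits=3):
    """Clients that GET the config URL at least min_hits times inside one window. The malware
    asks the server before every contact whether to continue, so a burst is the signal."""
    by_client = defaultdict(list)
    for ts, client, method, url, _ in events:
        if method == "GET" and url == C2_URL:
            by_client[client].append(ts)
    flagged = set()
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                flagged.add(client)
                break
    return flagged

def is_lure_filename(name):
    """True for the 'Orcamento-2025...zip' names the campaign sends and drops."""
    return bool(LURE_NAME.match(name))
```

A single fetch of the config URL is not alerted on, since the same host may legitimately hit any URL once; the burst pattern is what distinguishes the bot's pause/resume polling.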
Trend Micro notes that this campaign demonstrates a significant evolution in social engineering attacks, combining fileless execution, browser session hijacking, and real-time C&C control. The multi-vector persistence mechanisms and fallback defaults make the malware resilient to takedowns. Users are advised to avoid downloading unexpected ZIP files from WhatsApp, even if they appear to come from known contacts, and to enable multi-factor authentication where possible.