Executive Summary
In late 2025, Brazil was struck by a sophisticated banking trojan campaign perpetrated by the threat actor Water Saci. Leveraging WhatsApp as a wormable transmission channel, attackers delivered highly obfuscated HTA and PDF payloads to users. Once opened, these files initiated a new Python-based trojan variant, enabling credential theft and fraudulent banking transactions. The attack chain also included NFC relay tactics (RelayNFC), amplifying transactional fraud by hijacking contactless payment operations. The campaign evaded detection using advanced scripting and lateral propagation, causing financial and reputational damage within the Brazilian financial sector.
This incident marks a significant escalation in multichannel malware delivery, combining social engineering, banking trojans, and NFC payment interception. It underscores the converging risk between consumer messaging apps and new payment technologies, highlighting the urgency for layered east-west and egress network protection.
Why This Matters Now
The attack highlights an urgent need for organizations to secure not only conventional endpoints but also mobile messaging channels and NFC-enabled systems. With banking trojans increasingly leveraging trusted communication apps and exploiting contactless payment infrastructures, financial institutions must adopt comprehensive, zero trust controls to curb evolving threats targeting both digital and physical transaction flows.
Attack Path Analysis
The attack began with users receiving malicious HTA and PDF files via a WhatsApp worm, enabling initial system compromise. Upon execution, the banking trojan gained a foothold and escalated privileges, allowing it to bypass user protections. The malware then moved laterally within internal cloud and network environments, seeking additional targets and persistent access. Once embedded, it established command and control using covert outbound communication channels. Sensitive banking data, credentials, and funds were exfiltrated through encrypted or obfuscated traffic to attacker-controlled infrastructure. The final impact included unauthorized financial transactions, monetary theft, and possible business disruption for the affected entities.
Kill Chain Progression
Initial Compromise
Description
Adversaries delivered malicious HTA and PDF files via WhatsApp, leveraging social engineering to trick users in Brazil into executing malware and establishing an initial presence.
Related CVEs
CVE-2025-22230
CVSS 9.8. A vulnerability in VMware products allows remote attackers to execute arbitrary code via crafted network packets.
Affected Products: VMware ESXi – 7.0.0, 6.7.0
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
- Phishing: Spearphishing Link
- Spearphishing Attachment
- Command and Scripting Interpreter: Python
- Signed Binary Proxy Execution: Mshta
- User Execution: Malicious File
- Application Layer Protocol: Web Protocols
- Access Stored Application Data
- Software Deployment Tools
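The two execution techniques above (Mshta and a Python interpreter) form a parent/child chain that endpoint telemetry can surface. The following is an added detection example written for this brief; it is not code from the report, the vendor, or the Water Saci campaign. The event schema, process IDs, paths and file names are constructed placeholders; map the fields to your EDR or Sysmon Event ID 1 records before use.

```python
"""Hunt for the Mshta -> Python execution chain over process-creation events.

Added example, not part of the original report. ProcEvent is a constructed
schema; the SAMPLE_EVENTS below are fabricated for illustration only.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that started
    cmdline: str    # command line as recorded by the sensor


# Directories a standard user can write to. An HTA or interpreter run from
# one of these is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
PYTHON_NAMES = {"python.exe", "pythonw.exe", "py.exe"}


def _base(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def _in_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def find_suspicious_chains(events):
    """Return (pid, reason) tuples for events matching the brief's techniques.

    T1218.005 = Signed Binary Proxy Execution: Mshta
    T1059.006 = Command and Scripting Interpreter: Python
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = _base(e.image)
        if name == "mshta.exe":
            # mshta pulling its payload from a user-writable path or a URL
            if _in_user_writable(e.cmdline) or "http" in e.cmdline.lower():
                alerts.append((e.pid, "T1218.005 mshta launched payload from user-writable path or URL"))
        elif name in PYTHON_NAMES:
            parent = by_pid.get(e.ppid)
            if parent is not None and _base(parent.image) == "mshta.exe":
                alerts.append((e.pid, "T1059.006 python spawned by mshta"))
            elif _in_user_writable(e.image):
                alerts.append((e.pid, "T1059.006 python interpreter running from user-writable path"))
    return alerts


# Constructed sample telemetry: one benign explorer, one HTA opened from
# Downloads that spawns a dropped interpreter, one vendor HTA, one dev use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\alice\Downloads\documento.hta"'),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe",
              r"pythonw.exe C:\Users\alice\AppData\Local\Temp\py\loader.py"),
    ProcEvent(400, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcEvent(500, 100, r"C:\Python312\python.exe", "python.exe -m pip list"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

Only the HTA opened from Downloads (pid 200) and the interpreter it spawned (pid 300) are flagged; the vendor HTA under Program Files and the developer's system Python are not. Tune USER_WRITABLE to your environment's profile and software-deployment paths before deploying this as a rule.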
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Implement Incident Response Procedures (Control ID: 12.10.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 6)
- CISA ZTMM 2.0 – Enforce Phishing-Resistant Authentication (Control ID: Pillar: Identity, Step 2.2)
- NIS2 Directive – Technical and Organisational Measures (Control ID: Article 21(2)(a))
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Banking trojan targeting Brazil creates direct risk to financial institutions through WhatsApp worm propagation, compromising customer credentials and transaction security systems.
Financial Services
Python-based banking malware threatens financial service providers with credential theft, requiring enhanced east-west traffic security and zero trust segmentation for protection.
Telecommunications
WhatsApp worm exploitation exposes telecom infrastructure to malware propagation vectors, necessitating improved egress security and threat detection capabilities for network protection.
Information Technology/IT
Sophisticated HTA and PDF attack chains targeting IT systems require enhanced multicloud visibility, inline IPS protection, and cloud native security fabric implementations.
Sources
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud: https://thehackernews.com/2025/12/brazil-hit-by-banking-trojan-spread-via.html
- More sophisticated Water Saci attack methods uncovered: https://www.scworld.com/brief/more-sophisticated-water-saci-attack-methods-uncovered
- Self-Propagating Malware Hits WhatsApp Users in Brazil: https://www.darkreading.com/cyberattacks-data-breaches/self-propagating-malware-hits-whatsapp-users-brazil
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, east-west traffic controls, egress filtering, and real-time threat detection could have isolated compromised workloads, limited malware propagation, and blocked data exfiltration. Zero Trust-driven microsegmentation and policy enforcement restrict attacker lateral movement and detect anomalous egress activities tied to banking trojans.
Control: Cloud Firewall (ACF)
Mitigation: Inbound and outbound network filtering blocks unauthorized or known-malicious traffic sources.
Control: Zero Trust Segmentation
Mitigation: Limits attacker access to privileged resources based on identity and least privilege.
Control: East-West Traffic Security
Mitigation: Internal movement between workloads is monitored and restricted to only authorized communications.
Control: Inline IPS (Suricata)
Mitigation: Malicious C2 traffic is detected and blocked in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound communication to unapproved destinations is prevented and flagged for response.
Rapid detection of fraudulent behaviors enables incident response before system-wide damage.
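The egress control above rests on one mechanism: a per-workload allowlist of destination names, with everything else denied and flagged. The following is an added example that implements that evaluation over constructed flow records; it is not the vendor's product code or any configuration from the report. The workload names, domains, ports and the `Flow` record shape are placeholders chosen for illustration.

```python
"""Egress FQDN allowlist evaluation over constructed flow records.

Added example, not code from the report or its vendor. Workload names,
domains and the SAMPLE_FLOWS are fabricated placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    workload: str   # source workload or security group
    fqdn: str       # destination name, e.g. from TLS SNI or a DNS answer
    port: int


# Per-workload allowlist. A "*." entry matches any subdomain but never the
# apex itself, so an apex that is needed must be listed explicitly.
EGRESS_POLICY = {
    "web-tier": {"cdn.example-bank.test", "*.payments.example-bank.test"},
    "batch-tier": {"*.internal.example-bank.test"},
}


def fqdn_allowed(fqdn, allowlist):
    """True if fqdn matches an exact or wildcard entry in allowlist."""
    name = fqdn.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            # Keep the leading dot so "evilpayments.example-bank.test"
            # cannot satisfy "*.payments.example-bank.test".
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


def evaluate(flows, policy=EGRESS_POLICY):
    """Split flows into (allowed, denied). A workload with no policy entry
    is default-deny; denied flows are what the control flags for response."""
    allowed, denied = [], []
    for f in flows:
        allowlist = policy.get(f.workload, set())
        (allowed if fqdn_allowed(f.fqdn, allowlist) else denied).append(f)
    return allowed, denied


def summarize_denied(denied):
    """Count denied destinations per workload so repeated attempts toward a
    single unknown name, a typical beaconing pattern, stand out in triage."""
    counts = {}
    for f in denied:
        key = (f.workload, f.fqdn)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample flows: two allowed web-tier destinations, a repeated
# unknown destination, an internal batch job, an apex the wildcard does not
# cover, and a workload with no policy at all.
SAMPLE_FLOWS = [
    Flow("web-tier", "cdn.example-bank.test", 443),
    Flow("web-tier", "api.payments.example-bank.test", 443),
    Flow("web-tier", "update-check.unknown-host.test", 443),
    Flow("web-tier", "update-check.unknown-host.test", 443),
    Flow("batch-tier", "jobs.internal.example-bank.test", 8443),
    Flow("batch-tier", "payments.example-bank.test", 443),
    Flow("legacy-vm", "files.example-bank.test", 443),
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_FLOWS)
    print(len(ok), "allowed,", len(blocked), "denied")
    for (workload, fqdn), n in summarize_denied(blocked).items():
        print(f"{workload} -> {fqdn}: {n} attempt(s)")
```

Two design points matter in practice: the default-deny branch in `evaluate` is what catches a workload nobody wrote policy for, and the wildcard comparison keeps its leading dot so a look-alike name with the allowed suffix glued to a longer label does not slip through.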
Impact at a Glance
Affected Business Functions
- Online Banking Services
- Customer Support
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of customer banking credentials and personal information due to malware infection.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to strictly limit account lateral movement post-compromise.
- Enforce egress policies with granular FQDN filtering to prevent malware C2 and data exfiltration.
- Deploy Inline IPS and continuous threat detection to rapidly identify and respond to banking trojan behaviors.
- Strengthen east-west traffic monitoring to block unauthorized internal communications.
- Regularly update endpoint and cloud workload posture controls to thwart evolving phishing and malware delivery methods.