Active Water Saci campaign spreading via WhatsApp features multi-vector persistence and sophisticated C&C

Intel Name: Active Water Saci campaign spreading via WhatsApp features multi-vector persistence and sophisticated C&C

Date of Scan: October 28, 2025

Impact: High

Summary:
The ongoing Water Saci campaign reveals a new attack chain leveraging an email-based C&C infrastructure with multi-vector persistence for enhanced resilience. It employs advanced evasion techniques to avoid analysis and limit activity to specific, intended targets. The campaign’s remote command-and-control system enables real-time actions such as pausing, resuming, and monitoring malware operations. Infected devices are effectively converted into a botnet, supporting coordinated attacks across multiple endpoints. Previously, Water Saci—using WhatsApp as its main infection vector and the SORVEPOTEL malware—spread malicious ZIP files to all contacts and groups for rapid propagation.
