Intel Name: Unraveling Water Saci’s New Multi-Format, AI-Enhanced Attacks Propagated via WhatsApp
Date of Scan: December 3, 2025
Impact: High
Summary: The Water Saci campaign in Brazil employs a heavily layered attack chain using multiple file formats—HTA, ZIP, and PDF—to evade simple detection and complicate analysis. Recently, attackers shifted from PowerShell to a Python-based propagation routine, enabling broader browser compatibility, improved error handling, and faster automated malware delivery through WhatsApp Web. Evidence indicates they may have leveraged AI/LLM tools to convert and enhance their scripts, resulting in more efficient batch messaging and execution.