Brazil today is a cybercriminal’s paradise, and the arrival of a new banking trojan known as Water Saci makes the picture more worrisome still. Detected by Microsoft as “LightBasin,” this advanced malware spreads mostly through phishing and reaches users throughout the country by hijacking popular messaging platforms such as WhatsApp. Water Saci’s campaign, which began in early November 2025, uses advanced techniques to compromise users’ banking data.
The malware uses decoy Portuguese-language sites to trick people into downloading and installing it on their devices without realizing what they are doing. Once inside, Water Saci uses a Python script to coordinate delivery of the malware. Alongside this convoluted chain, which targets specific banking sites, it circumvents traditional security protections with wildly creative methods.
Tactics and Delivery Mechanism
Water Saci’s main mode of distribution is phishing, which has proven highly effective at spreading it. The malware authors have built phishing sites that are nearly identical to real Portuguese-language banking services, and these fraudulent websites, designed to mimic popular legitimate services, trick victims into downloading the trojan.
Water Saci delivers its malicious payload by means of a Python script, which uses the Selenium browser automation tool to move within WhatsApp Web sessions. This dangerous new tactic lets attackers intercept users’ online communications, increasing the chances that they come into contact with sensitive data.
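As an added, defender-side illustration (not code from the article or from Trend Micro): a small hunting heuristic over constructed process-creation events that flags the delivery pattern described above, a Python interpreter launching a browser WebDriver or referencing WhatsApp Web. The log field names, file paths and script name are constructed assumptions.

```python
# Added example, not from the article or Trend Micro. Flags process-creation
# events consistent with a Python script driving WhatsApp Web via Selenium.
# Field names (parent/image/cmdline) and all paths are constructed assumptions.
import re

# Constructed sample events; only events 0 and 2 should be flagged.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\ana\AppData\Local\Programs\Python\python.exe",
     "image": r"C:\Users\ana\AppData\Local\Temp\chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Python311\pythonw.exe",
     "cmdline": "pythonw.exe propagar.py --url https://web.whatsapp.com/"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe -m pip install requests"},
]

# A Python interpreter as parent or image (python.exe / pythonw.exe).
PYTHON_RE = re.compile(r"\\pythonw?\.exe$", re.IGNORECASE)
# Common Selenium WebDriver binaries.
WEBDRIVER_RE = re.compile(r"\\(chromedriver|msedgedriver|geckodriver)\.exe$", re.IGNORECASE)
# Command lines that mention WhatsApp Web or Selenium explicitly.
WHATSAPP_RE = re.compile(r"web\.whatsapp\.com|selenium", re.IGNORECASE)


def classify(event):
    """Return the reasons this event matches the delivery pattern, or [] if none."""
    reasons = []
    if PYTHON_RE.search(event["parent"]) and WEBDRIVER_RE.search(event["image"]):
        reasons.append("python-spawned-webdriver")
    if PYTHON_RE.search(event["image"]) and WHATSAPP_RE.search(event["cmdline"]):
        reasons.append("python-targets-whatsapp-web")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that matches at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], why)
```

Legitimate test automation with Selenium will match the first rule as well, so treat hits as triage leads to be checked against the user and parent process, not as verdicts.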
“Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplify a layered approach that has enabled Water Saci to bypass conventional security controls,” – Trend Micro researchers.
The trojan’s capabilities go beyond those of typical banking trojans. Most notably, it scours the victim’s entire Google Chrome browsing history, looking in particular for visits to banking websites such as Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi and Bradesco. This capability lets it zero in on victims, often with chilling precision.
Comprehensive Malware Features
Water Saci offers a variety of sophisticated features built for fraud. The trojan records keystrokes and periodically takes screenshots of the victim’s activity, and it can adjust the screen resolution and simulate mouse movements and clicks. This deceptive behavior entices users into handing over their banking credentials.
Once Water Saci infects a host, it checks for a file called “executed.dat.” If it does not find this file, its processes fail. When the marker file is missing, the malware will also attempt to forcibly close other browsers, a technique that forces victims to re-enter banking credentials on sites now controlled by the attackers.
“If a TDA file is present, the AutoIt script decrypts and loads it as an intermediate PE loader (Stage 2) into memory,” – Trend Micro.
This sophisticated operational structure lets Water Saci perform various file operations, upload or download files, and create fake overlays designed to capture sensitive information such as login credentials and transaction data.
Evolving Threat Landscape
The rise of Water Saci signals a new age of cyber attacks in Brazil. Cybercriminals are increasingly leveraging the trust inherent in widely used messaging platforms such as WhatsApp to run highly effective, large-scale malware campaigns. The sophistication of this trojan foreshadows a worrying escalation in the complexity of cyber-attack strategies.
The malware uses React Native and Hermes bytecode, which makes static analysis more difficult and complicates the job of cybersecurity professionals trying to identify the threat. This obfuscation technique increases the trojan’s efficacy by orders of magnitude and helps it evade security systems that rely on classic detection techniques.
“By combining phishing-driven distribution, React Native-based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” – Trend Micro.
Water Saci’s campaign is a reminder of the dire consequences that increasingly sophisticated cyber threats pose to everyday users and financial institutions. With attackers employing multi-faceted strategies, including a potential pivot towards artificial intelligence in their operations, responding effectively requires heightened vigilance from both individuals and organizations.