relaynfc_campaign_actors

Water Saci is a threat actor targeting users in Brazil with banking malware campaigns. In the provided content, the actor is described as using a multi-layered infection chain involving HTA files and PDFs, with propagation via WhatsApp Web using a worm-like mechanism and social engineering that pressures victims to open malicious attachments from trusted WhatsApp contacts. The campaign shifted from PowerShell-based propagation to a Python-based variant using Selenium for WhatsApp Web automation. The delivered banking trojan is described as structurally similar to Casbaneiro and uses AutoIt scripts for delivery, persistence, anti-analysis, and process injection, including hollowing or injecting into svchost.exe. Reported capabilities include credential theft, system information exfiltration, keyboard and screen capture, file operations, window enumeration, fake banking overlays, browser termination to force reopening of banking sites, Registry-based persistence, anti-virtualization checks, WMI-based host profiling, and IMAP-based fallback C2. The malware specifically checks for Portuguese (Brazil) language settings and monitors for Brazilian banking, payment, and cryptocurrency platforms, including artifacts related to Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú. The content also mentions a separate previously undocumented Android malware called RelayNFC targeting Brazilian banking users via phishing and decoy Portuguese-language sites. RelayNFC is designed to conduct NFC relay attacks to steal contactless payment data, uses React Native and Hermes bytecode, and implements real-time APDU relay over WebSockets for fraudulent EMV transactions, prompting victims to tap cards and enter PINs. Based on the provided content, Water Saci is the only explicitly named threat actor; RelayNFC is described as malware, not a confirmed actor alias or subgroup.