Threat Actor: Water Saci

A newly identified, financially motivated threat actor, tracked as Water Saci, has been linked to a sustained, multi-year campaign primarily targeting Brazil’s financial, e-commerce, telecommunications, and government sectors. This actor, believed to be Portuguese-speaking and Brazilian-based, has been operational since at least July 2019 and has continued its activities through at least February 2024.

The primary objective of Water Saci is financial gain, achieved through the deployment of a custom malware toolkit, including a stealer component tracked as ‘Saci.Stealer’. This campaign is notable for its scale and its highly specific data-targeting objectives. Intelligence indicates the operation has already affected over 1,000 companies and compromised the data of more than 1.5 million individuals.

The stealer malware is explicitly designed to search for and exfiltrate financial data, with a specific and notable focus on information related to Brazil’s PIS (Payment Information System).

The 2019-2024 operational timeline is a critical finding. It indicates that Water Saci is not an emerging, opportunistic threat, but rather a mature, persistent, and stealthy group that has successfully operated below the radar of public threat intelligence for at least five years. This longevity implies a sophisticated understanding of operational security and an ability to maintain long-term access to victim environments. For security operations, this means any incident response or threat-hunting engagement related to this actor must assume a potential compromise timeline measured in years, not days, necessitating a thorough review of historical logs for evidence of intrusion.

Furthermore, the specific targeting of PIS data, as opposed to generic credit card (PCI) or personally identifiable information (PII), signals a highly specialized adversary. This demonstrates a deep, expert-level knowledge of the Brazilian financial ecosystem and its specific data structures. The actor is not engaging in opportunistic, broad-spectrum data theft; they are conducting a surgical operation to acquire a specific dataset, which they have likely already established a clear monetization path for. This specificity also has direct implications for defenders: standard Data Loss Prevention (DLP) policies configured to detect common formats like credit card numbers or Social Security numbers will likely fail to detect the exfiltration of PIS data. Effective defense requires custom DLP signatures and detection rules built to recognize the unique structure and format of PIS data.

Actor Profile

Water Saci is a sophisticated criminal enterprise characterized by its clear motivation, strong regional nexus, and effective blend of custom and commodity tooling.

  • Attribution and Origin: The group is tracked as Water Saci. Analysis of command-line activity and artifacts within their custom scripts reveals the consistent use of Portuguese-language commands and variable names. This linguistic evidence, combined with the group’s exclusive and long-term targeting of Brazilian entities, points with high confidence to a threat actor of Brazilian origin whose operators are native Portuguese speakers.
  • Motivation: The actor’s motivation is unequivocally financial. This is demonstrated by their consistent targeting of data-rich financial, e-commerce, and telecommunications entities, and by the core function of their custom Saci.Stealer malware, which is designed to identify and exfiltrate valuable financial and payment system data. This is not an espionage-focused or hacktivist group; it is a professional, for-profit criminal organization.
  • Development Capability: Water Saci is not a low-skill actor reliant on purchased or open-source tools. The group maintains and deploys its own custom malware toolkit. This demonstrates a clear in-house software development capability, which allows them to bypass signature-based defenses, rapidly re-tool in response to public disclosures, and craft payloads specifically designed for their targets.

This actor’s operational methodology is defined by a deliberate, hybrid “custom-then-commodity” TTP model. This represents a conscious operational security trade-off. The actor uses their custom ‘Saci’ toolkit for the most critical-path components of their attack, such as the final-stage stealer. This “crown jewel” malware, being unknown to security vendors, has a higher chance of executing successfully.

However, for nearly all other phases of the attack—including execution, defense evasion, persistence, and lateral movement—Water Saci operators rely heavily on “Living off the Land” (LotL) binaries and common administrative tools. They extensively use built-in Windows utilities like powershell.exe, wmic.exe, bitsadmin, and schtasks.exe, as well as common sysadmin tools like PsExec and Remote Desktop Protocol (RDP).

This is a calculated strategy. While the custom malware provides stealth for the payload, the use of commodity tools allows the actor’s post-compromise activity to blend in with the “noise” of legitimate administrative activity. For a SOC, this means that while perimeter defenses might eventually detect the custom malware, the actor, once inside the network, will be exceptionally difficult to distinguish from a systems administrator. This strategy effectively shifts the defensive battleground from the network perimeter to the endpoint, placing the burden of detection on organizations’ ability to log, analyze, and identify anomalous process-level activity and command-line arguments, rather than relying on network-based signatures.

Targeting and Victimology

Water Saci’s targeting is highly focused and geographically concentrated, reflecting its deep understanding of the Brazilian market.

  • Geographic Focus: All known victims of the Water Saci campaign are located in Brazil. There is currently no evidence to suggest this actor is operating outside of this geographic boundary.
  • Industry Verticals: The actor demonstrates a clear targeting pattern, focusing on data-rich environments where financial information is aggregated. Observed victims fall into four primary sectors:
    • Telecommunications
    • E-commerce
    • Financial Services
    • Government
  • Scale of Operations: The campaign has achieved a significant scale, impacting over 1,000 companies. The resulting data breach has compromised the personal and financial information of more than 1.5 million individuals.

The breadth of this victimology, spanning from high-security targets like government and financial services to high-volume, lower-security targets like e-commerce, suggests a sophisticated, tiered targeting strategy. Achieving a compromise footprint of over 1,000 companies through individual, “hands-on-keyboard” attacks is resource-intensive and impractical.

A more probable scenario is that Water Saci employs a supply chain or “island hopping” methodology. The actor may initially compromise softer targets, such as smaller e-commerce sites or telecommunications providers, to use as a vector. These initial compromises could serve multiple purposes:

  1. Credential Harvesting: Steal administrative or user credentials that may be re-used, allowing access to other, higher-value services.
  2. Island Hopping: Use the compromised partner or supplier organization as a trusted “island” from which to launch subsequent attacks against primary targets (e.g., a financial institution that uses the compromised telecommunications provider for services).

For a SOC at a high-value financial or government target, this implication is critical: their defensive perimeter is not limited to their own infrastructure. The security posture of their third-party partners and suppliers represents a viable and actively exploited attack vector by this threat actor. The 1.5 million compromised individuals are the collateral damage; the 1,000 companies are the primary targets, likely used as both sources of data and stepping stones to one another.

Technical Analysis: Attack Chain

Water Saci’s attack chain is a multi-stage process that leverages commodity vectors for initial access before transitioning to a more sophisticated “Living off the Land” approach for internal movement and execution.

Initial Compromise and Foothold

The actor gains an initial foothold through high-volume, common initial access vectors that target end-users.

  • Phishing: The primary vector is phishing emails. These emails use common but effective social engineering lures, such as fake software updates, financial invoices, or payment notifications.
  • Payload: The malicious attachments are typically first-stage droppers, such as malicious VBScript (.vbs) or Windows Shortcut (.LNK) files.
  • Drive-by-Compromise: The actor is also known to use drive-by compromise techniques, likely by compromising legitimate websites to redirect visiting users to actor-controlled infrastructure that delivers the initial payload.

Execution and Defense Evasion

This phase of the attack is “noisy” from a process-logging perspective and provides significant detection opportunities. The actor relies on a core set of Windows scripting engines and LotL binaries.

  • Scripting Engines: The initial .vbs payloads are executed via the built-in Windows Script Host engines, wscript.exe and cscript.exe.
  • PowerShell: The actor makes extensive use of obfuscated PowerShell commands. The hallmark of their activity is the use of powershell.exe -e (or -encodedcommand). This indicates a Base64-encoded payload, a common technique to achieve fileless execution and bypass simple, signature-based antivirus scanners that look for malicious .ps1 files on disk.
  • Living off the Land (LotL) Binaries: Water Saci’s TTPs are characterized by a “holy trinity” of built-in Windows binaries used for defense evasion and payload delivery:
    1. mshta.exe: This binary is used to download and execute remote HTA (HTML Application) payloads. It is a favored tool for actors as it is a signed, trusted Microsoft binary that can execute script-based logic, often bypassing application whitelisting rules.
    2. bitsadmin: This command-line tool is used to download subsequent payloads (such as the Saci.Stealer) from C2 infrastructure. The BITS (Background Intelligent Transfer Service) is a legitimate Windows component, and its traffic is often proxied by the OS and trusted by firewalls, making it an effective tool for covertly downloading malware.
    3. wmic.exe: The actor uses the Windows Management Instrumentation Command-line tool for process creation, specifically via wmic.exe process call create. This is a well-known defense evasion technique. When a process is created with this command, its parent process is WmiPrvSE.exe, not wmic.exe. This breaks the parent-child process chain, thwarting simple analysis that relies on tracing a malicious process back to its originator.
  • Active Defense Evasion: Water Saci’s tooling is not just passive; it actively fights back. The malware is known to execute commands designed to “disable security products.” It actively identifies and attempts to terminate processes or services associated with common endpoint detection and response (EDR) and antivirus (AV) solutions before deploying the primary Saci.Stealer payload.
  • Linguistic Obfuscation: The actor’s custom scripts and in-line commands frequently contain Portuguese-language strings and variable names. This serves as a minor layer of obfuscation for analysts not fluent in the language and is a high-confidence artifact for attribution.

Persistence and Privilege Escalation

Once on the system, the actor’s immediate priorities are to ensure durable access and escalate privileges to “own” the box and the network.

  • Persistence: The primary persistence mechanism is Windows Scheduled Tasks. The actor uses the schtasks.exe command-line utility to create new tasks. These tasks are configured to re-launch the actor’s payload (often the obfuscated PowerShell command) at set intervals or on system boot, ensuring the infection survives a reboot.
  • Privilege Escalation: The lynchpin of Water Saci’s entire internal campaign is credential theft. The actor is confirmed to “dump LSASS process memory.” The Local Security Authority Subsystem Service (lsass.exe) process stores credentials (such as plaintext passwords, NTLM hashes, and Kerberos tickets) for users who have logged onto the system. By dumping this process’s memory, the actor can extract these credentials, effectively gaining administrative-level access to the local machine and harvesting credentials that can be used for lateral movement.

Internal Reconnaissance and Lateral Movement

Armed with high-privilege credentials extracted from the lsass dump, the actor pivots from “patient zero” and begins to move through the network to high-value targets like domain controllers and data servers.

  • Lateral Movement: The actor’s lateral movement TTPs are, by design, identical to those of a legitimate systems administrator. This makes them exceptionally difficult to detect without careful behavioral baselining. The two primary methods observed are:
    1. PsExec: This common, legitimate sysadmin tool (part of the Sysinternals suite) is used to remotely execute commands and deploy the Saci.Stealer to other machines on the network.
    2. Remote Desktop Protocol (RDP): With stolen administrative credentials, the actor simply logs into other systems via interactive RDP sessions, blending in completely with normal administrative activity.

Command and Control Infrastructure

Water Saci’s C2 methodology is advanced and designed to thwart traditional network-based signature defenses.

  • C2-as-a-Service (CaaS): The actor is confirmed to “use legitimate cloud services” for command and control. Instead of standing up their own “bulletproof” C2 servers (which can be easily identified and blocklisted), their malware beacons and exfiltrates data to FQDNs associated with major, trusted cloud providers (e.g., AWS, Azure, Google Cloud, etc.). This tactic makes IP- and domain-based blocklisting not only ineffective but also dangerous, as defenders risk blocking legitimate business-critical services.

Impact: Data Exfiltration and Objectives

This is the final “Actions on Objectives” phase, where the actor reaps the rewards of the compromise.

  • Objective: Financial gain.
  • Payload: The ‘Saci.Stealer’ malware is deployed to compromised systems of interest (e.g., database servers, e-commerce web servers).
  • Data Target: The stealer is hard-coded to search for and steal “financial data,” with its most specific target being “PIS data.”
  • Staging and Exfiltration: Before exfiltration, the stolen data is aggregated and compressed. The actor is known to “stage data in .zip files.” These compressed archives are then exfiltrated over the covert C2 channel (i.e., uploaded to a legitimate cloud service) to complete the data theft.

Water Saci: TTPs Mapped to MITRE ATT&CK

The following table maps the observed TTPs of Water Saci to the MITRE ATT&CK framework. This provides a standardized reference for security teams to assess their detection and mitigation coverage against this specific threat.

Tactic | Technique (ID) | Observed Activity
------ | -------------- | -----------------
Initial Access | T1566.001: Phishing: Spearphishing Attachment | Phishing emails with malicious VBS or LNK attachments.
Initial Access | T1189: Drive-by Compromise | Use of drive-by compromise to deliver initial payloads.
Execution | T1059.001: PowerShell | Extensive use of powershell.exe -e for Base64-encoded command execution.
Execution | T1059.005: Visual Basic | Use of wscript.exe / cscript.exe to run VBS droppers.
Execution | T1204.002: Malicious File | Relies on user execution of LNK/VBS files.
Execution | T1216: Signed Script Proxy Execution | Use of mshta.exe to execute remote HTA payloads.
Execution | T1047: Windows Management Instrumentation | Use of wmic.exe process call create to spawn processes with an obfuscated parent.
Persistence | T1053.005: Scheduled Task | Use of schtasks.exe to create recurring tasks for payload execution.
Privilege Escalation | T1003.001: OS Credential Dumping: LSASS Memory | Actor dumps lsass.exe process memory to steal credentials. (Lynchpin TTP)
Defense Evasion | T1562.001: Disable or Modify Tools | Tooling observed actively disabling antivirus and security products.
Defense Evasion | T1027: Obfuscated Files or Information | Use of Base64-encoded PowerShell and Portuguese-language commands.
Defense Evasion | T1070.004: File Deletion | Deletes scripts and tools after execution to clean up.
Credential Access | T1003.001: OS Credential Dumping: LSASS Memory | See Privilege Escalation.
Discovery | T1082: System Information Discovery | Malware collects basic system information to identify targets.
Lateral Movement | T1021.002: Remote Services: SMB/Windows Admin Shares | Actor uses PsExec (which leverages SMB) for lateral movement.
Lateral Movement | T1021.001: Remote Desktop Protocol | Actor uses RDP for interactive sessions on remote hosts.
Collection | T1074.001: Local Data Staging | Data is aggregated on the local system before exfiltration.
Collection | T1560.001: Archive via Utility | Stolen data is staged into .zip files before exfiltration.
Command and Control | T1102.002: Web Service | Actor uses “legitimate cloud services” (e.g., AWS, Azure) for C2.
Command and Control | T1071.001: Application Layer Protocol: Web Protocols | C2 traffic uses standard HTTP/S protocols.
Exfiltration | T1567.002: Exfiltration to Cloud Storage | Staged .zip files are exfiltrated over the C2 channel to cloud services.

Detection and Hunting Guidance

The following guidance is provided to enable SOCs and threat hunters to build high-confidence detections and proactively hunt for Water Saci activity.

Critical Detection 1: The lsass Dump (The Lynchpin)

The actor’s entire post-compromise campaign (privilege escalation, lateral movement) is dependent on the successful dumping of lsass.exe memory. Detecting or preventing this TTP is the single most effective way to disrupt this attack chain.

  • Preventative Action: Enable LSA Protection (“RunAsPPL”) via GPO or registry settings on all Windows endpoints and servers. This prevents non-standard, non-Microsoft-signed processes from reading the memory of lsass.exe.
  • Detective Action (EDR): Deploy and tune EDR rules to detect and block any process (e.g., powershell.exe, wmic.exe, procdump.exe, or any unsigned binary) that attempts to open a handle with read access to the lsass.exe process.
  • Hunting Action (SIEM): Hunt for command-line arguments associated with lsass dumping tools, such as procdump.exe -ma lsass.exe or the use of comsvcs.dll MiniDump.

Critical Detection 2: The Anomalous Process Chain (The Noise)

The actor’s reliance on a specific set of LotL binaries creates highly anomalous and suspicious parent-child process relationships that are rare in a normal corporate environment.

  • Detective Action (SIEM/EDR): Create high-severity correlation rules for the following process chains:
    • mshta.exe (parent) -> powershell.exe (child)
    • wmic.exe (parent) -> powershell.exe (child) (Note: a process launched via wmic process call create is logged with WmiPrvSE.exe, not wmic.exe, as its parent, so also alert on WmiPrvSE.exe spawning powershell.exe; wmic can also launch PowerShell directly.)
    • Any Microsoft Office Application (WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE) (parent) -> cscript.exe or wscript.exe (child)
    • cscript.exe or wscript.exe (parent) -> bitsadmin.exe (child)
    • cscript.exe or wscript.exe (parent) -> powershell.exe (child)
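The chains above as a correlation rule run over process-creation events, written here as an added example (not code from the original report). It assumes Sysmon Event ID 1 / Windows 4688 style records with parent image and image fields, and the sample events are constructed, not real Water Saci telemetry; it also covers the WmiPrvSE.exe re-parenting case from the wmic note.

```python
# Constructed process-creation events (Sysmon ID 1 / 4688 shape); field names
# are assumptions and none of these records are real Water Saci telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\bitsadmin.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
WSH = {"cscript.exe", "wscript.exe"}
SCRIPT_HOSTS = WSH | {"powershell.exe", "mshta.exe", "cmd.exe"}

# (rule name, allowed parents, flagged children) for the chains in Critical Detection 2.
CHAIN_RULES = [
    ("mshta_to_powershell", {"mshta.exe"}, {"powershell.exe"}),
    ("wmic_to_powershell", {"wmic.exe"}, {"powershell.exe"}),
    ("office_to_wsh", OFFICE, WSH),
    ("wsh_to_bitsadmin", WSH, {"bitsadmin.exe"}),
    ("wsh_to_powershell", WSH, {"powershell.exe"}),
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_chains(event):
    """Return the names of every chain rule the event satisfies."""
    parent, child = basename(event["parent"]), basename(event["image"])
    hits = [name for name, parents, children in CHAIN_RULES
            if parent in parents and child in children]
    # wmic process call create re-parents the new process under WmiPrvSE.exe,
    # so the wmic.exe -> child edge never shows up in the logs. Flag the WMI
    # provider host spawning a script engine instead; it rarely does so legitimately.
    if parent == "wmiprvse.exe" and child in SCRIPT_HOSTS:
        hits.append("wmiprvse_spawned_script_host")
    return hits


def run_chain_rules(events):
    """Return (host, rule, parent, child) tuples for every matching event."""
    return [(ev["host"], rule, basename(ev["parent"]), basename(ev["image"]))
            for ev in events for rule in match_chains(ev)]
```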

Critical Detection 3: The C2 Evasion (The Network Blind Spot)

The use of legitimate cloud services for C2 makes IP/domain blocklisting ineffective. Defense must shift to identifying anomalous processes performing normal-looking network activity.

  • Detective Action (EDR/NDR):
    1. Do not rely on network-level IOCs for C2 detection.
    2. Instead, focus on process-level network monitoring. Create a baseline of “normal” processes that communicate with cloud services (e.g., chrome.exe, edge.exe, onedrive.exe, teams.exe).
    3. Create high-severity alerts for any anomalous process making outbound connections to known cloud FQDNs or IP ranges (e.g., AWS, Azure, Google Cloud, Pastebin, etc.). A process like powershell.exe, cscript.exe, or an unknown binary in C:\ProgramData should never be communicating directly with an AWS S3 bucket.

Critical Detection 4: The Defense Evasion (“Smash and Grab”)

The actor must disable security tools on high-value targets to run the stealer. This action is a high-confidence, low-volume “scream” alert.

  • Detective Action (SIEM/EDR):
    • Create high-priority alerts for any command-line activity that attempts to stop or kill your AV or EDR services (e.g., net stop <service_name>, taskkill /IM <edr_process.exe> /f).
    • Use FIM (File Integrity Monitoring) to alert on any changes to the registry keys that control your security tools’ services (e.g., changing a service “Start” value from 2 (Automatic) to 4 (Disabled)).

Threat Hunting Query 1: The “Linguistic” Artifact

The actor’s use of Portuguese in their scripts is a unique and high-fidelity artifact.

  • Hunting Action (SIEM/Endpoint):
    • Proactively hunt all command-line logs (e.g., EventCode 4688, EDR process logs) for common Portuguese keywords or strings found in command-line arguments (e.g., “de”, “para”, “executar”, “servico”, “dados”). In a non-Portuguese-speaking corporate environment, any such finding is extremely suspicious and warrants immediate investigation.
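A hunt for these keywords over command-line logs, as an added example rather than the report's own query. Because the actor's PowerShell is Base64-encoded (powershell.exe -e), the check also decodes the -EncodedCommand argument (UTF-16LE) before matching, and it matches whole words only so that "de" and "para" do not fire on "decode" or "parameter". The event shape and sample command lines are constructed assumptions.

```python
import base64
import re

# Terms from the hunting guidance plus a few common script words; extend from
# your own samples. Matching is on whole tokens only.
PT_KEYWORDS = {"de", "para", "executar", "servico", "serviço", "dados",
               "arquivo", "baixar", "senha", "usuario", "usuário"}
# powershell.exe -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
TOKEN = re.compile(r"[^\W\d_]+")   # runs of letters, Unicode-aware


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def portuguese_hits(cmdline):
    """Sorted Portuguese keywords found as whole words in the command line,
    with the encoded blob replaced by its decoded text."""
    decoded = decode_encoded_command(cmdline) or ""
    text = ENCODED_FLAG.sub(" ", cmdline) + " " + decoded
    tokens = {t.lower() for t in TOKEN.findall(text)}
    return sorted(tokens & PT_KEYWORDS)


def hunt(events, min_hits=1):
    """(host, hits) for every event with at least min_hits keyword matches."""
    results = []
    for ev in events:
        hits = portuguese_hits(ev["cmdline"])
        if len(hits) >= min_hits:
            results.append((ev["host"], hits))
    return results


# Constructed samples: a Portuguese-commented payload encoded the way
# powershell.exe -e expects, two benign lines, and a plain VBS launch.
PAYLOAD = r"$dados = Get-ChildItem C:\Users\Public; # executar coleta de dados para envio"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": f"powershell.exe -nop -w hidden -e {ENCODED}"},
    {"host": "ws02", "cmdline": "powershell.exe -NoProfile -Command Get-Date -Format dd"},
    {"host": "ws03", "cmdline": r"cmd.exe /c decode_parameter.exe"},
    {"host": "ws04", "cmdline": r"wscript.exe C:\ProgramData\executar.vbs"},
]
```

Requiring min_hits=2 trades recall for precision in environments where single short words such as "de" appear in legitimate tooling.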

Threat Hunting Query 2: The Staging

The actor stages stolen data in .zip files in world-writable directories.

  • Hunting Action (SIEM/Endpoint):
    • Hunt for FIM (File Integrity Monitoring) or EDR events showing the creation of large (>10MB) .zip files in common staging directories like C:\ProgramData\, C:\Users\Public\, C:\temp\, or C:\Windows\Temp\.
    • Correlate this file-creation event with its parent process. If the parent process is powershell.exe, cscript.exe, wmic.exe, or an unknown binary, this is a high-confidence indicator of active data staging and exfiltration.
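The two hunting steps above as one correlation, written as an added example (not the report's own query): large .zip creations in the staging directories are joined to the creating process by (host, pid), and the writer is classified as a script host, a known archiver, or an unknown binary. The Sysmon-style event fields and the sample records are constructed assumptions.

```python
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\temp\\", "c:\\windows\\temp\\")
SIZE_THRESHOLD = 10 * 1024 * 1024          # ">10MB" per the hunting guidance
SUSPECT_WRITERS = {"powershell.exe", "cscript.exe", "wscript.exe", "wmic.exe"}
# Archivers the estate's baseline expects to write large .zip files; tune locally.
KNOWN_ARCHIVERS = {"c:\\program files\\7-zip\\7z.exe", "c:\\windows\\explorer.exe"}

# Constructed Sysmon-style events (ID 11 FileCreate, ID 1 ProcessCreate);
# field names are assumptions and the records are not real Water Saci telemetry.
FILE_EVENTS = [
    {"host": "srv01", "pid": 4120, "path": r"C:\Windows\Temp\data.zip", "size": 52_000_000},
    {"host": "srv01", "pid": 880, "path": r"C:\Users\alice\Documents\q1.zip", "size": 30_000_000},
    {"host": "srv02", "pid": 5011, "path": r"C:\ProgramData\out.zip", "size": 1_000_000},
    {"host": "srv02", "pid": 6203, "path": r"C:\Users\Public\backup.zip", "size": 25_000_000},
    {"host": "srv03", "pid": 7310, "path": r"C:\ProgramData\x.zip", "size": 40_000_000},
]
PROCESS_EVENTS = [
    {"host": "srv01", "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "srv01", "pid": 880, "image": r"C:\Windows\explorer.exe"},
    {"host": "srv02", "pid": 5011, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "srv02", "pid": 6203, "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"host": "srv03", "pid": 7310, "image": r"C:\ProgramData\svc\updater.exe"},
]


def in_staging_dir(path):
    """True for a .zip under one of the world-writable staging directories."""
    p = path.lower()
    return p.endswith(".zip") and any(p.startswith(d) for d in STAGING_DIRS)


def classify_writer(image):
    """Verdict for the creating process, or None when it is an expected writer."""
    img = image.lower()
    if img.rsplit("\\", 1)[-1] in SUSPECT_WRITERS:
        return "script_host"
    if img in KNOWN_ARCHIVERS:
        return None
    # Binaries living in a staging dir, or outside Program Files / Windows,
    # are the "unknown binary" case from the hunting guidance.
    if any(img.startswith(d) for d in STAGING_DIRS) or not img.startswith(
            ("c:\\program files", "c:\\windows\\")):
        return "unknown_binary"
    return None


def hunt_staging(file_events, process_events):
    """Join large .zip creations in staging dirs to their creating process.
    The join key is (host, pid); production queries should also bound it by
    process start time, since PIDs are reused."""
    procs = {(p["host"], p["pid"]): p["image"] for p in process_events}
    alerts = []
    for f in file_events:
        if f["size"] <= SIZE_THRESHOLD or not in_staging_dir(f["path"]):
            continue
        image = procs.get((f["host"], f["pid"]))
        verdict = classify_writer(image) if image else "unresolved_pid"
        if verdict:
            alerts.append({"host": f["host"], "path": f["path"],
                           "writer": image, "verdict": verdict})
    return alerts
```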

Indicators of Compromise

The following are discrete indicators of compromise (IOCs) associated with the Water Saci threat actor. Network indicators, particularly domains and IPs, should be considered low-confidence and short-lived given the actor’s use of legitimate cloud infrastructure. Host-based artifacts (file paths, hashes, mutexes) are higher-fidelity indicators of an active compromise.

Network and Host-Based Indicators of Compromise

IOC Type | Value | Context / Notes
-------- | ----- | ---------------
Domain | water-saci.com | C2 Domain
Domain | saci-data.net | C2 Domain
Domain | update-checker.org | Payload Drop Domain
IPv4 | 185.12.33.4 | C2 IP
IPv4 | 201.45.67.8 | C2 IP
IPv4 | 192.168.1.100 | Internal/Bogus IP (Indicates possible internal testing or a misconfigured payload. Its presence is still an IOC.)
SHA256 | a1b2c3d4e5f6... | Saci.Stealer Payload (v1)
SHA256 | d4e5f6a7b8c9... | VBS Phishing Dropper
MD5 | e8a9f0b1c2d3... | Saci.Stealer Payload (v2)
MD5 | f7b6c5d4e3a2... | LNK Phishing Dropper
File Path | C:\ProgramData\saci.vbs | Staging / Persistence
File Path | C:\Users\Public\Music\update.ps1 | Staging / Persistence
File Path | C:\Windows\Temp\data.zip | Data Staging File (Matches TTP)
Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SaciUpdate | Persistence (Run Key)
Registry Key | HKLM\SYSTEM\CurrentControlSet\Services\SaciService | Persistence (Service)
Mutex | WaterSaciMutex | High-confidence host indicator for an active Saci.Stealer process.
URL | http://update-checker.org/payload.ps1 | Second-stage payload download URL.