Brazilian Cybercrime Group Targets Spanish-Speaking Banking Customers
A Brazilian threat actor group known as Water Saci — also tracked under the name Augmented Marauder — is conducting a financially motivated campaign against Spanish-speaking victims throughout Latin America and Spain. The operation deploys Casbaneiro, a well-established banking Trojan, using self-propagating email techniques designed to evade detection and expand rapidly across victim networks.
Brazil has earned a distinct and troubling reputation as the banking malware capital of the world. While North Korea is broadly associated with large-scale cryptocurrency theft and Israel dominates the commercial spyware market, Brazilian hackers have become prolific producers of money-stealing Trojans — generating them at a pace that consistently challenges analysts' ability to keep up.
Two Concurrent Campaigns, One Threat Group
Water Saci has been active for several years, but in recent months the group has been running two financially motivated attack campaigns simultaneously. One campaign operates over WhatsApp, is focused on Brazilian victims, and has been tracked by researchers since last year. The second, newly identified campaign uses email as its delivery vector and has a broader geographic footprint that could extend throughout Latin America and into Spain.
Cybersecurity firm BlueVoyant identified and reported on this second campaign. According to Thomas Elkins, a SOC security analyst at BlueVoyant, the group operates on a near-quarterly cycle of attack campaigns, continuously modifying its tactics.
"This threat group seems as if they have a campaign that they try to launch [roughly] every quarter, and they keep changing it, so it's pretty clear whoever this is [is] very active [and] their end goal is to get access to users' bank accounts within the Latin American region. To me, it's clear that they're going to keep ramping up." — Thomas Elkins, BlueVoyant
How the Attack Chain Works
On the surface, an Augmented Marauder phishing email appears relatively unremarkable. Every targeted victim receives a message referencing a vague, upcoming judicial summons — a social engineering lure designed to provoke concern and urgency. Victims who take the bait are directed to a website where they inadvertently download a malicious zip file.
However, multiple layers of evasion and propagation tactics are embedded throughout each stage of this chain:
- Password-protected attachments: The malicious zip file is protected with a password, lending an air of legitimacy and potentially helping it slip past secure email gateways (SEGs) that scan for malicious content.
- Randomized file names: The zip file's name is uniquely randomized for each victim, creating an obstacle for signature-based detection tools that rely on known file hashes or naming patterns.
- Self-propagation via Horabot: One of the scripts deployed later in the infection chain is a tool called Horabot, which is specifically designed to exploit the victim's own email account. Horabot harvests the victim's contact list, filters those contacts, and then sends out a fresh round of phishing emails — each containing a modified version of the judicial summons attachment locked with a new password.
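A defender-side heuristic built on the signals above (a burst of outbound mail from one mailbox, each message carrying a password-protected zip with a filename no other message uses), as an added example that is not from the article or from BlueVoyant; the log format, field names and sample records are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

def rec(ts, sender, attachment, encrypted):
    # Constructed log record; the field names are assumptions, not a real gateway format.
    return {"ts": ts, "sender": sender, "attachment": attachment, "encrypted": encrypted}

# Constructed outbound-mail sample: one mailbox sending a burst of uniquely named
# password-protected zips, one user sending a single encrypted zip, and a bulk
# sender repeating the same encrypted file (a legitimate pattern we must not flag).
SAMPLE_LOG = [
    rec("2024-05-02T09:00:05", "ana@example.com", "Qx7f2a.zip", True),
    rec("2024-05-02T09:00:09", "ana@example.com", "m3Kd81.zip", True),
    rec("2024-05-02T09:00:14", "ana@example.com", "Z0pq4v.zip", True),
    rec("2024-05-02T09:00:20", "ana@example.com", "tR9wL2.zip", True),
    rec("2024-05-02T09:01:00", "ana@example.com", "agenda.pdf", False),
    rec("2024-05-02T09:05:00", "carlos@example.com", "contrato.zip", True),
    rec("2024-05-02T09:10:00", "payroll@example.com", "nomina.zip", True),
    rec("2024-05-02T09:11:00", "payroll@example.com", "nomina.zip", True),
    rec("2024-05-02T09:12:00", "payroll@example.com", "nomina.zip", True),
]

def flag_relay_mailboxes(records, window=timedelta(minutes=10), threshold=3):
    """Return {sender: peak_count} for senders that emitted at least `threshold`
    password-protected zips with *distinct* filenames inside any span of `window`."""
    by_sender = defaultdict(list)
    for r in records:
        name = r["attachment"].lower()
        if r["encrypted"] and name.endswith(".zip"):
            by_sender[r["sender"]].append((datetime.fromisoformat(r["ts"]), name))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct names only: a repeated filename is bulk mail, not per-victim randomization.
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[sender] = max(flagged.get(sender, 0), len(names))
    return flagged

if __name__ == "__main__":
    for sender, n in flag_relay_mailboxes(SAMPLE_LOG).items():
        print(f"review mailbox {sender}: {n} distinct encrypted zips in one window")
```

A hit is a prompt to review the mailbox and quarantine its recent outbound mail, not proof of compromise; tune `window` and `threshold` against the organisation's normal encrypted-attachment volume.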
The Worm Factor: Why Self-Propagation Is So Dangerous
The self-replicating nature of this campaign provides Water Saci with several compounding advantages beyond simple speed of spread.
First, because phishing emails arrive from addresses that belong to people the recipient actually knows and trusts, targets are significantly more likely to open the attachment. Second, emails originating from legitimate, previously uncompromised accounts are far less likely to be flagged by automated email security solutions as suspicious.
Elkins highlighted another tactical benefit of the wormable architecture:
"It's pretty smart because it makes it harder to identify where the attack actually originated from."
He further noted that between the wormable emails in this campaign and the wormable WhatsApp messages used in the concurrent Brazil-focused campaign, the group is "finding new ways to automate their attack chains to not just rely on an attacker-based account." This makes it substantially harder for defenders to identify and disrupt attacker-controlled infrastructure.
Casbaneiro: The Payload at the End of the Chain
The ultimate goal of the entire infection chain is to deliver Casbaneiro, a classic banking Trojan. Once installed, Casbaneiro activates when a victim navigates to a cryptocurrency exchange or financial services website. The malware's list of targeted institutions is extensive, covering major banks operating across Central and South America — including Santander and Banco do Brasil — as well as payment and cryptocurrency platforms such as Binance.
Like many banking Trojans, Casbaneiro deploys an overlay technique — presenting a convincing fake login interface on top of the legitimate site — while simultaneously logging keystrokes to capture usernames, passwords, and any other credentials entered by the victim.
Why Banking Trojans Persist Despite Declining Effectiveness
The continued reliance on banking Trojans by Brazilian threat actors puzzles some analysts, including Elkins, given the broader shift in cybercrime toward network intrusion, data exfiltration, and ransomware.
"It's interesting that they're still hung up on banking Trojans, because a lot of time these newer threat actors are focusing on: How do we gain access to this customer's network? How do we start infiltrating [and] exfiltrating data? How can we use ransomware to get paid?" Elkins observed.
Despite being a more direct approach to financial theft, banking Trojans face increasingly effective countermeasures. As Elkins explained:
"I don't think most of the banking Trojans succeed at this point, in today's environment, because they're so easy to attack now. They're getting caught more easily. I mean, Windows Defender itself has so many different rule sets for catching AutoIT executables [like those used by Water Saci] and stopping that behavior."
Elkins noted that in much of his research, the malware rarely completes its full infection chain in customer environments. "It's usually stopped at the email stage," he said. Nevertheless, the campaigns continue — a signal that the attacks succeed with enough frequency to keep the operation economically viable for the perpetrators.
An Evolving and Persistent Threat
The combination of wormable delivery, password-protected attachments, per-victim filename randomization, and a well-tested banking Trojan payload makes Water Saci's latest campaign a notable evolution of a persistent threat. The group's apparent quarterly cadence of updated campaigns, alongside its simultaneous operation of parallel attack chains on different platforms, points to a disciplined and resourced criminal operation with no signs of slowing down.
Organizations and individuals across Latin America and Spain — particularly those using major banking and cryptocurrency platforms — should exercise heightened caution around unexpected emails referencing legal or judicial matters, especially those containing password-protected attachments.
Source: Dark Reading