Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud

The Water Saci threat actor is evolving its tactics with a sophisticated infection chain targeting Brazilian users. The campaign uses HTML Application (HTA) files and PDFs to spread via WhatsApp as a worm that deploys banking trojans. Attackers have shifted from PowerShell to Python-based variants for malware propagation. The campaign combines traditional banking trojan techniques with NFC relay fraud capabilities through RelayNFC. This represents an active, highly layered attack specifically targeting Brazil's financial sector through popular messaging platforms.