As Brazilian banks race to contain a cascade of digital intrusions, new research shows that two rapidly evolving malware families, a payment-card relay tool known as RelayNFC and a WhatsApp-propagating banking Trojan linked to the group called Water Saci, are reshaping the country’s cybercrime landscape. Their campaigns blend social engineering, real-time payment interception, and experimental use of artificial intelligence, revealing a criminal ecosystem moving with unusual speed and sophistication.
A New Front in Brazil’s Malware Wars
When Maria, a São Paulo office worker, tapped her bank card against her Android phone at the request of what she believed was a security update, nothing seemed amiss. The phone displayed a prompt asking for her PIN, a routine step, she thought. Within minutes, fraudulent charges began appearing on her account.
Her experience mirrors a pattern now surfacing across Brazil. According to recent analyses by security firms, a cluster of cybercriminal groups is deploying new malware designed not simply to steal credentials but to manipulate the architecture of contactless payments and messaging platforms themselves.
At the center of this wave is RelayNFC, an Android-based tool that intercepts real-time NFC transactions, and Water Saci, a long-running Brazilian threat actor that has recently retooled its operations to spread through WhatsApp with worm-like efficiency.
Real-Time Theft: How RelayNFC Reroutes Contactless Payments
RelayNFC distinguishes itself from earlier banking malware by exploiting the trusted ritual of tapping a card to a device. Once installed, typically through phishing sites disguised as security portals, the malware instructs victims to “scan” their own card on their phone. As soon as the NFC subsystem reads the data, the device prompts for the PIN.
What follows is a tightly choreographed relay attack. A command-and-control server pushes a specially crafted APDU message to the phone, containing encoded instructions and identifiers. The malware parses the packet and forwards it directly to the victim’s NFC hardware, effectively transforming the infected phone into a remote interface for the physical card.
Security researchers say the scheme allows attackers operating a point-of-sale emulator, often thousands of miles away, to conduct transactions “as though the card were physically present.” Investigators also found evidence that the attackers are experimenting with a partial implementation of Host Card Emulation, a technology that normally allows Android phones to act as payment cards. Though incomplete, the feature suggests an ambition to collapse even more of the payment chain into software that criminals can manipulate.
“By combining phishing-driven distribution, React Native obfuscation, and real-time APDU relaying over WebSockets, they’ve built a very effective mechanism for remote transaction fraud,” said one researcher involved in the analysis.
Water Saci’s Evolution: From Banking Trojan to WhatsApp Worm
While RelayNFC targets contactless payments, Water Saci focuses on the broader banking ecosystem and, increasingly, on the social networks that knit together Brazil’s digital life. Trend Micro researchers say Water Saci has recently adopted a multi-format attack chain based on HTML Application files, PDFs, and Python scripts. The group previously relied on PowerShell, but investigators believe the criminals may have used large language models or code-translation tools to port their propagation script to Python.
The logic appears chillingly efficient: HTA files trigger Visual Basic Scripts, which run PowerShell commands that download secondary payloads, including a customized MSI installer delivering a banking trojan. Once active, the malware spreads automatically through WhatsApp Web, sending malicious attachments to every contact visible in an open browser session.
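The launch chain just described (HTA host, then a script host, then PowerShell, then an MSI install) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from Trend Micro or from the campaign: it walks each msiexec.exe process back through its parents and flags it when mshta.exe, a script host and powershell.exe appear above it in that order, tolerating intermediate processes such as cmd.exe. The event field names and the sample process records are constructed for illustration.

```python
"""Flag an MSI installer whose ancestry walks back through PowerShell, a Windows
script host and mshta.exe (the HTA -> VBScript -> PowerShell -> MSI chain).
Added example; field names and sample events are constructed, not real telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name as logged by EDR/Sysmon (matched case-insensitively)


# Root-first chain from the article; a tuple entry means "any of these".
HTA_CHAIN = ("mshta.exe", ("wscript.exe", "cscript.exe"), "powershell.exe", "msiexec.exe")


def _step_matches(image, step):
    image = image.lower()
    return image in step if isinstance(step, tuple) else image == step


def lineage(event, by_pid, max_depth=10):
    """Child-first list of image names from `event` up through its parents."""
    names, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen and len(names) < max_depth:
        seen.add(cur.pid)
        names.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return names


def chain_in_lineage(child_first, chain=HTA_CHAIN):
    """True if every chain step appears in order going upward (gaps allowed)."""
    steps = list(reversed(chain))  # compare child-first
    i = 0
    for name in child_first:
        if i < len(steps) and _step_matches(name, steps[i]):
            i += 1
    return i == len(steps)


def find_hta_chains(events, chain=HTA_CHAIN):
    """Return (pid, 'child <- parent <- ...') for each process that ends the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _step_matches(e.image, chain[-1]):
            names = lineage(e, by_pid)
            if chain_in_lineage(names, chain):
                hits.append((e.pid, " <- ".join(names)))
    return hits


# Constructed telemetry: one clean install, one direct chain, one chain via cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(150, 100, "msiexec.exe"),    # user-launched installer: benign
    ProcEvent(200, 100, "mshta.exe"),      # HTA opened from the messaging lure
    ProcEvent(300, 200, "wscript.exe"),
    ProcEvent(400, 300, "powershell.exe"),
    ProcEvent(500, 400, "msiexec.exe"),    # should be flagged
    ProcEvent(600, 100, "mshta.exe"),
    ProcEvent(700, 600, "cscript.exe"),
    ProcEvent(750, 700, "cmd.exe"),
    ProcEvent(800, 750, "powershell.exe"),
    ProcEvent(900, 800, "msiexec.exe"),    # should be flagged despite cmd.exe in between
]

if __name__ == "__main__":
    for pid, chain_str in find_hta_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {chain_str}")
```

Matching the chain as an ordered subsequence rather than as direct parent/child pairs is deliberate: the article names the stages, not every intermediary, and a cmd.exe or conhost.exe between stages should not let the chain slip past. In production the same walk would start from a real process-ancestry source rather than the constructed list.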
Messages often come from trusted senders (friends, relatives, colleagues) whose own machines are already infected. The lure may instruct users to update Adobe Reader or resolve an account problem. With a single click, victims invite the trojan into their systems.
“This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery,” researchers said, warning that familiar communication channels may now carry threats with unprecedented reach.
Inside the Trojan: Surveillance, Persistence, and a Brazilian Focus
Once installed, Water Saci’s banking trojan turns the victim’s machine into an instrument of surveillance and manipulation. The malware scans the titles of open windows for signs that the user is interacting with financial platforms, cryptocurrency exchanges, or major Brazilian banks including Santander, Banco do Brasil, and Bradesco.
If it finds a match, the trojan springs into action: it can capture keystrokes, take screenshots, simulate mouse movements, alter screen resolution, upload and download files, and create fake banking overlays to harvest authentication data.
Behind the scenes, the tool exhibits layers of evasive engineering. It checks for antivirus products, harvests system metadata, performs anti-virtualization tests, and burrows into the Windows Registry to maintain persistence. Its fallback command-and-control channel uses IMAP, an uncommon choice that helps the malware blend into normal network activity.
The loader component, written in AutoIt, can operate in multiple stages. Depending on which auxiliary file it finds, a TDA or a DMP file, it either decrypts and injects the banking trojan through a hollowed “svchost.exe” process or loads it directly into memory, bypassing standard detection thresholds.
One telling detail underscores the local nature of the campaign: before fully activating, some components verify that the Windows system language is set to Portuguese (Brazil), suggesting the attackers intend to avoid drawing attention outside their target region.
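Two of the behaviours described in this section leave host-level traces a defender can check for: a hollowed svchost.exe shows up as an svchost.exe whose parent is not services.exe, and the IMAP fallback channel shows up as a connection to TCP 143 or 993 from a process that is not a mail client. The following is an added illustration, not Trend Micro's code or anything from the trojan itself: it correlates constructed process and connection records against both indicators. The allow-lists, the loader's process name (autoit3.exe is assumed) and all addresses are constructed for the example.

```python
"""Two host indicators for the Water Saci banking trojan's described behaviour:
(1) svchost.exe whose parent is not services.exe (process hollowing),
(2) IMAP (TCP 143/993) from a process outside the mail-client allow-list (fallback C2).
Added example; all records, names and allow-lists are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


IMAP_PORTS = {143, 993}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list; tune per environment
LEGIT_SVCHOST_PARENTS = {"services.exe"}            # normal parent of svchost.exe on Windows


def hollowed_svchost(procs):
    """svchost.exe instances launched by anything other than services.exe."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        parent_image = parent.image.lower() if parent else "<unknown>"
        if parent_image not in LEGIT_SVCHOST_PARENTS:
            hits.append((p.pid, parent_image))
    return hits


def imap_from_non_mail_client(procs, nets):
    """IMAP connections attributed to processes outside the mail-client allow-list."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for n in nets:
        if n.dst_port not in IMAP_PORTS:
            continue
        proc = by_pid.get(n.pid)
        image = proc.image.lower() if proc else "<unknown>"
        if image not in MAIL_CLIENTS:
            hits.append((n.pid, image, n.dst_ip, n.dst_port))
    return hits


def triage(procs, nets):
    """Run both checks; a pid that trips both is the strongest signal."""
    svc = hollowed_svchost(procs)
    imap = imap_from_non_mail_client(procs, nets)
    both = {pid for pid, _ in svc} & {h[0] for h in imap}
    return {"hollowed_svchost": svc, "imap_non_mail": imap, "both": sorted(both)}


# Constructed sample: a legitimate svchost under services.exe, a mail client using
# IMAP, and an svchost spawned by the assumed AutoIt loader that then talks IMAP.
SAMPLE_PROCS = [
    ProcEvent(4, 0, "System"),
    ProcEvent(300, 4, "wininit.exe"),
    ProcEvent(400, 300, "services.exe"),
    ProcEvent(500, 400, "svchost.exe"),   # legitimate service host
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(800, 100, "outlook.exe"),
    ProcEvent(600, 100, "autoit3.exe"),   # loader; process name is an assumption
    ProcEvent(700, 600, "svchost.exe"),   # hollowed host for the injected trojan
]
SAMPLE_NETS = [
    NetEvent(800, "192.0.2.10", 993),     # mail client: expected
    NetEvent(500, "192.0.2.20", 443),     # not IMAP
    NetEvent(700, "192.0.2.30", 993),     # fallback C2 over IMAP
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(key, value)
```

Either indicator alone produces noise (a third-party mail client missing from the allow-list, an endpoint agent that legitimately hosts its own svchost-named binary), so the example reports them separately and highlights the pids that trip both. The IMAP check is only as good as the telemetry's ability to attribute a connection to a pid; a flow-only source without process context would need the process join done elsewhere.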
A Country on Alert as Cybercrime Accelerates
The convergence of RelayNFC and Water Saci reflects broader shifts in Brazil’s cybercrime landscape. Attackers are blending social engineering, advanced technical capabilities, and opportunistic use of new tools, including AI, to accelerate their operations.
Brazil, with its widespread adoption of digital banking and contactless payments, presents a ripe environment for experimentation. The result is an escalating arms race, with criminals iterating faster than many institutions can respond.
