SORVEPOTEL Malware Spreads via WhatsApp in Brazil
Summary
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. The malware spreads through phishing messages containing malicious ZIP files, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits the trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions.
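As an added illustration (not code from the cited report), a gateway filter or an analyst triaging a saved attachment can flag the delivery pattern described above by listing a ZIP's members and reporting shortcut files. The sample archive and its file names are constructed, and the launcher extensions other than LNK are an assumption that goes beyond what the page states.

```python
import io
import zipfile
from pathlib import PurePosixPath

# The page names only LNK; the other launcher types are an assumption added
# here because they can start a script the same way when opened from an archive.
LAUNCHER_EXTS = {".lnk", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut or script launcher."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "not a readable ZIP"}]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise Windows separators so nested members are parsed correctly.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            suffixes = [s.lower() for s in path.suffixes]
            if not suffixes or suffixes[-1] not in LAUNCHER_EXTS:
                continue
            reason = f"{suffixes[-1]} file inside archive"
            # Explorer hides the .lnk extension, so "x.pdf.lnk" is displayed as "x.pdf".
            if len(suffixes) > 1:
                reason += f", disguised as {suffixes[-2]}"
            if info.flag_bits & 0x1:
                reason += ", encrypted entry (content not scannable)"
            findings.append({"member": info.filename, "reason": reason})
    return findings


def _build_sample() -> bytes:
    """Constructed sample: harmless placeholder bytes, made-up file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docs/readme.txt", b"hello")
        z.writestr("docs/statement.pdf.lnk", b"placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(_build_sample()):
        print(finding)
```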
Timeline
- 03.10.2025 15:02 · 1 article
SORVEPOTEL Malware Spreads via WhatsApp in Brazil
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
Information Snippets
- SORVEPOTEL spreads through phishing messages with malicious ZIP file attachments on WhatsApp.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The malware targets Windows systems and is designed for rapid propagation.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The campaign primarily affects Brazilian users, with 457 out of 477 infections concentrated in Brazil.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The malware uses a Windows shortcut (LNK) file to execute a PowerShell script.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The malware establishes persistence by copying itself to the Windows Startup folder.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The malware communicates with a C2 server to fetch further instructions or additional malicious components.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The malware spreads through WhatsApp Web, leading to account bans for excessive spam.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02
- The campaign impacts various sectors including government, public service, manufacturing, technology, education, and construction.
First reported: 03.10.2025 15:02 · 1 source, 1 article
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02