SORVEPOTEL self-propagating WhatsApp Web malware
Malware Activity
Summary
The SORVEPOTEL malware is rapidly spreading through WhatsApp Web on Windows systems, turning trusted chats into a spam channel and triggering account bans. It starts with phishing ZIP attachments that lead victims to a Windows LNK file and a PowerShell payload fetch. The activity is concentrated in Brazil, with observed impact across government, public service, manufacturing, technology, education, and construction.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
UAC-0247 phishing-led malware campaign targeting Ukrainian government and healthcare institutions
Campaign
First: 16.04.2026 09:20
Last: 16.04.2026 09:20
Sources 1
About this happening:
A **March-April 2026** **UAC-0247** phishing campaign targeted **Ukrainian government** and **municipal healthcare organizations**, using **malware delivery** to steal data from *...
Augmented Marauder / Water Saci multi-pronged phishing campaign targeting Latin America and Europe
Campaign
First: 01.04.2026 15:36
Last: 01.04.2026 15:36
Sources 1
About this happening:
**Water Saci** is actively evolving a **WhatsApp Web worm** in **Brazil** that uses **HTA** and **PDF** lures to deliver a **banking trojan**. The latest wave shifts from **PowerS...
Timeline
03.10.2025 15:02 2 articles · 7mo ago
SORVEPOTEL targets Brazilian WhatsApp users
Initial Disclosure
Trend Micro reports SORVEPOTEL as a self-propagating Windows malware campaign targeting Brazilian WhatsApp users through phishing ZIP attachments, a Windows LNK file, PowerShell payload retrieval, persistence in the Windows Startup folder, and WhatsApp Web propagation that can lead to account suspensions or bans.
Sources:
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02