Find notable cyber news and cases, enriched with sources, timelines, and signals.

SORVEPOTEL WhatsApp malware campaign spreads across Brazil

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 2 articles

Summary

Hide ▲

A WhatsApp malware campaign in Brazil is spreading SORVEPOTEL, a self-propagating Windows malware that uses phishing ZIP attachments and a desktop-only lure to drive execution on Windows systems. The operation is engineered for speed and propagation rather than data theft or ransomware, and it uses WhatsApp Web to automatically resend the malicious file to contacts and groups after infection. Trend Micro said 457 of 477 cases are in Brazil, with government, public service, manufacturing, technology, education, and construction sectors hit most often. Infections can also trigger account bans because the malware generates high volumes of spam.

Related Happenings

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

WhatsApp VBScript phishing campaign targeting users in multiple countries

Campaign
H score43 First: 23.06.2026 01:42 Last: 23.06.2026 01:42 Sources 1

About this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...

WhatsApp contempt motion against NSO Group

Regulatory/Legal Action
H score33 First: 09.06.2026 11:15 Last: 09.06.2026 11:15 Sources 1

About this happening: WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...

NSO Group WhatsApp spear-phishing campaign

Campaign
H score37 First: 08.06.2026 20:08 Last: 08.06.2026 20:08 Sources 1

About this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...

TA4922 expanded European phishing-and-malware campaign

Campaign
H score40 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...

Timeline

  1. 12.03.2026 19:31 3 articles · 3mo ago

    SORVEPOTEL abuses hijacked WhatsApp desktop web sessions in Brazil

    Initial Disclosure

    Threat actors are abusing previously authenticated WhatsApp chats in Brazil to deliver SORVEPOTEL through WhatsApp's desktop web version, using trusted-session access to send malicious lures that can lead to multi-stage infections and the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.

    Show sources