SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
Summary
Hide ▲
Show ▼
A WhatsApp malware campaign in Brazil is spreading SORVEPOTEL, a self-propagating Windows malware that uses phishing ZIP attachments and a desktop-only lure to drive execution on Windows systems. The operation is engineered for speed and propagation rather than data theft or ransomware, and it uses WhatsApp Web to automatically resend the malicious file to contacts and groups after infection. Trend Micro said 457 of 477 cases are in Brazil, with government, public service, manufacturing, technology, education, and construction sectors hit most often. Infections can also trigger account bans because the malware generates high volumes of spam.
Related Happenings
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript phishing campaign targeting users in multiple countries
Campaign
H score43
First: 23.06.2026 01:42
Last: 23.06.2026 01:42
Sources 1
About this happening:
An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp VBScript phishing campaign targeting users in multiple countries
CampaignAbout this happening: An **ongoing phishing campaign** is using **compromised WhatsApp accounts** to send **obfuscated VBScript files** to users in **multiple countries**, creating a path to **remote s...
WhatsApp contempt motion against NSO Group
Regulatory/Legal Action
H score33
First: 09.06.2026 11:15
Last: 09.06.2026 11:15
Sources 1
About this happening:
WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
WhatsApp contempt motion against NSO Group
Regulatory/Legal ActionAbout this happening: WhatsApp moved the **US court** to hold **NSO Group** in contempt over a **permanent injunction** tied to spyware targeting of users. The company says NSO violated the order by us...
NSO Group WhatsApp spear-phishing campaign
Campaign
H score37
First: 08.06.2026 20:08
Last: 08.06.2026 20:08
Sources 1
About this happening:
**NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
NSO Group WhatsApp spear-phishing campaign
CampaignAbout this happening: **NSO Group** remains tied to a **WhatsApp** spear-phishing **campaign** that used **malicious links** to push targets to external websites outside the app. On **June 8**, WhatsAp...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Timeline
-
12.03.2026 19:31 3 articles · 3mo ago
SORVEPOTEL abuses hijacked WhatsApp desktop web sessions in Brazil
Initial DisclosureThreat actors are abusing previously authenticated WhatsApp chats in Brazil to deliver SORVEPOTEL through WhatsApp's desktop web version, using trusted-session access to send malicious lures that can lead to multi-stage infections and the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.
Show sources
- Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays — thehackernews.com — 12.03.2026 19:31
- Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays — thehackernews.com — 12.03.2026 19:31
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02