SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
Summary
A WhatsApp malware campaign in Brazil is spreading SORVEPOTEL, a self-propagating Windows malware that uses phishing ZIP attachments and a desktop-only lure to drive execution on Windows systems. The operation is engineered for speed and propagation rather than data theft or ransomware, and it uses WhatsApp Web to automatically resend the malicious file to contacts and groups after infection. Trend Micro said 457 of 477 cases are in Brazil, with government, public service, manufacturing, technology, education, and construction sectors hit most often. Infections can also trigger account bans because the malware generates high volumes of spam.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
UAC-0247 phishing-led malware campaign targeting Ukrainian government and healthcare institutions
Campaign
First: 16.04.2026 09:20
Last: 16.04.2026 09:20
Sources 1
About this happening:
A **March-April 2026** **UAC-0247** phishing campaign targeted **Ukrainian government** and **municipal healthcare organizations**, using **malware delivery** to steal data from *...
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
NoVoice Android malware hidden in Google Play apps
Malware Activity
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
Timeline
12.03.2026 19:31 3 articles · 2mo ago
SORVEPOTEL abuses hijacked WhatsApp desktop web sessions in Brazil
Initial Disclosure
Threat actors are abusing previously authenticated WhatsApp chats in Brazil to deliver SORVEPOTEL through WhatsApp's desktop web version, using trusted-session access to send malicious lures that can lead to multi-stage infections and the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth.
- Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays — thehackernews.com — 12.03.2026 19:31
- Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL — thehackernews.com — 03.10.2025 15:02