Trend Micro has uncovered SORVEPOTEL, a worm-like malware that abuses WhatsApp to spread quickly across Windows systems in Brazil. Phishing ZIP attachments lead to account bans and have hit enterprises in the government and tech sectors. Detect and block it early to avoid spam floods.

Trend Micro researchers have identified SORVEPOTEL, a self-propagating malware targeting Brazilian Windows users through WhatsApp phishing campaigns. It is designed for rapid spread rather than theft or ransomware. Victims receive convincing messages from compromised contacts carrying malicious ZIP attachments, often posing as receipts or health files, that urge the recipient to open them on a desktop, which hints at enterprise targets.

Upon extraction, the LNK file inside the ZIP runs a PowerShell script that downloads a batch payload from a C2 server (e.g., sorvetenopoate[.]com). The payload establishes persistence by copying itself to the Startup folder and connects to the C2 for instructions. If WhatsApp Web is active, it automatically sends the ZIP to all contacts and groups, flooding them with spam and triggering account bans under WhatsApp's terms.
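
As an added example (not from Trend Micro's report or this page), here is a Python triage check that a mail or file gateway could run on ZIP attachments to flag the shortcut launcher described above. The extensions beyond `.lnk`, the depth and size limits, and the sample file names are assumptions.

```python
import io
import posixpath
import zipfile

# .lnk is the launcher type described above; the other extensions are an
# assumed extension of the same policy, not taken from the report.
RISKY_EXTS = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
MAX_DEPTH = 3                  # assumed limit on nested archives
MAX_NESTED_BYTES = 20_000_000  # assumed limit on a nested archive's declared size


def risky_members(data, depth=0, prefix=""):
    """Return paths of risky entries inside ZIP bytes, following nested ZIPs."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP: nothing to report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Normalise trailing dots/spaces and case before reading the extension.
            ext = posixpath.splitext(info.filename.rstrip(". ").lower())[1]
            if ext in RISKY_EXTS:
                hits.append(path)
            elif ext == ".zip":
                encrypted = bool(info.flag_bits & 0x1)
                if depth >= MAX_DEPTH or encrypted or info.file_size > MAX_NESTED_BYTES:
                    hits.append(path + " [uninspected archive]")
                else:
                    hits += risky_members(zf.read(info), depth + 1, path + "!")
    return hits


def make_zip(entries):
    """Build a ZIP in memory from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: placeholder bytes, not real shortcut files.
BENIGN = make_zip({"recibo.pdf": b"%PDF-placeholder"})
SUSPECT = make_zip({"recibo.pdf.lnk": b"placeholder"})
NESTED = make_zip({"docs/inner.zip": SUSPECT, "leia.txt": b"ok"})
```

A non-empty result is a reason to quarantine the attachment before it reaches a desktop where WhatsApp Web may be signed in.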

Of 477 infections, 457 were in Brazil, affecting the government, public services, manufacturing, tech, education, and construction sectors. The malware is also distributed through emails sent from spoofed legitimate addresses. The campaign exploits the trust users place in WhatsApp to propagate at large scale with minimal user interaction, underscoring the risk that communication apps pose as a malware delivery channel.

