
SORVEPOTEL Malware Alert: WhatsApp Exploited in Aggressive, Self-Propagating Windows Campaign

6th October 2025, Kathmandu

A highly aggressive and self-propagating malware campaign, dubbed SORVEPOTEL, is exploiting the trusted communication channel of WhatsApp to rapidly infiltrate and compromise Windows systems.


While its epicenter is overwhelmingly in Brazil, primarily targeting government and public service organizations, the nature of its spread makes it a global concern for any organization using WhatsApp Web.

Unlike typical cyberattacks focused on data exfiltration or ransomware, SORVEPOTEL is engineered for maximum spread. It leverages social trust and automation, turning a victim’s compromised WhatsApp account into a weapon to infect their entire contact list.

Key Infection Details and Attack Vector

The infection begins with a convincing social engineering attack:

Initial Vector: WhatsApp (Primary) & Email (Secondary): A user receives a phishing message on WhatsApp from a contact whose account has already been compromised (a colleague or friend).

The Lure: The message, often in Portuguese, urges the recipient to “baixa o zip no PC e abre” (download the ZIP on PC and open it).

The accompanying ZIP archive is named to resemble legitimate documents, such as budgets, health receipts, or official resolutions. Email phishing is also used, distributing similar ZIPs with names mimicking bank statements.

The Payload Delivery: Inside the ZIP is a malicious Windows shortcut (.LNK) file. When executed, this seemingly harmless shortcut surreptitiously launches a command-line script.

A plain LNK file is used for this stage because such shortcuts tend to slip past basic antivirus detection.

Malware Download: The script downloads the main payload from attacker-controlled domains—many of which are typo-squatted URLs (like sorvetenopoate[.]com), cleverly mimicking the innocuous Portuguese phrase “sorvete no pote” (ice cream in a cup).

Persistence and Rapid Self-Propagation

Once the primary payload (a batch script) is on the system, SORVEPOTEL ensures a persistent threat:

Persistence: The batch script copies itself into the Windows Startup folder, guaranteeing execution every time the system boots.

Evasion: It executes an obfuscated PowerShell command in a hidden window, using Base64 encoding to mask its true purpose and minimize forensic traces.

C&C Communication: The malware establishes continuous communication with its Command-and-Control (C&C) servers to download and execute additional in-memory payloads.

Exponential Spread (The Hallmark): The most aggressive feature of SORVEPOTEL is its automated propagation. Upon detecting an active WhatsApp Web session on the infected machine, the malware automatically redistributes the same malicious ZIP file to all contacts and groups in the victim’s address book.

This mechanism drives an exponential infection rate and frequently results in compromised accounts being suspended or banned for spamming.
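The persistence and evasion steps above (a batch file dropped into the Startup folder, then an obfuscated, Base64-encoded PowerShell command run in a hidden window) leave a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Research: it scans constructed process-creation events (field names `image`, `cmdline`, `parent` and the sample paths are assumptions made up for the example; the campaign's real PowerShell content is not reproduced, a harmless placeholder is encoded instead) and flags the two behaviours, decoding the `-EncodedCommand` payload so an analyst can see what the hidden command would have done.

```python
import base64
import re
from typing import Optional

# Hypothetical stage-2 command used only to build a realistic-looking sample event;
# it is NOT the campaign's real PowerShell content.
_PLACEHOLDER_PS = "Write-Output 'stage-2 placeholder'"
# PowerShell -EncodedCommand expects Base64 over UTF-16LE text.
_PLACEHOLDER_B64 = base64.b64encode(_PLACEHOLDER_PS.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # batch file launched from the per-user Startup folder
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'cmd.exe /c "C:\Users\ana\AppData\Roaming\Microsoft\Windows'
                   r'\Start Menu\Programs\Startup\orcamento.bat"',
        "parent": r"C:\Windows\explorer.exe",
    },
    {   # hidden-window, Base64-encoded PowerShell spawned by that batch file
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                   "-EncodedCommand " + _PLACEHOLDER_B64,
        "parent": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign noise
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe report.txt",
        "parent": r"C:\Windows\explorer.exe",
    },
]

# -WindowStyle Hidden, including the abbreviated -w hidden form.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# -EncodedCommand / -enc / -ec / -e followed by a Base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# A .bat/.cmd file referenced inside a Startup folder.
STARTUP_BAT_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"'\s]+\.(?:bat|cmd)\b", re.I)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_event(event: dict) -> list:
    """Return a list of findings for one process-creation event."""
    findings = []
    cmd = event.get("cmdline", "")
    image = event.get("image", "").lower()

    if image.endswith(("powershell.exe", "pwsh.exe")):
        enc = ENCODED_RE.search(cmd)
        if HIDDEN_RE.search(cmd) and enc:
            findings.append({
                "rule": "hidden_encoded_powershell",
                "parent": event.get("parent", ""),
                "decoded": decode_encoded_command(enc.group(1)),
            })

    startup = STARTUP_BAT_RE.search(cmd)
    if startup:
        findings.append({"rule": "batch_in_startup_folder", "path": startup.group(0)})
    return findings


def scan_events(events) -> list:
    """Scan a sequence of events and collect every finding in order."""
    out = []
    for ev in events:
        out.extend(scan_event(ev))
    return out


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Both rules fire on the constructed sample; in a real deployment the second one should additionally be weighted by parent process (a `cmd.exe` parent running out of a user-writable Startup path is far more suspicious than an administrator's console), and the decoded command is what you hand to the analyst rather than the opaque Base64 string.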

Geographical and Sector Impact

Trend Research telemetry confirms that over 95% of the detected infections originate in Brazil. While the malware has heavily impacted government and public services, it has also successfully infiltrated the manufacturing, technology, education, and construction sectors.

Critical Mitigations: Protect Your Organization

The SORVEPOTEL campaign underscores the danger of social engineering combined with messaging platform automation. Organizations must take immediate steps to mitigate this evolving threat:

Strengthen Phishing Defenses: Implement rigorous user awareness training. Employees must be extremely cautious of unexpected attachments received via WhatsApp, even from known contacts. Verify the attachment’s authenticity through an alternative, secure channel.

Endpoint Security: Ensure all Windows systems have up-to-date endpoint security solutions capable of detecting fileless and obfuscated script execution (PowerShell/Batch).

Disable/Restrict LNK Auto-Execution: Where possible, enforce security policies that disable or severely restrict the automatic execution of Windows shortcut (.LNK) files.

Monitor WhatsApp Web Behavior: IT and security teams should monitor for anomalous behavior associated with WhatsApp Web sessions, such as mass message sending or unusual traffic patterns originating from the application.

Principle of Least Privilege: Apply least-privilege principles to limit the impact of any script or malware that manages to execute on a user’s machine.
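The attachment-side mitigations above (restricting shortcut execution, treating unexpected ZIPs with suspicion) can be enforced before delivery by inspecting archives for Windows shortcut files. The following is an added example, not code from the article or from any vendor product: it opens a ZIP in memory and flags members that carry a shortcut or script extension, and also members whose bytes start with the MS-SHLLINK header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to an innocuous extension is still caught. The sample archive, its member names and the reason labels are constructed for the example; the header bytes are from the shell link file format.

```python
import io
import zipfile

# MS-SHLLINK ShellLinkHeader prefix: HeaderSize 0x0000004C + LinkCLSID
# 00021401-0000-0000-C000-000000000046 (little-endian GUID layout).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions the article's chain relies on: shortcut, batch, PowerShell script.
SUSPECT_EXT = (".lnk", ".bat", ".cmd", ".ps1")


def _constructed_sample_zip() -> bytes:
    """Build a constructed lure-style archive in memory (no real malware content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # shortcut posing as a PDF via a double extension
        zf.writestr("orcamento.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # shortcut with its extension renamed; only the header gives it away
        zf.writestr("extrato.dat", LNK_MAGIC + b"\x00" * 56)
        # harmless text file
        zf.writestr("resolucao.txt", b"texto inofensivo\n")
    return buf.getvalue()


def _constructed_clean_zip() -> bytes:
    """Archive with only benign members, to show the check does not over-fire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("recibo.txt", b"valor: 10\n")
        zf.writestr("docs/notas.csv", b"a,b\n1,2\n")
    return buf.getvalue()


def inspect_zip(data: bytes) -> list:
    """Return [{'name': member, 'reasons': [...]}, ...] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(SUSPECT_EXT):
                reasons.append("script_or_shortcut_extension")
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("lnk_header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def should_quarantine(data: bytes) -> bool:
    """Gateway decision: hold the archive if any member is flagged."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    for finding in inspect_zip(_constructed_sample_zip()):
        print(finding)
    print("quarantine:", should_quarantine(_constructed_sample_zip()))
```

The header check is the part worth keeping even if the extension list changes: a renamed shortcut still opens as a shortcut on Windows, so the extension alone is a weak signal, whereas the fixed 20-byte header is what the shell itself looks for.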

While SORVEPOTEL’s current activity focuses on infection and account bans, security experts warn that its sophisticated delivery and persistence framework could easily be repurposed for more destructive payloads, such as financial data theft, a common thread in prior Brazilian cyber campaigns.

Stay vigilant and ensure your security posture is prepared for this new generation of malware that weaponizes social trust.
