Trend™ Research is investigating a malware campaign that uses WhatsApp to infect users. The campaign, which Trend Micro has named SORVEPOTEL, is currently most active in Brazil. It is built for rapid spread and trades on social trust rather than on theft or ransomware.
Trend Micro says SORVEPOTEL weaponizes users' trust in the platform to extend its reach across Windows systems, and describes the attack as "engineered for speed and propagation" rather than for data theft or ransomware.
“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”
Once the attachment is opened, the malware spreads through the desktop version of WhatsApp, which frequently gets the infected account banned for spam. There is no evidence that the attackers have used this access to steal data or encrypt files.
Most infections (457 of 477 cases) are in Brazil, primarily affecting the government, public service, manufacturing, technology, education, and construction sectors.
The attack begins with a phishing message from a compromised WhatsApp contact, making it look credible. It includes a ZIP file that pretends to be a harmless receipt or health app.
Evidence suggests that the campaign operators have sent the ZIP files via email from legitimate-looking addresses.
If the recipient opens the attachment, they will inadvertently launch a Windows shortcut (LNK) file that executes a PowerShell script to download the main payload from an external server (e.g., sorvetenopoate[.]com).
The downloaded file is a batch script that copies itself to the Windows Startup folder for automatic launching at system start. It also executes a PowerShell command to contact a command-and-control (C2) server for more instructions or malicious components.
SORVEPOTEL mainly operates by using WhatsApp to spread. If the malware identifies active WhatsApp Web on an infected device, it sends a malicious ZIP file to all contacts and groups linked to the victim, enabling quick transmission.
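The chain described above (a ZIP carrying a Windows shortcut, then a batch script copied into the Startup folder) gives a defender two cheap checkpoints: inspect archive attachments for shortcut files before they reach a desktop, and audit Startup folders for raw scripts. The Python below is an added example, not Trend Micro's code or anything from the report. It flags archive members whose bytes begin with the Shell Link header (a .LNK file regardless of its name), members with a script extension, and members hiding behind a decoy extension, and it lists script files in a Startup folder. The archive contents, the file names and the temporary Startup folder are constructed for the demonstration; the two Windows Startup paths are the standard per-user and all-users locations.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, as laid out in MS-SHLLINK.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")

# Extensions that do not belong inside a "receipt" or "health app" ZIP.
SCRIPT_EXTS = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".exe", ".scr"}

# Decoy extensions placed in front of the real one, e.g. receipt.pdf.lnk.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a dropper."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = Path(info.filename)
            ext = name.suffix.lower()
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))  # only the header bytes
            reasons = []
            if head.startswith(LNK_MAGIC):
                reasons.append("lnk-header")        # a shortcut whatever it is called
            if ext in SCRIPT_EXTS:
                reasons.append("script-extension")
            if Path(name.stem).suffix.lower() in DECOY_EXTS:
                reasons.append("double-extension")  # receipt.pdf.lnk style naming
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def audit_startup_dir(startup_dir: Path) -> list[str]:
    """List script files in a Startup folder. Legitimate entries are almost
    always .lnk shortcuts to installed programs, so a raw .bat/.cmd/.ps1
    sitting there deserves an analyst's look."""
    script_like = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
    return sorted(p.name for p in Path(startup_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in script_like)


def windows_startup_dirs() -> list[Path]:
    """Per-user and all-users Startup folders (only meaningful on Windows)."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    return [Path(os.environ.get(var, "")) / tail for var in ("APPDATA", "PROGRAMDATA")]


def build_sample_zip() -> bytes:
    """Constructed lure: a fake receipt that is really a shortcut, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RECEIPT.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # constructed shortcut body
        zf.writestr("readme.txt", b"Obrigado pela compra")
    return buf.getvalue()


def demo_startup_audit() -> list[str]:
    """Run the Startup audit against a constructed folder, not a real system path."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "Teams.lnk").write_bytes(LNK_MAGIC)        # ordinary shortcut, ignored
        (d / "update.bat").write_text("@echo off\r\n")  # script dropped into Startup
        return audit_startup_dir(d)


if __name__ == "__main__":
    for f in suspicious_entries(build_sample_zip()):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
    print("Startup audit:", demo_startup_audit())
    if os.name == "nt":
        for d in windows_startup_dirs():
            if d.is_dir():
                print(d, audit_startup_dir(d))
```

Reading only the first twenty bytes of each member keeps the check cheap enough for a mail gateway, and matching on the header rather than the name catches a shortcut that has been renamed to look like a document. The Startup audit is deliberately narrow: it only reports file types that Windows will execute directly at logon, which is exactly what a batch-script persistence mechanism needs.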
“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.
“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”
