
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.

OPENCTI LABELS :

powershell,phishing,malware,brazil,lnk file,telegram,loader,persistence,whatsapp,c server,format,whatsapp web,water saci,bradesco,brazilian,turn,watsonclient,sorvepotel


AI COMMENTARY :

1. The threat landscape in Brazil has been shaken by a novel self-propagating malware campaign uncovered under the moniker SORVEPOTEL, which specifically targets desktop environments via WhatsApp Web. This operation diverges from usual consumer-focused attacks by deploying phishing messages carrying malicious ZIP attachments that masquerade as legitimate communications from well-known Brazilian financial institutions such as Bradesco. The cunning nature of this campaign suggests a shift toward more sophisticated enterprise-oriented phishing strategies rather than indiscriminate consumer scams.

2. The infection cycle begins when a user receives a phishing message on WhatsApp or Telegram containing a ZIP archive that holds a malicious LNK file. The lure prompts the recipient to open the attachment on a Windows desktop; doing so triggers a PowerShell script that executes a loader component. This loader establishes persistence on the compromised system and communicates with a C2 server to download additional payloads, referred to in threat intel circles as the water saci module, which is the core SORVEPOTEL malware.

3. Upon deployment of the loader, the malware applies several persistence techniques and uses a format designed to evade traditional endpoint detection systems. The PowerShell-based payload installs a secondary backdoor named watsonclient, which quietly sends reconnaissance data back to the threat actor’s C2 server. During this stage, the malware stays undetected by employing obfuscation and encrypted communication channels, making lateral movement and deeper network infiltration possible within an enterprise environment.

4. The most alarming feature of the sorvepotel campaign is its ability to autonomously propagate via WhatsApp Web. Once the system is infected, the malware hijacks the legitimate WhatsApp Web session and sends malicious links to all contacts in the address book, resulting in a rapid expansion of the attack surface. Organizations have reported massive account bans when their devices suddenly begin spamming hundreds of contacts in a short period, effectively disrupting normal business communication channels.

5. The targeted nature of this attack indicates that threat actors are focusing on higher-value enterprise networks rather than home users. By requiring the initial interaction to occur on a desktop, the campaign maximizes its potential impact on corporate networks, where encrypted data and critical applications are within reach. This enterprise focus highlights a worrying trend in threat intel where advanced persistent threats weaponize everyday collaboration tools to bypass network defenses.

6. Mitigation of this threat requires a multifaceted approach. Enterprises should implement strict email and instant messaging filters to detect and block malicious attachments, enforce application whitelisting to prevent unauthorized PowerShell execution, and deploy up-to-date endpoint detection and response solutions. Regular user awareness training about phishing tactics, especially in the context of financial lures like Bradesco, will reduce the likelihood of an initial compromise. Finally, monitoring WhatsApp Web sessions for anomalous activity and setting rate limits on outbound messages can help detect and contain self-propagating malware before it spreads across the network.
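The outbound-message rate check recommended above, as an added example that is not part of the OpenCTI report: a sliding-window detector run over constructed message-gateway log lines (the log format, the account names and the 20-recipients-per-minute threshold are all assumptions made for this example).

```python
# Added example: flag an account that suddenly sends links to many distinct
# contacts within a short window, the pattern a hijacked WhatsApp Web session
# produces when SORVEPOTEL self-propagates. Not code from the report.
from collections import deque
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample: one normal account sending a few texts, and one
    account that blasts a link to 25 distinct contacts within 25 seconds."""
    base = datetime(2025, 10, 6, 9, 0, 0)
    lines = []
    for i in range(5):  # sales01: five texts, ten minutes apart
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} sales01 -> client_{i} text")
    burst = base + timedelta(hours=1)
    for i in range(25):  # ops02: link burst, one message per second
        t = burst + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ops02 -> contact_{i:02d} link")
    return lines


def parse(line):
    """Assumed line format: '<ISO time> <sender> -> <recipient> <kind>'."""
    ts, sender, _arrow, recipient, kind = line.split()
    return datetime.fromisoformat(ts), sender, recipient, kind


def detect_bursts(lines, window=timedelta(seconds=60), max_distinct=20):
    """Return one alert (sender, burst_start, distinct_recipients) each time a
    sender reaches max_distinct distinct link recipients inside `window`.
    Only link-carrying messages count, since propagation sends links."""
    windows = {}  # sender -> deque of (timestamp, recipient) inside window
    alerts = []
    for line in sorted(lines):  # ISO-8601 timestamps sort lexically
        ts, sender, recipient, kind = parse(line)
        if kind != "link":
            continue
        q = windows.setdefault(sender, deque())
        q.append((ts, recipient))
        while q and ts - q[0][0] > window:  # drop events older than window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= max_distinct:
            alerts.append((sender, q[0][0], len(distinct)))
            q.clear()  # reset so one burst yields a single alert
    return alerts


if __name__ == "__main__":
    for sender, start, n in detect_bursts(constructed_log()):
        print(f"ALERT {sender}: {n} distinct link recipients from {start}")
```

In production the same logic would sit on a messaging gateway or proxy log rather than on WhatsApp Web itself, and the alert would feed an automatic session revoke for the affected account.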





