Red Hot Cyber


WhatsApp Alert: New Malware Spreads Like a Virus Among Contacts

Redazione RHC : 6 October 2025 08:13

Trend Micro researchers have detected a large-scale malware campaign targeting users in Brazil. It is distributed via the desktop version of WhatsApp and is characterized by a high infection rate. The malware, internally named SORVEPOTEL, does not steal or encrypt data, as spyware or ransomware typically would. Its primary goal is to replicate as quickly as possible and infect new systems.

The infection begins with a phishing message sent from a compromised WhatsApp contact. This creates the illusion of authenticity and entices the victim to open the attached ZIP file. The file is disguised as a harmless document, such as a receipt or a file supposedly related to a medical app. According to Trend Micro, in some cases a similar ZIP archive has also been distributed via email from fake but seemingly legitimate addresses.

Once the archive is opened, the user is enticed to open the Windows shortcut (LNK file) it contains. Executing the shortcut launches a PowerShell script, which contacts an external server.
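The lure described above, a ZIP that looks like a document but carries a Windows shortcut, is something a mail or chat gateway can triage before anyone opens it. The following is an added example written for this page, not Trend Micro's tooling or the campaign's code: it inspects a ZIP in memory, flags entries with a `.lnk` extension, entries whose bytes begin with the ShellLink header, and document-style double extensions such as `.pdf.lnk`. The sample archive it builds is constructed here for demonstration; the file names and the helper functions are assumptions, not indicators from the report.

```python
"""
Attachment triage: flag Windows shortcut (.lnk) entries hidden inside a ZIP.
Added example for this article; not code from Trend Micro or the campaign.
The sample archive built below is constructed, not a real sample.
"""
import io
import zipfile

# A ShellLink file starts with HeaderSize 0x4C (little-endian) followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} serialized as a GUID.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a lure typically borrows to look like a harmless document.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_zip(data: bytes) -> list[dict]:
    """Return one finding per suspicious entry: {'name': ..., 'reasons': [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            reasons = []

            # 1. The extension itself says "shortcut".
            if base.endswith(".lnk"):
                reasons.append("shortcut extension")

            # 2. The content says "shortcut" even if the name does not.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("LNK header")

            # 3. Double extension that imitates a document (e.g. receipt.pdf.lnk).
            if len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS:
                reasons.append("double extension disguised as document")

            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def is_suspicious(data: bytes) -> bool:
    """Convenience wrapper for a gateway's block/allow decision."""
    return bool(triage_zip(data))


def build_sample_zip() -> bytes:
    """Constructed lure-like archive: a document-named LNK beside a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Hypothetical file name; the body is the LNK header plus zero padding.
        zf.writestr("Receipt_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"document attached\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive containing only a plain PDF-looking file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Checking the header bytes as well as the extension matters because the extension alone is trivially renamed, while the double-extension rule catches the social-engineering trick (a name that ends in `.pdf` when viewed with known extensions hidden) even on entries that have not yet been parsed.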

The core of the entire scheme is the propagation mechanism via WhatsApp Web. If the malware detects that the web version of the messenger is active on an infected computer, it automatically sends the same ZIP file to all the user’s contacts and chat groups.

This self-propagation method via WhatsApp allows the malware to spread rapidly to new systems with virtually no human intervention.

According to Trend Micro, “this automated campaign generates a high volume of spam messages and often leads to WhatsApp blocking the compromised account for violating its terms of service.” Researchers note that the campaign’s authors appear to be interested in the scope of the infection rather than in accessing sensitive information. No evidence of data theft or file encryption was found.

Of the 477 infections reported, 457 occurred in Brazil. Those affected include government agencies, educational institutions, industry, technology, construction, and public services.

The researchers note that the phishing email is designed to be opened on a computer, which could indicate that the attack is targeting businesses rather than ordinary users.

“SORVEPOTEL demonstrates how cybercriminals are increasingly exploiting popular communication platforms, such as WhatsApp, to distribute malware quickly and widely, with minimal victim involvement,” concludes Trend Micro.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
