

Ethical Hacking News

New Self-Spreading WhatsApp Malware Threatens Global Security


Researchers at Trend Micro have identified a new self-spreading WhatsApp malware that has the potential to spread rapidly across Windows systems, compromising user trust in popular communication platforms. The attack primarily targets Brazilian users, spreading through phishing messages and requiring minimal user interaction.

  • Brazilian users are the primary target of a new self-spreading WhatsApp malware called SORVEPOTEL.
  • The malware is engineered for speed and propagation, with minimal user interaction, allowing it to spread rapidly across networks.
  • The attack operates by sending phishing messages with malicious ZIP file attachments via compromised contacts on WhatsApp.
  • The malware propagates automatically through the desktop web version of WhatsApp, causing infected accounts to be banned for excessive spamming.
  • Entities in various sectors, including government, public service, manufacturing, technology, education, and construction, are impacted by the malware.



    The threat landscape is always evolving, with new and sophisticated malicious actors emerging to challenge cybersecurity professionals worldwide. Recently, researchers at Trend Micro identified a self-spreading WhatsApp malware that has the potential to spread rapidly across Windows systems, compromising the trust that users have in popular communication platforms like WhatsApp.

    According to the recent report from Trend Micro, Brazilian users are the primary target of this new malware, which is codenamed SORVEPOTEL. The malware has been engineered for speed and propagation, with a focus on minimizing user interaction. This approach allows the threat actors to spread rapidly across networks, leveraging the trust that users have in WhatsApp.

    The malware operates by sending phishing messages with malicious ZIP file attachments via compromised contacts on WhatsApp. Once the attachment is opened, the malware propagates automatically through the desktop web version of WhatsApp, causing infected accounts to be banned for excessive spamming. The vast majority of infections are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.

    The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp, which lends it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file. This is a ruse, and there is evidence suggesting that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.

    Once the recipient falls for the trick and opens the attachment, they are lured into opening a Windows shortcut (LNK) file that silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server. The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it's automatically launched following a system start. It's also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.
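    An added example, not code from Trend Micro's report or from this article: a defender-side correlation of the two host-visible steps described above, a PowerShell launch followed by a batch script written to the Startup folder. The event field names, the command-line heuristics and the sample events are assumptions constructed for illustration, not indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# Heuristic (assumed): hidden window, encoded command, or a URL on the command line.
PS_SUSPECT = re.compile(
    r"\s-(w|win|windowstyle)\s+h|\s-(e|ec|enc|encodedcommand)\s+\S|https?://", re.I)
STARTUP_SCRIPT = re.compile(
    r"\\start menu\\programs\\startup\\[^\\]+\.(bat|cmd)$", re.I)

def stage(ev):
    """Return the chain stage an event represents, or None if unrelated."""
    if (ev["kind"] == "process" and PS_IMAGE.search(ev["image"])
            and PS_SUSPECT.search(ev["cmdline"])):
        return "ps_launch"
    if ev["kind"] == "file_create" and STARTUP_SCRIPT.search(ev["target"]):
        return "startup_drop"
    return None

def correlate(events, window=timedelta(minutes=10)):
    """Rate each Startup-folder script drop: 'high' when a suspect PowerShell
    launch preceded it on the same host within `window`, else 'review'."""
    last_ps, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = stage(ev)
        if kind == "ps_launch":
            last_ps[ev["host"]] = ev["time"]
        elif kind == "startup_drop":
            seen = last_ps.get(ev["host"])
            chained = seen is not None and ev["time"] - seen <= window
            alerts.append({"host": ev["host"], "file": ev["target"],
                           "severity": "high" if chained else "review"})
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed for illustration, not taken from the report
    {"host": "WS-01", "time": datetime(2025, 10, 3, 9, 0, 5), "kind": "process",
     "image": PS, "cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},
    {"host": "WS-01", "time": datetime(2025, 10, 3, 9, 0, 40), "kind": "file_create",
     "target": STARTUP + r"\job.bat"},
    {"host": "WS-02", "time": datetime(2025, 10, 3, 9, 5, 0), "kind": "process",
     "image": PS, "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"host": "WS-03", "time": datetime(2025, 10, 3, 11, 0, 0), "kind": "file_create",
     "target": STARTUP + r"\vpn-connect.cmd"},
]

if __name__ == "__main__":
    print(*correlate(SAMPLE_EVENTS), sep="\n")
```

    A lone Startup-folder script is rated "review" rather than ignored, since legitimate login scripts also live there and need a baseline before they can be dismissed.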

    Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim's compromised account, allowing it to spread rapidly.

    The attack results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp's terms of service. This automated spreading mechanism highlights how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.

    "It's clear that the SORVEPOTEL campaign demonstrates how threat actors are using these platforms to spread malware rapidly," said researchers at Trend Micro. "As we move forward in the fight against malware, it is essential for users and organizations alike to remain vigilant and take proactive steps to protect themselves from such threats."

    This self-spreading WhatsApp malware serves as a stark reminder of the threats that cybersecurity professionals face daily. As new technologies emerge and more sophisticated malicious actors appear, it's crucial to stay informed about emerging threats like SORVEPOTEL.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Self-Spreading-WhatsApp-Malware-Threatens-Global-Security-ehn.shtml

  • https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html


  • Published: Fri Oct 3 08:41:38 2025 by llama3.2 3B Q4_K_M












