Advisory ID: NCC-CSIRT-2025-021
Summary:
Researchers have discovered a self-propagating malware campaign called SORVEPOTEL, which spreads primarily through WhatsApp messages containing malicious ZIP attachments, and occasionally via email. Once executed, the malware can harvest sensitive data, monitor browser activity, take control of WhatsApp sessions, and automatically forward the infected ZIP file to a victim’s contacts, allowing it to spread rapidly.
The campaign has recorded hundreds of infections, with initial impact concentrated in Brazil, targeting organizations in the manufacturing, banking, education, technology, and construction sectors. Brazilian authorities warn that the malware could evolve to target sensitive government systems, raising concerns about broader regional and international implications.
Damage/Probability: Critical/High
Product(s):
- WhatsApp (Web/Desktop sessions exploited for propagation)
- Microsoft Windows endpoints (primary infection targets)
- Email clients (alternative delivery channels)
Version(s):
Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Windows desktop/laptop environments
- Corporate workstations
- Devices linked to WhatsApp Web accessed through a web browser on Windows systems.
Description:
The SORVEPOTEL malware is distributed through phishing messages sent from compromised WhatsApp accounts or emails that include ZIP attachments disguised as invoices, receipts, or forms. When opened, these files execute a .NET-based loader (e.g., Maverick.StageTwo), which installs the main payload (Maverick.Agent).
The malware establishes persistence through batch scripts and scheduled tasks, monitors browser activity for a list of financial websites, and communicates with command-and-control (C2) servers for further instructions. Critically, it abuses WhatsApp Web/Desktop sessions on infected systems to automatically send the malicious ZIP file to the victim’s contact list, enabling self-spreading propagation.
Although currently focused in Brazil, researchers caution that the malware’s modular structure could be easily adapted to target users in other regions, including West Africa. Its tactics of social engineering, data theft, and automated messaging are consistent with methods observed in regional financial and government-targeted cyber campaigns.
Impacts:
- Theft of credentials and session tokens from browsers and financial platforms.
- Rapid lateral spread through trusted WhatsApp contacts.
- Compromise of sensitive data, including government and corporate information.
- Disruption of operations and potential reputational damage.
Detection & Indicators of Compromise (IoCs):
- Unexpected WhatsApp messages from known contacts containing ZIP attachments.
- Suspicious .NET executables appearing in “Downloads” or “Temp” folders.
- New batch scripts or scheduled tasks created after ZIP extraction.
- High-volume outbound WhatsApp Web traffic from a desktop device.
- Unusual connections to unrecognized domains following ZIP execution.
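The indicators above are most useful when correlated on one host inside a short time window rather than matched one at a time. The following is an added example written for this advisory, not code from NCC-CSIRT, the cited researchers, or any vendor product: it takes simplified endpoint telemetry events (all constructed; the hostnames, paths, task name, domains and the allowlist are placeholders, not real indicators) and raises a finding only when a ZIP dropped into a Downloads or Temp folder is followed, within the window, by at least two distinct follow-on behaviours from the list: an executable launched from a drop folder, a new batch script, a new scheduled task, a burst of WhatsApp Web connections, or a connection to a domain outside the allowlist.

```python
"""Correlate endpoint telemetry against the SORVEPOTEL IoC pattern.

Added example, not part of the advisory or of any product. All events,
paths, hostnames, domains and thresholds below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Folders the advisory names as typical drop locations for the loader.
DROP_DIRS = ("\\downloads\\", "\\temp\\")
# Hypothetical allowlist of domains endpoints are expected to reach.
KNOWN_DOMAINS = {"web.whatsapp.com", "update.microsoft.com", "login.microsoftonline.com"}
# Hypothetical threshold for "high-volume" WhatsApp Web connections in one window.
WHATSAPP_BURST = 25


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _in_drop_dir(path):
    return any(d in path.lower() for d in DROP_DIRS)


def classify(event):
    """Map one telemetry event to an IoC category from the advisory, or None."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"].lower()
        if path.endswith(".zip") and _in_drop_dir(path):
            return "zip_dropped"
        if path.endswith((".bat", ".cmd")):
            return "batch_script"
    if kind == "process_create" and event["image"].lower().endswith(".exe") \
            and _in_drop_dir(event["image"]):
        return "exe_from_drop_dir"
    if kind == "scheduled_task_create":
        return "scheduled_task"
    if kind == "network_connect":
        if event["domain"] == "web.whatsapp.com":
            return "whatsapp_session"  # counted, alerts only as a burst
        if event["domain"] not in KNOWN_DOMAINS:
            return "unknown_domain"
    return None


def hunt(events, window_minutes=30):
    """Return {host: sorted follow-on categories} for every host where a ZIP
    drop is followed by at least two distinct IoC categories in the window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if classify(ev) != "zip_dropped":
                continue
            deadline = _ts(ev) + timedelta(minutes=window_minutes)
            seen, whatsapp_hits = set(), 0
            for follow in evs[i + 1:]:
                if _ts(follow) > deadline:
                    break
                cat = classify(follow)
                if cat == "whatsapp_session":
                    whatsapp_hits += 1
                elif cat and cat != "zip_dropped":
                    seen.add(cat)
            if whatsapp_hits >= WHATSAPP_BURST:
                seen.add("whatsapp_burst")
            if len(seen) >= 2:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2025-10-06T09:00:00", "type": "file_create",
     "path": r"C:\Users\alice\Downloads\invoice.zip"},
    {"host": "WS-01", "time": "2025-10-06T09:01:10", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "WS-01", "time": "2025-10-06T09:01:30", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"host": "WS-01", "time": "2025-10-06T09:01:45", "type": "scheduled_task_create",
     "name": "SystemUpdateCheck"},
    {"host": "WS-01", "time": "2025-10-06T09:02:05", "type": "network_connect",
     "domain": "c2.example.invalid"},
    {"host": "WS-02", "time": "2025-10-06T09:05:00", "type": "file_create",
     "path": r"C:\Users\bob\Downloads\report.zip"},
    {"host": "WS-02", "time": "2025-10-06T09:06:00", "type": "network_connect",
     "domain": "update.microsoft.com"},
] + [  # 30 WhatsApp Web connections in 30 seconds: the self-spreading burst
    {"host": "WS-01", "time": f"2025-10-06T09:03:{s:02d}", "type": "network_connect",
     "domain": "web.whatsapp.com"} for s in range(30)
]

if __name__ == "__main__":
    for host, cats in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: ZIP drop followed by {', '.join(cats)}")
```

Requiring two independent follow-on categories keeps a lone ZIP download or a single unknown domain from paging the SOC, while the chain the advisory describes (loader in Temp, batch script, scheduled task, C2 contact, WhatsApp fan-out) trips all of them. The burst threshold and allowlist are the tunables to adjust to the environment's baseline.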
Solutions:
- User Awareness: Do not open ZIP attachments from WhatsApp or email unless verified independently.
- Session Control: Immediately log out of all active WhatsApp Web/Desktop sessions after any suspicious activity.
- Endpoint Protection: Update antivirus and EDR signatures; quarantine any identified infections.
- System Hardening: Restrict execution of unsigned scripts or .NET binaries; apply OS and browser patches.
- Containment: Isolate compromised hosts and review browser and WhatsApp activity logs.
- Messaging Controls: Implement attachment filtering for email and monitor corporate WhatsApp channels.
- Include WhatsApp-based social engineering in security awareness and phishing simulations.
- Instruct SOC teams to monitor for malware families linked to the Maverick loader.
- Strengthen endpoint and network segmentation to limit lateral spread.
- Share any identified IoCs with NCC-CSIRT and relevant national CERTs for coordinated response.
References:
- https://ithelp.harrisburgu.edu/support/discussions/topics/44001025903
- https://kudelskisecurity.com/research/sorvepotel-self-propagating-malware-spreading-via-whatsapp
- https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
- https://cybersecuritynews.com/threat-actors-attack-windows-systems-with-sorvepotel-malware/
- https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html