Self-Propagating Malware Spreads Through WhatsApp

Image by Brett Jordan, from Unsplash


A new malware campaign is rapidly spreading through WhatsApp in Brazil.

In a rush? Here are the quick facts:

  • Targets mainly enterprises, including government and public service organizations.
  • Malware hijacks WhatsApp Web to send itself automatically to contacts.
  • Infection starts via phishing messages or emails with disguised ZIP files.

Named SORVEPOTEL, the malware is delivered as a ZIP attachment that infects Windows computers and then hijacks the victim's WhatsApp account to send itself to all of their contacts, as first reported by Trend Micro researchers.

Because the worm rides on an already-authenticated WhatsApp Web session, it spreads quickly between users while requiring only minimal action from each victim.

According to Trend Micro, “SORVEPOTEL has been observed to spread across Windows systems with a message that requires users to open it on a desktop, suggesting that threat actors behind the campaign are targeting enterprises.”

The campaign is concentrated in Brazil: 457 of the 477 detected cases occurred there, affecting government institutions and public services as well as manufacturing, technology, education and construction organizations.

The infection starts when a user opens a phishing message that appears to come from someone in their contact list. The message carries a ZIP file disguised as a receipt, a quote or a health-related document and urges the recipient to "baixa o zip no PC e abre" (download the ZIP on a PC and open it).

The email variant of the lure uses sender addresses that look legitimate and has been seen with two subject lines: "Documento de Rafael B" and "Extrato."

The ZIP file contains a Windows shortcut (.LNK) file. Once the user opens the shortcut, it retrieves the malware from attacker-controlled domains with no further interaction. The malware establishes persistence by running automatically at startup and then abuses the active WhatsApp Web session to send copies of itself to every contact and group, which frequently gets the victim's account banned for spam.
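The delivery step above is the point where a mail gateway or endpoint scanner can intervene: a ZIP whose entry is a Windows shortcut, possibly hidden behind a double extension like `Extrato.pdf.lnk`, is almost never legitimate. The following check is an added example written for this article, not code from Trend Micro or from the malware analysis; it looks at each ZIP entry's name and at the fixed .LNK header defined by MS-SHLLINK (HeaderSize 0x4C followed by the LinkCLSID), so a shortcut renamed to `.pdf` is still caught. The sample archive it scans is constructed in memory and contains only a bare header, not a working shortcut.

```python
import io
import struct
import zipfile

# Fixed prefix of every Windows Shell Link file (MS-SHLLINK section 2.1):
# HeaderSize is always 0x0000004C, followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 serialised little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def looks_like_lnk(data: bytes) -> bool:
    """True if the first 20 bytes carry the .LNK magic, whatever the file name says."""
    if len(data) < 20:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(20)          # only the header is needed for the magic check
            reasons = []
            if name.lower().endswith(".lnk"):
                reasons.append("extension .lnk")
            if looks_like_lnk(head):
                reasons.append("LNK header magic")
            # "Extrato.pdf.lnk"-style names: more than one dot in the base name
            base = name.rsplit("/", 1)[-1]
            if base.count(".") > 1:
                reasons.append("double extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (assumption: not a real lure). The 'shortcut'
    entries hold only a zeroed LNK header, so they cannot launch anything."""
    bare_lnk = (
        struct.pack("<I", LNK_HEADER_SIZE)
        + LNK_CLSID
        + b"\x00" * (LNK_HEADER_SIZE - 20)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Extrato.pdf.lnk", bare_lnk)   # the lure style from the article
        zf.writestr("Documento.pdf", bare_lnk)     # shortcut renamed to hide the extension
        zf.writestr("leia-me.txt", b"just text")   # benign entry, should not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The header check matters more than the name check: an attacker controls the file name inside the archive, but the shortcut will not function unless Windows sees a valid LNK header, so that is the part they cannot change. In a gateway, a hit on either check should quarantine the message rather than merely warn.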

Trend Micro's analysis indicates that the attackers are optimising for breadth, spreading to as many systems as possible, rather than for deep compromise of any one host. Similar techniques have been used in earlier campaigns in Brazil aimed at stealing financial information.

Users and organizations should disable automatic media downloads in WhatsApp, restrict file transfers, and raise awareness that a contact asking you to download a ZIP on a PC and open it is a warning sign, not a convenience. Trend Micro continues to track the campaign for new activity.
