SORVEPOTEL
SORVEPOTEL is a self-propagating WhatsApp worm/malware family targeting Windows systems, with activity concentrated in Brazil. It spreads primarily through malicious ZIP attachments sent in WhatsApp messages from compromised accounts, often instructing recipients in Portuguese to open the file on a desktop or PC. Multiple reports describe the malware hijacking or reusing authenticated WhatsApp Web sessions on infected machines, then automatically forwarding the same malicious ZIP or lure messages to the victim’s contacts and group chats for rapid propagation. Observed implementations use browser automation frameworks such as Selenium, ChromeDriver, and WPPConnect to control WhatsApp Web, scrape contacts, and send messages at scale.
Trend Micro tracks related activity as the Water Saci campaign and reported that most known infections were in Brazil, including impacts on government and public service entities as well as manufacturing, technology, education, and construction. The campaign appears engineered primarily for speed and propagation, though SORVEPOTEL also serves as a delivery conduit for banking and infostealer payloads. Reported downstream payloads include Maverick.StageTwo and Maverick.Agent, and other reporting links SORVEPOTEL-enabled chains to banking malware such as Maverick, Casbaneiro, Astaroth/Guildma, and the newer TCLBANKER ecosystem. Elastic assessed TCLBANKER as a major update to the older Maverick and SORVEPOTEL families.
Observed infection chains include ZIP archives containing LNK, VBS, HTA, MSI, batch, PowerShell, Python, or AutoIt components. In several reports, opening the ZIP leads to execution of a Windows shortcut or script that downloads additional payloads from attacker-controlled infrastructure, establishes persistence, and then activates WhatsApp propagation if WhatsApp Web is present. Some variants monitor browser activity and target Brazilian banking, fintech, and cryptocurrency services; reported capabilities include credential theft, browser credential harvesting, monitoring active browser URLs, and delivery of credential-stealing overlays via follow-on malware.
High-confidence behaviors directly described in the reporting include: infecting WhatsApp clients on Windows; hijacking WhatsApp Web sessions; forwarding malicious ZIP files to all contacts and groups; harvesting contact lists and exfiltrating contact metadata; using trusted victim accounts to increase lure credibility; and in some campaigns checking for Portuguese/Brazilian locale as a targeting or anti-analysis control. Reported infrastructure and artifacts associated with related SORVEPOTEL/TCLBANKER activity include ZIP file XXL_21042026-181516.zip (SHA-256: 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394), loader DLL screen_retriever_plugin.dll (SHA-256: 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626, 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059, 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40), and domains such as campanha1-api.ef971a42[.]workers.dev, documents.ef971a42.workers[.]dev, mxtestacionamentos[.]com, arquivos-omie[.]com, documentos-online[.]com, afonsoferragista[.]com, doccompartilhe[.]com, recebamais[.]com, varegjopeaks[.]com, manoelimoveiscaioba[.]com, serverseistemasatu[.]com, miportuarios[.]com, and sorvetenopoate[.]com.
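As an added example that is not part of this page or any vendor's tooling, the following Python encodes two of the behaviours reported above (a script executed straight out of a ZIP opened in Explorer, and a script host or Python driving WhatsApp Web through ChromeDriver) plus a matcher that re-fangs the quoted domains, and runs them over constructed endpoint telemetry; the event field names, paths and sample events are assumptions, only the domains come from the page.

```python
import re

# Domains quoted on the page, defanged with "[.]"; re-fang before matching.
DEFANGED = ["campanha1-api.ef971a42[.]workers.dev", "arquivos-omie[.]com",
            "documentos-online[.]com", "sorvetenopoate[.]com"]
IOC_DOMAINS = {d.replace("[.]", ".").lower() for d in DEFANGED}

# Script hosts the reported ZIP contents (LNK/VBS/HTA/BAT/PS1/Python) run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "cmd.exe", "python.exe"}
# Explorer copies a file opened inside a ZIP to %TEMP%\Temp1_<name>.zip\ first.
ZIP_EXTRACT = re.compile(r"\\Temp\d*_[^\\]+\.zip\\", re.I)
SCRIPT_EXT = re.compile(r"\.(lnk|vbs|hta|bat|cmd|ps1|py)\b", re.I)
# ChromeDriver/Selenium-style automation of WhatsApp Web, as the reports describe.
WA_AUTOMATION = re.compile(r"chromedriver\.exe|web\.whatsapp\.com", re.I)


def ioc_domain_hit(query):
    """True if a DNS query equals a listed domain or is a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def evaluate(events):
    """Return (rule_name, event) pairs for events that match a heuristic."""
    alerts = []
    for e in events:
        if e["type"] == "dns" and ioc_domain_hit(e["query"]):
            alerts.append(("sorvepotel_ioc_domain", e))
        elif e["type"] == "process":
            image = e["image"].rsplit("\\", 1)[-1].lower()
            parent = e["parent"].rsplit("\\", 1)[-1].lower()
            cmd = e["cmdline"]
            # Stage 1: script run directly from a ZIP opened in Explorer.
            if image in SCRIPT_HOSTS and ZIP_EXTRACT.search(cmd) and SCRIPT_EXT.search(cmd):
                alerts.append(("zip_script_execution", e))
            # Propagation stage: script host or Python launching ChromeDriver.
            if parent in SCRIPT_HOSTS and WA_AUTOMATION.search(cmd):
                alerts.append(("whatsapp_web_automation", e))
    return alerts


# Constructed sample telemetry (not real logs): three hits and one benign lookup.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\Temp1_fatura.zip\fatura.vbs"'},
    {"type": "process", "parent": "C:\\Python311\\python.exe",
     "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\chromedriver.exe",
     "cmdline": "chromedriver.exe --port=9515"},
    {"type": "dns", "query": "documentos-online.com"},
    {"type": "dns", "query": "web.whatsapp.com"},
]
```

Calling `evaluate(SAMPLE_EVENTS)` yields one alert per heuristic for the first three events and nothing for the benign WhatsApp lookup.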
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...a worm that propagates via WhatsApp Web known as SORVEPOTEL, which then acts as a conduit for Maverick..."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic. Initial Access: 1 technique.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Older malware family referenced as a predecessor or related family to TCLBANKER.
Worm used to spread Maverick-like banking trojan activity via WhatsApp Web by hijacking authenticated sessions and sending messages to contacts.
WhatsApp-distributed worm abusing previously authenticated chats to send malicious lures, leading to multi-stage infection chains that can culminate in deployment of banking malware (including in-memory Astaroth).
Python-based worm and WhatsApp automation tool that hijacks authenticated WhatsApp Web sessions, scrapes contacts, and propagates itself by sending malicious lures through existing chat threads. It enables lateral spread and acts as the initial access and delivery mechanism for further payloads.