PULSE NAME
Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users
WHITE AlienVault 2025-10-06 Modified: 2025-11-05
32 IOCs
MEDIUM VOLUME
SORVEPOTEL has been observed spreading across Windows systems through convincing phishing messages that carry malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious attachment requires users to open it on a desktop, suggesting that the threat actors might be more interested in targeting enterprises than consumers. Once the attachment is opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
SORVEPOTEL
Indicators of Compromise (32)