{ "type": "Domain", "indicator": "expahnsiveuser.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/expahnsiveuser.com", "alexa": "http://www.alexa.com/siteinfo/expahnsiveuser.com", "indicator": "expahnsiveuser.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4137354605, "indicator": "expahnsiveuser.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6927362a094590b632f8779c", "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)", "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil", "modified": "2026-02-26T18:55:49.942000", "created": "2025-11-26T17:17:28.844000", "tags": [ "banker", "whatsapp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Eternity", "display_name": "Eternity", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IncursioHack", "id": "371344", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "hostname": 4 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e008a257bca24dde4b2388", "name": "Self-Propagating Malware Spreads Via WhatsApp", "description": "", "modified": "2026-02-20T16:01:39.829000", "created": "2025-10-03T17:32:16.857000", "tags": [ "malware spreads", "via whatsapp", "users", "compromise sha", "detection file", "ipsurls" ], "references": [ "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sockbrazil", "id": "297373", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "URL": 1578, "domain": 18, "hostname": 3, "FileHash-MD5": 275, "FileHash-SHA1": 7 }, "indicator_count": 1897, "is_author": false, "is_subscribing": null, "subscriber_count": 6, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69201e95fd53ddea32d9bcd5", "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users", "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users", "modified": "2025-12-21T08:00:07.481000", "created": "2025-11-21T08:11:00.138000", "tags": [ "malware spreads, via whatsapp, users, compromise sha, detection " ], "references": [ "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mr.taz92", "id": "370502", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 1, "domain": 14, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ee9d3ad89810ceab7196e", "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises", "description": "", "modified": "2025-12-20T10:00:30.740000", "created": "2025-11-20T10:13:39.877000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 11, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691eec6cd49a4086d2537eec", "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises", "description": "", "modified": "2025-12-20T10:00:30.740000", "created": "2025-11-20T10:24:44.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 11, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e74be5fed73285beeb948f", "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)", "description": "Trend is the world's leading provider of artificial intelligence (AI) security solutions, with a range of products designed to protect businesses from cyber attacks and cyber-threats, from email to network security.", "modified": "2025-11-08T05:02:32.251000", "created": "2025-10-09T05:45:09.336000", "tags": [ "malware", "latest news", "research", "phishing", "learn", "whatsapp", "trend micro", "trend vision", "trend research", "brazil", "whatsapp web", "c server", "water saci", "lnk file", "alliance", "powershell", "find", "loader", "bradesco", "banco", "stop", "protect", "small", "carriers", "voice", "attack", "download", "persistence", "trojanspy", "locale", "format", "brazilian", "next", "trojan", "turn", "telegram", "korean", "watsonclient" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "WhatsApp", "display_name": "WhatsApp", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WatsonClient", "display_name": "WatsonClient", "target": null }, { "id": "Water Saci", "display_name": "Water Saci", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Crypto", "Financial", "Government", "Manufacturing", "Technology", "Education", "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 35, "hostname": 17 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e71027b3f0c097d0dc40ba", "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users", "description": "Trend\u2122 Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.", "modified": "2025-11-08T01:03:18.532000", "created": "2025-10-09T01:30:15.440000", "tags": [ "malware spreads", "via whatsapp", "users", "compromise sha", "detection file", "ipsurls" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 1, "domain": 14, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dd47b9cd1d0cba597ed47c", "name": "IoCs Phishing Comprovante Whatsapp (atualizado 03/10/25)", "description": "IoCs relacionados a phishing de comprovante zip por whatsapp", "modified": "2025-11-02T18:02:27.721000", "created": "2025-10-01T15:24:39.353000", "tags": [ "WhatsApp", "ZIP", "Comprovante" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Trojan:Win32/Pantera", "display_name": "Trojan:Win32/Pantera", "target": "/malware/Trojan:Win32/Pantera" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "socinterplayers", "id": "261638", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 271, "domain": 43, "hostname": 17, "URL": 5 }, "indicator_count": 336, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690386e470ff039b4812f36a", "name": "IoCs_Asafe", "description": "Grupo de IoCs agrupados por Asafe Borges.", "modified": "2025-10-30T15:40:19.543000", "created": "2025-10-30T15:40:19.543000", "tags": [ "object", "campaign sha256", "campaign" ], "references": [ "IoCs_malware_whatsapp_campaign.csv", "dom\u00ednios_malware_sorvepotel 1.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "asafebelo", "id": "353090", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "domain": 55, "FileHash-MD5": 6, "FileHash-SHA1": 6, "hostname": 2 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "214 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e0656ba2258a7ddff6cf37", "name": "Self-Spreading WhatsApp Malware Named SORVEPOTEL", "description": "", "modified": "2025-10-04T00:08:11.852000", "created": "2025-10-04T00:08:11.852000", "tags": [ "urls", "dz domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 1, "domain": 11, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "240 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dff609e21c6053f8ed4d4a", "name": "ACTIVIDAD MALICIOSA | Relacionada con SORVEPOTEL 03-10-2025", "description": "SORVEPOTEL es un malware autopropagable dise\u00f1ado para infectar sistemas Windows, caracterizado por su sofisticado mecanismo de distribuci\u00f3n a trav\u00e9s de aplicaciones de mensajer\u00eda instant\u00e1nea. Su arquitectura emplea m\u00faltiples capas de ofuscaci\u00f3n y t\u00e9cnicas de evasi\u00f3n, comenzando con archivos ZIP maliciosos que contienen accesos directos LNK. Estos archivos LNK ejecutan scripts de PowerShell y comandos de Windows altamente ofuscados mediante codificaci\u00f3n Base64, permitiendo la descarga encubierta de cargas \u00fatiles adicionales desde servidores controlados por los atacantes.", "modified": "2025-10-03T16:27:56.081000", "created": "2025-10-03T16:12:57.722000", "tags": [ "ta0001 initial", "access", "ta0005 defense", "ta0011 command", "control", "t1059 command", "files", "t1547 boot", "logon autostart", "execution" ], "references": [ "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light", "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL", "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "URL": 1, "domain": 11, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 267, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IoCs_malware_whatsapp_campaign.csv", "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL", "dom\u00ednios_malware_sorvepotel 1.csv", "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt", "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt", "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html", "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light", "IOCs_Oct week-1.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple APT/Malware" ], "malware_families": [ "Water saci", "Watsonclient", "Trojanspy", "Sorvepotel", "Whatsapp", "Eternity", "Trojan:win32/pantera" ], "industries": [ "Technology", "Manufacturing", "Financial", "Crypto", "Education", "Construction", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6927362a094590b632f8779c", "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)", "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil", "modified": "2026-02-26T18:55:49.942000", "created": "2025-11-26T17:17:28.844000", "tags": [ "banker", "whatsapp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Eternity", "display_name": "Eternity", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IncursioHack", "id": "371344", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "hostname": 4 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e008a257bca24dde4b2388", "name": "Self-Propagating Malware Spreads Via WhatsApp", "description": "", "modified": "2026-02-20T16:01:39.829000", "created": "2025-10-03T17:32:16.857000", "tags": [ "malware spreads", "via whatsapp", "users", "compromise sha", "detection file", "ipsurls" ], "references": [ "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "sockbrazil", "id": "297373", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 16, "URL": 1578, "domain": 18, "hostname": 3, "FileHash-MD5": 275, "FileHash-SHA1": 7 }, "indicator_count": 1897, "is_author": false, "is_subscribing": null, "subscriber_count": 6, "modified_text": "101 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69201e95fd53ddea32d9bcd5", "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users", "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users", "modified": "2025-12-21T08:00:07.481000", "created": "2025-11-21T08:11:00.138000", "tags": [ "malware spreads, via whatsapp, users, compromise sha, detection " ], "references": [ "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mr.taz92", "id": "370502", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 1, "domain": 14, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 17, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691ee9d3ad89810ceab7196e", "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises", "description": "", "modified": "2025-12-20T10:00:30.740000", "created": "2025-11-20T10:13:39.877000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 11, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691eec6cd49a4086d2537eec", "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises", "description": "", "modified": "2025-12-20T10:00:30.740000", "created": "2025-11-20T10:24:44.952000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 1, "domain": 11, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e81aa6fa499ffa699c90fe", "name": "EbeeOct2025 Pt1", "description": "", "modified": "2025-11-09T00:03:01.593000", "created": "2025-10-09T20:27:18.015000", "tags": [], "references": [ "IOCs_Oct week-1.pdf" ], "public": 1, "adversary": "Multiple APT/Malware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 53, "URL": 46, "FileHash-MD5": 178, "FileHash-SHA1": 159, "FileHash-SHA256": 287, "CVE": 1, "domain": 71 }, "indicator_count": 795, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "204 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e74be5fed73285beeb948f", "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)", "description": "Trend is the world's leading provider of artificial intelligence (AI) security solutions, with a range of products designed to protect businesses from cyber attacks and cyber-threats, from email to network security.", "modified": "2025-11-08T05:02:32.251000", "created": "2025-10-09T05:45:09.336000", "tags": [ "malware", "latest news", "research", "phishing", "learn", "whatsapp", "trend micro", "trend vision", "trend research", "brazil", "whatsapp web", "c server", "water saci", "lnk file", "alliance", "powershell", "find", "loader", "bradesco", "banco", "stop", "protect", "small", "carriers", "voice", "attack", "download", "persistence", "trojanspy", "locale", "format", "brazilian", "next", "trojan", "turn", "telegram", "korean", "watsonclient" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "WhatsApp", "display_name": "WhatsApp", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "WatsonClient", "display_name": "WatsonClient", "target": null }, { "id": "Water Saci", "display_name": "Water Saci", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Crypto", "Financial", "Government", "Manufacturing", "Technology", "Education", "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 35, "hostname": 17 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e71027b3f0c097d0dc40ba", "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users", "description": "Trend\u2122 Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.", "modified": "2025-11-08T01:03:18.532000", "created": "2025-10-09T01:30:15.440000", "tags": [ "malware spreads", "via whatsapp", "users", "compromise sha", "detection file", "ipsurls" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 1, "domain": 14, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68dd47b9cd1d0cba597ed47c", "name": "IoCs Phishing Comprovante Whatsapp (atualizado 03/10/25)", "description": "IoCs relacionados a phishing de comprovante zip por whatsapp", "modified": "2025-11-02T18:02:27.721000", "created": "2025-10-01T15:24:39.353000", "tags": [ "WhatsApp", "ZIP", "Comprovante" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Trojan:Win32/Pantera", "display_name": "Trojan:Win32/Pantera", "target": "/malware/Trojan:Win32/Pantera" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "socinterplayers", "id": "261638", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 271, "domain": 43, "hostname": 17, "URL": 5 }, "indicator_count": 336, "is_author": false, "is_subscribing": null, "subscriber_count": 10, "modified_text": "211 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "690386e470ff039b4812f36a", "name": "IoCs_Asafe", "description": "Grupo de IoCs agrupados por Asafe Borges.", "modified": "2025-10-30T15:40:19.543000", "created": "2025-10-30T15:40:19.543000", "tags": [ "object", "campaign sha256", "campaign" ], "references": [ "IoCs_malware_whatsapp_campaign.csv", "dom\u00ednios_malware_sorvepotel 1.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "asafebelo", "id": "353090", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9, "domain": 55, "FileHash-MD5": 6, "FileHash-SHA1": 6, "hostname": 2 }, "indicator_count": 78, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "214 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "expahnsiveuser.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "expahnsiveuser.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780347696.575167 }