{
  "type": "Domain",
  "indicator": "expansivebot.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/expansivebot.com",
    "alexa": "http://www.alexa.com/siteinfo/expansivebot.com",
    "indicator": "expansivebot.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4137335788,
      "indicator": "expansivebot.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "68e4108c5f2749cc061f3779",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.",
          "modified": "2025-11-05T18:03:26.643000",
          "created": "2025-10-06T18:55:07.208000",
          "tags": [
            "malware",
            "phishing",
            "whatsapp",
            "brazil",
            "whatsapp web",
            "c server",
            "water saci",
            "lnk file",
            "powershell",
            "loader",
            "bradesco",
            "persistence",
            "format",
            "brazilian",
            "turn",
            "telegram",
            "watsonclient",
            "SORVEPOTEL"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Crypto",
            "Financial",
            "Government",
            "Manufacturing",
            "Technology",
            "Education",
            "Construction"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "domain": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386536,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6927362a094590b632f8779c",
          "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)",
          "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil",
          "modified": "2026-02-26T18:55:49.942000",
          "created": "2025-11-26T17:17:28.844000",
          "tags": [
            "banker",
            "whatsapp"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Eternity",
              "display_name": "Eternity",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IncursioHack",
            "id": "371344",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44,
            "hostname": 4
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e008a257bca24dde4b2388",
          "name": "Self-Propagating Malware Spreads Via WhatsApp",
          "description": "",
          "modified": "2026-02-20T16:01:39.829000",
          "created": "2025-10-03T17:32:16.857000",
          "tags": [
            "malware spreads",
            "via whatsapp",
            "users",
            "compromise sha",
            "detection file",
            "ipsurls"
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sockbrazil",
            "id": "297373",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 16,
            "URL": 1578,
            "domain": 18,
            "hostname": 3,
            "FileHash-MD5": 275,
            "FileHash-SHA1": 7
          },
          "indicator_count": 1897,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 6,
          "modified_text": "99 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69201e95fd53ddea32d9bcd5",
          "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "modified": "2025-12-21T08:00:07.481000",
          "created": "2025-11-21T08:11:00.138000",
          "tags": [
            "malware spreads, via whatsapp, users, compromise sha, detection "
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mr.taz92",
            "id": "370502",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "161 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69146ba742283210c450a63a",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "",
          "modified": "2025-11-12T11:12:37.383000",
          "created": "2025-11-12T11:12:37.383000",
          "tags": [
            "file hash",
            "domain",
            "hostname"
          ],
          "references": [
            "68e4108c5f2749cc061f3779-openIoc1-0.xml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "modyseck7",
            "id": "145598",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "domain": 8,
            "hostname": 2
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "200 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e81aa6fa499ffa699c90fe",
          "name": "EbeeOct2025 Pt1",
          "description": "",
          "modified": "2025-11-09T00:03:01.593000",
          "created": "2025-10-09T20:27:18.015000",
          "tags": [],
          "references": [
            "IOCs_Oct week-1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple APT/Malware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 53,
            "URL": 46,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 287,
            "CVE": 1,
            "domain": 71
          },
          "indicator_count": 795,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "203 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e71027b3f0c097d0dc40ba",
          "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "Trend\u2122 Research  is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.",
          "modified": "2025-11-08T01:03:18.532000",
          "created": "2025-10-09T01:30:15.440000",
          "tags": [
            "malware spreads",
            "via whatsapp",
            "users",
            "compromise sha",
            "detection file",
            "ipsurls"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "204 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e5f81d88c29daff01b2981",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)",
          "description": "",
          "modified": "2025-11-05T18:03:26.643000",
          "created": "2025-10-08T05:35:25.686000",
          "tags": [
            "malware",
            "phishing",
            "whatsapp",
            "brazil",
            "whatsapp web",
            "c server",
            "water saci",
            "lnk file",
            "powershell",
            "loader",
            "bradesco",
            "persistence",
            "format",
            "brazilian",
            "turn",
            "telegram",
            "watsonclient",
            "SORVEPOTEL"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Crypto",
            "Financial",
            "Government",
            "Manufacturing",
            "Technology",
            "Education",
            "Construction"
          ],
          "TLP": "white",
          "cloned_from": "68e4108c5f2749cc061f3779",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "domain": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dd47b9cd1d0cba597ed47c",
          "name": "IoCs Phishing Comprovante Whatsapp (atualizado 03/10/25)",
          "description": "IoCs relacionados a phishing de comprovante zip por whatsapp",
          "modified": "2025-11-02T18:02:27.721000",
          "created": "2025-10-01T15:24:39.353000",
          "tags": [
            "WhatsApp",
            "ZIP",
            "Comprovante"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Pantera",
              "display_name": "Trojan:Win32/Pantera",
              "target": "/malware/Trojan:Win32/Pantera"
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "socinterplayers",
            "id": "261638",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 271,
            "domain": 43,
            "hostname": 17,
            "URL": 5
          },
          "indicator_count": 336,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 10,
          "modified_text": "209 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690386e470ff039b4812f36a",
          "name": "IoCs_Asafe",
          "description": "Grupo de IoCs agrupados por Asafe Borges.",
          "modified": "2025-10-30T15:40:19.543000",
          "created": "2025-10-30T15:40:19.543000",
          "tags": [
            "object",
            "campaign sha256",
            "campaign"
          ],
          "references": [
            "IoCs_malware_whatsapp_campaign.csv",
            "dom\u00ednios_malware_sorvepotel 1.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "asafebelo",
            "id": "353090",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 9,
            "domain": 55,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "hostname": 2
          },
          "indicator_count": 78,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "212 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e3dcd269b5a73ffaa611a1",
          "name": "WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
          "description": "",
          "modified": "2025-10-06T15:14:26.994000",
          "created": "2025-10-06T15:14:26.994000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "abinsiby7048",
            "id": "355718",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "URL": 1,
            "domain": 5,
            "hostname": 2
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "236 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e0656ba2258a7ddff6cf37",
          "name": "Self-Spreading WhatsApp Malware Named SORVEPOTEL",
          "description": "",
          "modified": "2025-10-04T00:08:11.852000",
          "created": "2025-10-04T00:08:11.852000",
          "tags": [
            "urls",
            "dz domains"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 11,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "239 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dff609e21c6053f8ed4d4a",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con SORVEPOTEL 03-10-2025",
          "description": "SORVEPOTEL es un malware autopropagable dise\u00f1ado para infectar sistemas Windows, caracterizado por su sofisticado mecanismo de distribuci\u00f3n a trav\u00e9s de aplicaciones de mensajer\u00eda instant\u00e1nea. Su arquitectura emplea m\u00faltiples capas de ofuscaci\u00f3n y t\u00e9cnicas de evasi\u00f3n, comenzando con archivos ZIP maliciosos que contienen accesos directos LNK. Estos archivos LNK ejecutan scripts de PowerShell y comandos de Windows altamente ofuscados mediante codificaci\u00f3n Base64, permitiendo la descarga encubierta de cargas \u00fatiles adicionales desde servidores controlados por los atacantes.",
          "modified": "2025-10-03T16:27:56.081000",
          "created": "2025-10-03T16:12:57.722000",
          "tags": [
            "ta0001 initial",
            "access",
            "ta0005 defense",
            "ta0011 command",
            "control",
            "t1059 command",
            "files",
            "t1547 boot",
            "logon autostart",
            "execution"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light",
            "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL",
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 11,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 267,
          "modified_text": "239 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IoCs_malware_whatsapp_campaign.csv",
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt",
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt",
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html",
        "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light",
        "IOCs_Oct week-1.pdf",
        "dom\u00ednios_malware_sorvepotel 1.csv",
        "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL",
        "68e4108c5f2749cc061f3779-openIoc1-0.xml"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Sorvepotel"
          ],
          "industries": [
            "Technology",
            "Education",
            "Financial",
            "Manufacturing",
            "Construction",
            "Government",
            "Crypto"
          ]
        },
        "other": {
          "adversary": [
            "Multiple APT/Malware"
          ],
          "malware_families": [
            "Sorvepotel",
            "Trojan:win32/pantera",
            "Eternity"
          ],
          "industries": [
            "Technology",
            "Education",
            "Financial",
            "Manufacturing",
            "Construction",
            "Government",
            "Crypto"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "68e4108c5f2749cc061f3779",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.",
      "modified": "2025-11-05T18:03:26.643000",
      "created": "2025-10-06T18:55:07.208000",
      "tags": [
        "malware",
        "phishing",
        "whatsapp",
        "brazil",
        "whatsapp web",
        "c server",
        "water saci",
        "lnk file",
        "powershell",
        "loader",
        "bradesco",
        "persistence",
        "format",
        "brazilian",
        "turn",
        "telegram",
        "watsonclient",
        "SORVEPOTEL"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Crypto",
        "Financial",
        "Government",
        "Manufacturing",
        "Technology",
        "Education",
        "Construction"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 92,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "domain": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386536,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6927362a094590b632f8779c",
      "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)",
      "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil",
      "modified": "2026-02-26T18:55:49.942000",
      "created": "2025-11-26T17:17:28.844000",
      "tags": [
        "banker",
        "whatsapp"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Eternity",
          "display_name": "Eternity",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IncursioHack",
        "id": "371344",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44,
        "hostname": 4
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "93 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e008a257bca24dde4b2388",
      "name": "Self-Propagating Malware Spreads Via WhatsApp",
      "description": "",
      "modified": "2026-02-20T16:01:39.829000",
      "created": "2025-10-03T17:32:16.857000",
      "tags": [
        "malware spreads",
        "via whatsapp",
        "users",
        "compromise sha",
        "detection file",
        "ipsurls"
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sockbrazil",
        "id": "297373",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 16,
        "URL": 1578,
        "domain": 18,
        "hostname": 3,
        "FileHash-MD5": 275,
        "FileHash-SHA1": 7
      },
      "indicator_count": 1897,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 6,
      "modified_text": "99 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69201e95fd53ddea32d9bcd5",
      "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "modified": "2025-12-21T08:00:07.481000",
      "created": "2025-11-21T08:11:00.138000",
      "tags": [
        "malware spreads, via whatsapp, users, compromise sha, detection "
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mr.taz92",
        "id": "370502",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 17,
      "modified_text": "161 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69146ba742283210c450a63a",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "",
      "modified": "2025-11-12T11:12:37.383000",
      "created": "2025-11-12T11:12:37.383000",
      "tags": [
        "file hash",
        "domain",
        "hostname"
      ],
      "references": [
        "68e4108c5f2749cc061f3779-openIoc1-0.xml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "modyseck7",
        "id": "145598",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "domain": 8,
        "hostname": 2
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 21,
      "modified_text": "200 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e81aa6fa499ffa699c90fe",
      "name": "EbeeOct2025 Pt1",
      "description": "",
      "modified": "2025-11-09T00:03:01.593000",
      "created": "2025-10-09T20:27:18.015000",
      "tags": [],
      "references": [
        "IOCs_Oct week-1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple APT/Malware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 53,
        "URL": 46,
        "FileHash-MD5": 178,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 287,
        "CVE": 1,
        "domain": 71
      },
      "indicator_count": 795,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "203 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e71027b3f0c097d0dc40ba",
      "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "Trend\u2122 Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.",
      "modified": "2025-11-08T01:03:18.532000",
      "created": "2025-10-09T01:30:15.440000",
      "tags": [
        "malware spreads",
        "via whatsapp",
        "users",
        "compromise sha",
        "detection file",
        "ipsurls"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "204 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e5f81d88c29daff01b2981",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)",
      "description": "",
      "modified": "2025-11-05T18:03:26.643000",
      "created": "2025-10-08T05:35:25.686000",
      "tags": [
        "malware",
        "phishing",
        "whatsapp",
        "brazil",
        "whatsapp web",
        "c server",
        "water saci",
        "lnk file",
        "powershell",
        "loader",
        "bradesco",
        "persistence",
        "format",
        "brazilian",
        "turn",
        "telegram",
        "watsonclient",
        "SORVEPOTEL"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Crypto",
        "Financial",
        "Government",
        "Manufacturing",
        "Technology",
        "Education",
        "Construction"
      ],
      "TLP": "white",
      "cloned_from": "68e4108c5f2749cc061f3779",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "domain": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 280,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dd47b9cd1d0cba597ed47c",
      "name": "IoCs Phishing Comprovante Whatsapp (atualizado 03/10/25)",
      "description": "IoCs relacionados a phishing de comprovante zip por whatsapp",
      "modified": "2025-11-02T18:02:27.721000",
      "created": "2025-10-01T15:24:39.353000",
      "tags": [
        "WhatsApp",
        "ZIP",
        "Comprovante"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Pantera",
          "display_name": "Trojan:Win32/Pantera",
          "target": "/malware/Trojan:Win32/Pantera"
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 46,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "socinterplayers",
        "id": "261638",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 271,
        "domain": 43,
        "hostname": 17,
        "URL": 5
      },
      "indicator_count": 336,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 10,
      "modified_text": "209 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690386e470ff039b4812f36a",
      "name": "IoCs_Asafe",
      "description": "Grupo de IoCs agrupados por Asafe Borges.",
      "modified": "2025-10-30T15:40:19.543000",
      "created": "2025-10-30T15:40:19.543000",
      "tags": [
        "object",
        "campaign sha256",
        "campaign"
      ],
      "references": [
        "IoCs_malware_whatsapp_campaign.csv",
        "dom\u00ednios_malware_sorvepotel 1.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "asafebelo",
        "id": "353090",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 9,
        "domain": 55,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "hostname": 2
      },
      "indicator_count": 78,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 0,
      "modified_text": "212 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "expansivebot.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "expansivebot.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780235557.0503297
}