{
  "type": "Domain",
  "indicator": "saogeraldoshoping.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/saogeraldoshoping.com",
    "alexa": "http://www.alexa.com/siteinfo/saogeraldoshoping.com",
    "indicator": "saogeraldoshoping.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4138116045,
      "indicator": "saogeraldoshoping.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "68e4108c5f2749cc061f3779",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.",
          "modified": "2025-11-05T18:03:26.643000",
          "created": "2025-10-06T18:55:07.208000",
          "tags": [
            "malware",
            "phishing",
            "whatsapp",
            "brazil",
            "whatsapp web",
            "c server",
            "water saci",
            "lnk file",
            "powershell",
            "loader",
            "bradesco",
            "persistence",
            "format",
            "brazilian",
            "turn",
            "telegram",
            "watsonclient",
            "SORVEPOTEL"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Crypto",
            "Financial",
            "Government",
            "Manufacturing",
            "Technology",
            "Education",
            "Construction"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 92,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "domain": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386508,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69201e95fd53ddea32d9bcd5",
          "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "modified": "2025-12-21T08:00:07.481000",
          "created": "2025-11-21T08:11:00.138000",
          "tags": [
            "malware spreads, via whatsapp, users, compromise sha, detection "
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mr.taz92",
            "id": "370502",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "161 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691ee9d3ad89810ceab7196e",
          "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
          "description": "",
          "modified": "2025-12-20T10:00:30.740000",
          "created": "2025-11-20T10:13:39.877000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691eec6cd49a4086d2537eec",
          "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
          "description": "",
          "modified": "2025-12-20T10:00:30.740000",
          "created": "2025-11-20T10:24:44.952000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69146ba742283210c450a63a",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "",
          "modified": "2025-11-12T11:12:37.383000",
          "created": "2025-11-12T11:12:37.383000",
          "tags": [
            "file hash",
            "domain",
            "hostname"
          ],
          "references": [
            "68e4108c5f2749cc061f3779-openIoc1-0.xml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "modyseck7",
            "id": "145598",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "domain": 8,
            "hostname": 2
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "199 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e81aa6fa499ffa699c90fe",
          "name": "EbeeOct2025 Pt1",
          "description": "",
          "modified": "2025-11-09T00:03:01.593000",
          "created": "2025-10-09T20:27:18.015000",
          "tags": [],
          "references": [
            "IOCs_Oct week-1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple APT/Malware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 53,
            "URL": 46,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 287,
            "CVE": 1,
            "domain": 71
          },
          "indicator_count": 795,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "203 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e71027b3f0c097d0dc40ba",
          "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "Trend\u2122 Research  is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.",
          "modified": "2025-11-08T01:03:18.532000",
          "created": "2025-10-09T01:30:15.440000",
          "tags": [
            "malware spreads",
            "via whatsapp",
            "users",
            "compromise sha",
            "detection file",
            "ipsurls"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "204 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e5f81d88c29daff01b2981",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)",
          "description": "",
          "modified": "2025-11-05T18:03:26.643000",
          "created": "2025-10-08T05:35:25.686000",
          "tags": [
            "malware",
            "phishing",
            "whatsapp",
            "brazil",
            "whatsapp web",
            "c server",
            "water saci",
            "lnk file",
            "powershell",
            "loader",
            "bradesco",
            "persistence",
            "format",
            "brazilian",
            "turn",
            "telegram",
            "watsonclient",
            "SORVEPOTEL"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Crypto",
            "Financial",
            "Government",
            "Manufacturing",
            "Technology",
            "Education",
            "Construction"
          ],
          "TLP": "white",
          "cloned_from": "68e4108c5f2749cc061f3779",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 7,
            "domain": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "hostname": 2
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 280,
          "modified_text": "206 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690386e470ff039b4812f36a",
          "name": "IoCs_Asafe",
          "description": "Grupo de IoCs agrupados por Asafe Borges.",
          "modified": "2025-10-30T15:40:19.543000",
          "created": "2025-10-30T15:40:19.543000",
          "tags": [
            "object",
            "campaign sha256",
            "campaign"
          ],
          "references": [
            "IoCs_malware_whatsapp_campaign.csv",
            "dom\u00ednios_malware_sorvepotel 1.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "asafebelo",
            "id": "353090",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 9,
            "domain": 55,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "hostname": 2
          },
          "indicator_count": 78,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "212 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "dom\u00ednios_malware_sorvepotel 1.csv",
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt",
        "IoCs_malware_whatsapp_campaign.csv",
        "68e4108c5f2749cc061f3779-openIoc1-0.xml",
        "IOCs_Oct week-1.pdf",
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Sorvepotel"
          ],
          "industries": [
            "Education",
            "Financial",
            "Manufacturing",
            "Technology",
            "Government",
            "Crypto",
            "Construction"
          ]
        },
        "other": {
          "adversary": [
            "Multiple APT/Malware"
          ],
          "malware_families": [
            "Sorvepotel"
          ],
          "industries": [
            "Education",
            "Financial",
            "Manufacturing",
            "Technology",
            "Government",
            "Crypto",
            "Construction"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "68e4108c5f2749cc061f3779",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments. Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers. Once opened, the malware automatically propagates via WhatsApp Web, causing infected accounts to be banned due to excessive spam activity.",
      "modified": "2025-11-05T18:03:26.643000",
      "created": "2025-10-06T18:55:07.208000",
      "tags": [
        "malware",
        "phishing",
        "whatsapp",
        "brazil",
        "whatsapp web",
        "c server",
        "water saci",
        "lnk file",
        "powershell",
        "loader",
        "bradesco",
        "persistence",
        "format",
        "brazilian",
        "turn",
        "telegram",
        "watsonclient",
        "SORVEPOTEL"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Crypto",
        "Financial",
        "Government",
        "Manufacturing",
        "Technology",
        "Education",
        "Construction"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 92,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "domain": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386508,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69201e95fd53ddea32d9bcd5",
      "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "modified": "2025-12-21T08:00:07.481000",
      "created": "2025-11-21T08:11:00.138000",
      "tags": [
        "malware spreads, via whatsapp, users, compromise sha, detection "
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mr.taz92",
        "id": "370502",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 17,
      "modified_text": "161 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691ee9d3ad89810ceab7196e",
      "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
      "description": "",
      "modified": "2025-12-20T10:00:30.740000",
      "created": "2025-11-20T10:13:39.877000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 1,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691eec6cd49a4086d2537eec",
      "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
      "description": "",
      "modified": "2025-12-20T10:00:30.740000",
      "created": "2025-11-20T10:24:44.952000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 1,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69146ba742283210c450a63a",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "",
      "modified": "2025-11-12T11:12:37.383000",
      "created": "2025-11-12T11:12:37.383000",
      "tags": [
        "file hash",
        "domain",
        "hostname"
      ],
      "references": [
        "68e4108c5f2749cc061f3779-openIoc1-0.xml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "modyseck7",
        "id": "145598",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "domain": 8,
        "hostname": 2
      },
      "indicator_count": 31,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 21,
      "modified_text": "199 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e81aa6fa499ffa699c90fe",
      "name": "EbeeOct2025 Pt1",
      "description": "",
      "modified": "2025-11-09T00:03:01.593000",
      "created": "2025-10-09T20:27:18.015000",
      "tags": [],
      "references": [
        "IOCs_Oct week-1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple APT/Malware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 53,
        "URL": 46,
        "FileHash-MD5": 178,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 287,
        "CVE": 1,
        "domain": 71
      },
      "indicator_count": 795,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "203 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e71027b3f0c097d0dc40ba",
      "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
      "description": "Trend\u2122 Research is currently investigating an aggressive malware campaign that leverages the online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.",
      "modified": "2025-11-08T01:03:18.532000",
      "created": "2025-10-09T01:30:15.440000",
      "tags": [
        "malware spreads",
        "via whatsapp",
        "users",
        "compromise sha",
        "detection file",
        "ipsurls"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "204 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e5f81d88c29daff01b2981",
      "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)",
      "description": "",
      "modified": "2025-11-05T18:03:26.643000",
      "created": "2025-10-08T05:35:25.686000",
      "tags": [
        "malware",
        "phishing",
        "whatsapp",
        "brazil",
        "whatsapp web",
        "c server",
        "water saci",
        "lnk file",
        "powershell",
        "loader",
        "bradesco",
        "persistence",
        "format",
        "brazilian",
        "turn",
        "telegram",
        "watsonclient",
        "SORVEPOTEL"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Crypto",
        "Financial",
        "Government",
        "Manufacturing",
        "Technology",
        "Education",
        "Construction"
      ],
      "TLP": "white",
      "cloned_from": "68e4108c5f2749cc061f3779",
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 7,
        "domain": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "hostname": 2
      },
      "indicator_count": 32,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 280,
      "modified_text": "206 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690386e470ff039b4812f36a",
      "name": "IoCs_Asafe",
      "description": "Grupo de IoCs agrupados por Asafe Borges.",
      "modified": "2025-10-30T15:40:19.543000",
      "created": "2025-10-30T15:40:19.543000",
      "tags": [
        "object",
        "campaign sha256",
        "campaign"
      ],
      "references": [
        "IoCs_malware_whatsapp_campaign.csv",
        "dom\u00ednios_malware_sorvepotel 1.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "asafebelo",
        "id": "353090",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 9,
        "domain": 55,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "hostname": 2
      },
      "indicator_count": 78,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 0,
      "modified_text": "212 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "saogeraldoshoping.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "saogeraldoshoping.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780223275.3563008
}