{
  "type": "Domain",
  "indicator": "zapgrande.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/zapgrande.com",
    "alexa": "http://www.alexa.com/siteinfo/zapgrande.com",
    "indicator": "zapgrande.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4136930013,
      "indicator": "zapgrande.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 21,
      "pulses": [
        {
          "id": "691457292075d4131c6db0ed",
          "name": "Analyzing the Link Between Two Evolving Brazilian Banking Trojans",
          "description": "This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands, downloading additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.",
          "modified": "2025-12-12T09:00:40.482000",
          "created": "2025-11-12T09:45:13.946000",
          "tags": [
            "maverick",
            "whatsapp",
            "banking trojan",
            ".net",
            "powershell",
            "multi-stage attack",
            "coyote",
            "obfuscation",
            "brazil"
          ],
          "references": [
            "https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Maverick",
              "display_name": "Maverick",
              "target": null
            },
            {
              "id": "Coyote",
              "display_name": "Coyote",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 48,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 3
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386550,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6927362a094590b632f8779c",
          "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)",
          "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil",
          "modified": "2026-02-26T18:55:49.942000",
          "created": "2025-11-26T17:17:28.844000",
          "tags": [
            "banker",
            "whatsapp"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Eternity",
              "display_name": "Eternity",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IncursioHack",
            "id": "371344",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44,
            "hostname": 4
          },
          "indicator_count": 48,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e008a257bca24dde4b2388",
          "name": "Self-Propagating Malware Spreads Via WhatsApp",
          "description": "",
          "modified": "2026-02-20T16:01:39.829000",
          "created": "2025-10-03T17:32:16.857000",
          "tags": [
            "malware spreads",
            "via whatsapp",
            "users",
            "compromise sha",
            "detection file",
            "ipsurls"
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sockbrazil",
            "id": "297373",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 16,
            "URL": 1578,
            "domain": 18,
            "hostname": 3,
            "FileHash-MD5": 275,
            "FileHash-SHA1": 7
          },
          "indicator_count": 1897,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 6,
          "modified_text": "99 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692417d9592d7e0be128f6dd",
          "name": "IOC Blocking",
          "description": "",
          "modified": "2025-12-24T08:03:27.807000",
          "created": "2025-11-24T08:31:21.430000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "vijay2752",
            "id": "368558",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 3
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692025f8c16acca6f3d3e477",
          "name": "TI Advisory No-ESAF-SOC-TI-457",
          "description": "",
          "modified": "2025-12-21T08:00:07.481000",
          "created": "2025-11-21T08:42:32.337000",
          "tags": [],
          "references": [
            "UST_Threat Advisiory Report_13.11.2025_Maverick & Coyote - Banking Trojan Threat Advisory-1.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 8,
            "URL": 66
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "161 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69201e95fd53ddea32d9bcd5",
          "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
          "modified": "2025-12-21T08:00:07.481000",
          "created": "2025-11-21T08:11:00.138000",
          "tags": [
            "malware spreads, via whatsapp, users, compromise sha, detection "
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mr.taz92",
            "id": "370502",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 17,
          "modified_text": "161 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916aa77dacfe4a69f394336",
          "name": "EbeeNov2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-20T21:02:55.026000",
          "created": "2025-11-14T04:05:11.738000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "filehashsha256"
          ],
          "references": [
            "Nov.Week2.csv"
          ],
          "public": 1,
          "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 4,
            "FileHash-MD5": 157,
            "FileHash-SHA1": 100,
            "FileHash-SHA256": 131,
            "URL": 117,
            "domain": 263,
            "hostname": 18,
            "email": 1
          },
          "indicator_count": 791,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "161 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691f1d132d139a8c1658b274",
          "name": "ACTIVIDAD MALICIOSA | Rerlacionada con Estafa de WhatsApp",
          "description": "Mensajer\u00eda de WhatsApp y malware y atacantes are proliferating en r\u00e1pida eu campa\u00f1a de ingenier\u00eda social, a report by eSecurity Planet.",
          "modified": "2025-12-20T13:05:22.443000",
          "created": "2025-11-20T13:52:19.345000",
          "tags": [
            "whatsapp",
            "figura",
            "powershell",
            "brasil",
            "whatsapp web",
            "maverick",
            "coyote",
            "filename",
            "captura",
            "water saci",
            "meta",
            "teamviewer",
            "info",
            "kill",
            "virustotal",
            "hunters",
            "robo",
            "anydesk",
            "tenga",
            "cuando",
            "el",
            "contenido",
            "nunca"
          ],
          "references": [
            "https://www.esecurityplanet.com/",
            "https://thehackernews.com/",
            "https://www.cyberproof.com/",
            "https://www.welivesecurity.com/",
            "",
            "https://www.virustotal.com/graph/embed/g8c3618d3041f4e85bef5e381f5875a8b97902acc771345b3a45ea4cf1a276991?theme=light"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Maverick",
              "display_name": "Maverick",
              "target": null
            },
            {
              "id": "Coyote",
              "display_name": "Coyote",
              "target": null
            },
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            }
          ],
          "industries": [
            "comunicaciones"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 3,
            "URL": 4,
            "domain": 32,
            "hostname": 15
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691eec6cd49a4086d2537eec",
          "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
          "description": "",
          "modified": "2025-12-20T10:00:30.740000",
          "created": "2025-11-20T10:24:44.952000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691ee9d3ad89810ceab7196e",
          "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
          "description": "",
          "modified": "2025-12-20T10:00:30.740000",
          "created": "2025-11-20T10:13:39.877000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 1,
            "domain": 11,
            "hostname": 1
          },
          "indicator_count": 25,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6916a02c11e45ff5b66a2778",
          "name": "Maverick & Coyote - Banking Trojan Threat",
          "description": "",
          "modified": "2025-12-14T02:00:42.502000",
          "created": "2025-11-14T03:21:14.493000",
          "tags": [],
          "references": [
            "UST_Threat Advisiory Report_13.11.2025_Maverick & Coyote - Banking Trojan Threat Advisory.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "vijay2752",
            "id": "368558",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3,
            "domain": 8,
            "URL": 67
          },
          "indicator_count": 81,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "168 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6913efebab44e291052ed525",
          "name": "IOC - Maverick and Coyote: Analyzing the Link Between Two Evolving Brazilian Banking Trojans",
          "description": "The CyberProof SOC Team and Threat Hunters responded to an incident involving a suspicious file download spotted through the messaging application WhatsApp. Further investigation helped uncover more related incidents, however the complete infection chain could not be observed or additional files from Command and control failed to deliver in our investigations. VirusTotal hunting of similar files helped us collect more files tied to this Brazilian targeting campaign and we found our analysis related to public research tied to Maverick banking trojan by Kaspersky, WhatsApp worm by Sophos and Sorvepotel by TrendMicro. We saw good number of similarities with the earlier reported Coyote banking malware campaign programmed to target the Brazilian region.\n\nIn this blog, we also share a hunting query to check for suspicious files downloaded through WhatsApp to enable threat hunters and soc team to check for unknown file downloads.",
          "modified": "2025-12-12T02:01:24.665000",
          "created": "2025-11-12T02:24:43.553000",
          "tags": [
            "ip asn"
          ],
          "references": [
            "https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "domain": 3
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "170 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e81aa6fa499ffa699c90fe",
          "name": "EbeeOct2025 Pt1",
          "description": "",
          "modified": "2025-11-09T00:03:01.593000",
          "created": "2025-10-09T20:27:18.015000",
          "tags": [],
          "references": [
            "IOCs_Oct week-1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple APT/Malware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 53,
            "URL": 46,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 287,
            "CVE": 1,
            "domain": 71
          },
          "indicator_count": 795,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "203 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e74be5fed73285beeb948f",
          "name": "Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend Micro (US)",
          "description": "Trend is the world's leading provider of artificial intelligence (AI) security solutions, with a range of products designed to protect businesses from cyber attacks and cyber-threats, from email to network security.",
          "modified": "2025-11-08T05:02:32.251000",
          "created": "2025-10-09T05:45:09.336000",
          "tags": [
            "malware",
            "latest news",
            "research",
            "phishing",
            "learn",
            "whatsapp",
            "trend micro",
            "trend vision",
            "trend research",
            "brazil",
            "whatsapp web",
            "c server",
            "water saci",
            "lnk file",
            "alliance",
            "powershell",
            "find",
            "loader",
            "bradesco",
            "banco",
            "stop",
            "protect",
            "small",
            "carriers",
            "voice",
            "attack",
            "download",
            "persistence",
            "trojanspy",
            "locale",
            "format",
            "brazilian",
            "next",
            "trojan",
            "turn",
            "telegram",
            "korean",
            "watsonclient"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "WhatsApp",
              "display_name": "WhatsApp",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "WatsonClient",
              "display_name": "WatsonClient",
              "target": null
            },
            {
              "id": "Water Saci",
              "display_name": "Water Saci",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Crypto",
            "Financial",
            "Government",
            "Manufacturing",
            "Technology",
            "Education",
            "Construction"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 35,
            "hostname": 17
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 60,
          "modified_text": "204 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e71027b3f0c097d0dc40ba",
          "name": "IOC - Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users",
          "description": "Trend\u2122 Research  is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil.",
          "modified": "2025-11-08T01:03:18.532000",
          "created": "2025-10-09T01:30:15.440000",
          "tags": [
            "malware spreads",
            "via whatsapp",
            "users",
            "compromise sha",
            "detection file",
            "ipsurls"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 14,
            "hostname": 3
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "204 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dd47b9cd1d0cba597ed47c",
          "name": "IoCs Phishing Comprovante Whatsapp (atualizado 03/10/25)",
          "description": "IoCs relacionados a phishing de comprovante zip por whatsapp",
          "modified": "2025-11-02T18:02:27.721000",
          "created": "2025-10-01T15:24:39.353000",
          "tags": [
            "WhatsApp",
            "ZIP",
            "Comprovante"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Brazil"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Pantera",
              "display_name": "Trojan:Win32/Pantera",
              "target": "/malware/Trojan:Win32/Pantera"
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 46,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "socinterplayers",
            "id": "261638",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 271,
            "domain": 43,
            "hostname": 17,
            "URL": 5
          },
          "indicator_count": 336,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 10,
          "modified_text": "209 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6904a6a97bf4a9cccf2c816c",
          "name": "Campanha de Phishing Brasil \u2014 Uma analise do Malware",
          "description": "Nos ultimos dias detectamos uma campanha de phishing disseminada via WhatsApp no Brasil. O vetor de distribui\u00e7\u00e3o s\u00e3o arquivos ZIP com nomes que imitam comprovantes ou recibos (ex.: NEW-20251001_142417-PED_B921F902.zip, ComprovanteSantander-13390363.913574822.zip). O ZIP cont\u00e9m um atalho (.lnk) que, ao ser clicado, executa um cmd contendo diversos for que montam e invocam um comando PowerShell ofuscado. O PowerShell baixa um payload (\u2248757 KB) de um dom\u00ednio malicioso e reconstr\u00f3i/execute em mem\u00f3ria um assembly .NET \u2014 comportamento fileless.",
          "modified": "2025-10-31T12:08:07.650000",
          "created": "2025-10-31T12:08:07.650000",
          "tags": [
            "encodedcommand",
            "anlise tcnica",
            "bnye5s",
            "base64",
            "utf16le",
            "fileless",
            "bnye5s%",
            "Brazil",
            "brasil",
            "phishing"
          ],
          "references": [
            "https://medium.com/@dathannobrega/campanha-de-phishing-brasil-uma-analise-do-malware-f08b3df50539"
          ],
          "public": 1,
          "adversary": "NUNCA",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dathannobrega",
            "id": "284201",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 3,
            "hostname": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 18,
          "modified_text": "212 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690386e470ff039b4812f36a",
          "name": "IoCs_Asafe",
          "description": "Grupo de IoCs agrupados por Asafe Borges.",
          "modified": "2025-10-30T15:40:19.543000",
          "created": "2025-10-30T15:40:19.543000",
          "tags": [
            "object",
            "campaign sha256",
            "campaign"
          ],
          "references": [
            "IoCs_malware_whatsapp_campaign.csv",
            "dom\u00ednios_malware_sorvepotel 1.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "asafebelo",
            "id": "353090",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 9,
            "domain": 55,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "hostname": 2
          },
          "indicator_count": 78,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 0,
          "modified_text": "213 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e06a869eb198668b562a99",
          "name": "Twitter Feed - FABO97662188 - 03-10-2025",
          "description": "",
          "modified": "2025-10-04T00:29:58.467000",
          "created": "2025-10-04T00:29:58.467000",
          "tags": [
            "Trojan",
            "malware"
          ],
          "references": [
            "https://x.com/FABO97662188/status/1974086750923530316"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 3
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "239 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e0656ba2258a7ddff6cf37",
          "name": "Self-Spreading WhatsApp Malware Named SORVEPOTEL",
          "description": "",
          "modified": "2025-10-04T00:08:11.852000",
          "created": "2025-10-04T00:08:11.852000",
          "tags": [
            "urls",
            "dz domains"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 11,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "239 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dff609e21c6053f8ed4d4a",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con SORVEPOTEL 03-10-2025",
          "description": "SORVEPOTEL es un malware autopropagable dise\u00f1ado para infectar sistemas Windows, caracterizado por su sofisticado mecanismo de distribuci\u00f3n a trav\u00e9s de aplicaciones de mensajer\u00eda instant\u00e1nea. Su arquitectura emplea m\u00faltiples capas de ofuscaci\u00f3n y t\u00e9cnicas de evasi\u00f3n, comenzando con archivos ZIP maliciosos que contienen accesos directos LNK. Estos archivos LNK ejecutan scripts de PowerShell y comandos de Windows altamente ofuscados mediante codificaci\u00f3n Base64, permitiendo la descarga encubierta de cargas \u00fatiles adicionales desde servidores controlados por los atacantes.",
          "modified": "2025-10-03T16:27:56.081000",
          "created": "2025-10-03T16:12:57.722000",
          "tags": [
            "ta0001 initial",
            "access",
            "ta0005 defense",
            "ta0011 command",
            "control",
            "t1059 command",
            "files",
            "t1547 boot",
            "logon autostart",
            "execution"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light",
            "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL",
            "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SORVEPOTEL",
              "display_name": "SORVEPOTEL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 11,
            "hostname": 3
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 267,
          "modified_text": "239 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "IoCs_malware_whatsapp_campaign.csv",
        "UST_Threat Advisiory Report_13.11.2025_Maverick & Coyote - Banking Trojan Threat Advisory-1.pdf",
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt",
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt",
        "https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html",
        "https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/",
        "https://www.virustotal.com/graph/embed/g8c3618d3041f4e85bef5e381f5875a8b97902acc771345b3a45ea4cf1a276991?theme=light",
        "https://darfe.es/ciberwiki/index.php?title=SORVEPOTEL",
        "https://www.virustotal.com/graph/embed/g1a6b6e5ddf2347f79043b198a49d6ae67d0e8b375fe44d1f9a1b2619b224ac5a?theme=light",
        "https://x.com/FABO97662188/status/1974086750923530316",
        "UST_Threat Advisiory Report_13.11.2025_Maverick & Coyote - Banking Trojan Threat Advisory.pdf",
        "https://thehackernews.com/",
        "dom\u00ednios_malware_sorvepotel 1.csv",
        "https://www.esecurityplanet.com/",
        "https://medium.com/@dathannobrega/campanha-de-phishing-brasil-uma-analise-do-malware-f08b3df50539",
        "https://www.cyberproof.com/",
        "https://www.welivesecurity.com/",
        "IOCs_Oct week-1.pdf",
        "Nov.Week2.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Maverick",
            "Coyote"
          ],
          "industries": [
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428",
            "NUNCA",
            "Multiple APT/Malware"
          ],
          "malware_families": [
            "Water saci",
            "Maverick",
            "Watsonclient",
            "Trojanspy",
            "Coyote",
            "Sorvepotel",
            "Whatsapp",
            "Eternity",
            "Trojan:win32/pantera"
          ],
          "industries": [
            "Technology",
            "Manufacturing",
            "Financial",
            "Crypto",
            "Education",
            "Construction",
            "Government",
            "Comunicaciones"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 21,
  "pulses": [
    {
      "id": "691457292075d4131c6db0ed",
      "name": "Analyzing the Link Between Two Evolving Brazilian Banking Trojans",
      "description": "This intelligence report examines the connection between two Brazilian banking trojans, Maverick and Coyote. The malware spreads through WhatsApp, using a multi-stage attack that begins with a malicious LNK file. Both trojans share similarities in their infection methods, targeting Brazilian users and banks. The attack chain involves obfuscated PowerShell commands, downloading additional payloads from command and control servers. The malware employs anti-analysis techniques and targets specific browsers. Persistence is achieved through a batch file in the startup folder. The report provides technical details, including code samples and infection chain analysis, as well as indicators of compromise for the identified malware campaign.",
      "modified": "2025-12-12T09:00:40.482000",
      "created": "2025-11-12T09:45:13.946000",
      "tags": [
        "maverick",
        "whatsapp",
        "banking trojan",
        ".net",
        "powershell",
        "multi-stage attack",
        "coyote",
        "obfuscation",
        "brazil"
      ],
      "references": [
        "https://www.cyberproof.com/blog/maverick-and-coyote-analyzing-the-link-between-two-evolving-brazilian-banking-trojans/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Maverick",
          "display_name": "Maverick",
          "target": null
        },
        {
          "id": "Coyote",
          "display_name": "Coyote",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 48,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 1,
        "domain": 3
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386550,
      "modified_text": "170 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6927362a094590b632f8779c",
      "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)",
      "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil",
      "modified": "2026-02-26T18:55:49.942000",
      "created": "2025-11-26T17:17:28.844000",
      "tags": [
        "banker",
        "whatsapp"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Eternity",
          "display_name": "Eternity",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IncursioHack",
        "id": "371344",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44,
        "hostname": 4
      },
      "indicator_count": 48,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "93 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e008a257bca24dde4b2388",
      "name": "Self-Propagating Malware Spreads Via WhatsApp",
      "description": "",
      "modified": "2026-02-20T16:01:39.829000",
      "created": "2025-10-03T17:32:16.857000",
      "tags": [
        "malware spreads",
        "via whatsapp",
        "users",
        "compromise sha",
        "detection file",
        "ipsurls"
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-hhTEpdC.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sockbrazil",
        "id": "297373",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 16,
        "URL": 1578,
        "domain": 18,
        "hostname": 3,
        "FileHash-MD5": 275,
        "FileHash-SHA1": 7
      },
      "indicator_count": 1897,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 6,
      "modified_text": "99 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692417d9592d7e0be128f6dd",
      "name": "IOC Blocking",
      "description": "",
      "modified": "2025-12-24T08:03:27.807000",
      "created": "2025-11-24T08:31:21.430000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "vijay2752",
        "id": "368558",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "domain": 3
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "158 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692025f8c16acca6f3d3e477",
      "name": "TI Advisory No-ESAF-SOC-TI-457",
      "description": "",
      "modified": "2025-12-21T08:00:07.481000",
      "created": "2025-11-21T08:42:32.337000",
      "tags": [],
      "references": [
        "UST_Threat Advisiory Report_13.11.2025_Maverick & Coyote - Banking Trojan Threat Advisory-1.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3,
        "domain": 8,
        "URL": 66
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "161 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69201e95fd53ddea32d9bcd5",
      "name": "Trendmicro Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "description": "Self-Propagating Malware Spreads Via WhatsApp, Targets Brazilian Users",
      "modified": "2025-12-21T08:00:07.481000",
      "created": "2025-11-21T08:11:00.138000",
      "tags": [
        "malware spreads, via whatsapp, users, compromise sha, detection "
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/WhatsApp%20Self-Propagating%20Malware%20IoCs-VAeQJ5r.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mr.taz92",
        "id": "370502",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 14,
        "hostname": 3
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 17,
      "modified_text": "161 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6916aa77dacfe4a69f394336",
      "name": "EbeeNov2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-20T21:02:55.026000",
      "created": "2025-11-14T04:05:11.738000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "filehashsha256"
      ],
      "references": [
        "Nov.Week2.csv"
      ],
      "public": 1,
      "adversary": "SmudgedSerpent, Sneaky Malware, XLoader, DragonForce, NGATE Android Malware, Phatom Raven, TA4428",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 4,
        "FileHash-MD5": 157,
        "FileHash-SHA1": 100,
        "FileHash-SHA256": 131,
        "URL": 117,
        "domain": 263,
        "hostname": 18,
        "email": 1
      },
      "indicator_count": 791,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "161 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691f1d132d139a8c1658b274",
      "name": "ACTIVIDAD MALICIOSA | Rerlacionada con Estafa de WhatsApp",
      "description": "La mensajer\u00eda de WhatsApp, el malware y los atacantes est\u00e1n proliferando en una r\u00e1pida campa\u00f1a de ingenier\u00eda social, seg\u00fan un informe de eSecurity Planet.",
      "modified": "2025-12-20T13:05:22.443000",
      "created": "2025-11-20T13:52:19.345000",
      "tags": [
        "whatsapp",
        "figura",
        "powershell",
        "brasil",
        "whatsapp web",
        "maverick",
        "coyote",
        "filename",
        "captura",
        "water saci",
        "meta",
        "teamviewer",
        "info",
        "kill",
        "virustotal",
        "hunters",
        "robo",
        "anydesk",
        "tenga",
        "cuando",
        "el",
        "contenido",
        "nunca"
      ],
      "references": [
        "https://www.esecurityplanet.com/",
        "https://thehackernews.com/",
        "https://www.cyberproof.com/",
        "https://www.welivesecurity.com/",
        "",
        "https://www.virustotal.com/graph/embed/g8c3618d3041f4e85bef5e381f5875a8b97902acc771345b3a45ea4cf1a276991?theme=light"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Brazil"
      ],
      "malware_families": [
        {
          "id": "Maverick",
          "display_name": "Maverick",
          "target": null
        },
        {
          "id": "Coyote",
          "display_name": "Coyote",
          "target": null
        },
        {
          "id": "SORVEPOTEL",
          "display_name": "SORVEPOTEL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        }
      ],
      "industries": [
        "comunicaciones"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 3,
        "URL": 4,
        "domain": 32,
        "hostname": 15
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691eec6cd49a4086d2537eec",
      "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
      "description": "",
      "modified": "2025-12-20T10:00:30.740000",
      "created": "2025-11-20T10:24:44.952000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 1,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691ee9d3ad89810ceab7196e",
      "name": "Update 1: Water Saci: WhatsApp-Driven SORVEPOTEL Malware Targets Brazilian Enterprises",
      "description": "",
      "modified": "2025-12-20T10:00:30.740000",
      "created": "2025-11-20T10:13:39.877000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 1,
        "domain": 11,
        "hostname": 1
      },
      "indicator_count": 25,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "zapgrande.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "zapgrande.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242198.5318272
}