Date: 10/06/2025
Severity: Medium
Summary
SORVEPOTEL has been found spreading across Windows systems, accompanied by a message prompting users to open it on a desktop—indicating that the attackers are likely targeting enterprise environments. The malware exploits active WhatsApp sessions to automatically send the same malicious ZIP file to all contacts and groups linked to the victim’s compromised account, enabling rapid propagation. Its payload is an infostealer specifically aimed at financial institutions and cryptocurrency exchanges within the Brazilian market.
Indicators of Compromise (IOC) List
Domains\URLs : | expansiveuser.com https://sorvetenopote.com/api/itbi/Q77xivT4udoXayYELTwehMD666ovP6DZ imobiliariaricardoparanhos.com sorvetenopote.com www.expansiveuser.com www.sorvetenopote.com zapgrande.com sorvetenopoate.com sorvetenoopote.com etenopote.com expahnsiveuser.com sorv.etenopote.com sorvetenopotel.com casadecampoamazonas.com expansivebot.com bravexolutions.com adoblesecuryt.com saogeraldoshoping.com |
IP Address : | 23.227.203.179 140.99.164.81 92.246.130.15 |
Hash : | 2150f38c436eabebd3a93b3ace1064315153c882ce763991b6d0fb798766e0db
bd62148637152396b757c8b106d5a62982bce9df12f0a6030dda9138e44e7328
2d83c4d620866f4ae647ed6a70113686bb7b80b1a7bbdcf544fd0ffec105c4a6
3b68826e4a1d95b1dd58b3bf1095750f31a72d8bddd1dbb35e6547ac0cf4769b
1a0af26749f5bc21732c53fc12f3a148215c8221cbeffe920411656f1ffe7500
441a2ad553d166df3cd0ea02482f4b8370e8f9618753e1937a251a6318cb8eba
dcdde53c50aef9531c9f59f341a4e2d59796cdd94a973f2c2a464b2cafed41f5
c50b6ff360e5614d91f80a5e2d616a9d0d1a9984751bf251f065426a63dac0b5
|
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "sorvetenopoate.com" or url like "sorvetenopoate.com" or siteurl like "sorvetenopoate.com" or domainname like "sorv.etenopote.com" or url like "sorv.etenopote.com" or siteurl like "sorv.etenopote.com" or domainname like "www.expansiveuser.com" or url like "www.expansiveuser.com" or siteurl like "www.expansiveuser.com" or domainname like "expahnsiveuser.com" or url like "expahnsiveuser.com" or siteurl like "expahnsiveuser.com" or domainname like "sorvetenopotel.com" or url like "sorvetenopotel.com" or siteurl like "sorvetenopotel.com" or domainname like "adoblesecuryt.com" or url like "adoblesecuryt.com" or siteurl like "adoblesecuryt.com" or domainname like "etenopote.com" or url like "etenopote.com" or siteurl like "etenopote.com" or domainname like "www.sorvetenopote.com" or url like "www.sorvetenopote.com" or siteurl like "www.sorvetenopote.com" or domainname like "https://sorvetenopote.com/api/itbi/Q77xivT4udoXayYELTwehMD666ovP6DZ" or url like "https://sorvetenopote.com/api/itbi/Q77xivT4udoXayYELTwehMD666ovP6DZ" or siteurl like "https://sorvetenopote.com/api/itbi/Q77xivT4udoXayYELTwehMD666ovP6DZ" or domainname like "expansiveuser.com" or url like "expansiveuser.com" or siteurl like "expansiveuser.com" or domainname like "zapgrande.com" or url like "zapgrande.com" or siteurl like "zapgrande.com" or domainname like "imobiliariaricardoparanhos.com" or url like "imobiliariaricardoparanhos.com" or siteurl like "imobiliariaricardoparanhos.com" or domainname like "sorvetenopote.com" or url like "sorvetenopote.com" or siteurl like "sorvetenopote.com" or domainname like "sorvetenoopote.com" or url like "sorvetenoopote.com" or siteurl like "sorvetenoopote.com" or domainname like "casadecampoamazonas.com" or url like "casadecampoamazonas.com" or siteurl like "casadecampoamazonas.com" or domainnanme like "expansivebot.com" or url like "expansivebot.com" or siteurl like "expansivebot.com" or domainname like "bravexolutions.com" or url like "bravexolutions.com" or siteurl like "bravexolutions.com" or domainname like "saogeraldoshoping.com" or url like "saogeraldoshoping.com" or siteurl like "saogeraldoshoping.com" |
Detection Query 2 : | dstipaddress IN ("23.227.203.179","140.99.164.81","92.246.130.15") or srcipaddress IN ("23.227.203.179","140.99.164.81","92.246.130.15") |
Detection Query 3 : | sha256hash IN ("2d83c4d620866f4ae647ed6a70113686bb7b80b1a7bbdcf544fd0ffec105c4a6","c50b6ff360e5614d91f80a5e2d616a9d0d1a9984751bf251f065426a63dac0b5","bd62148637152396b757c8b106d5a62982bce9df12f0a6030dda9138e44e7328","dcdde53c50aef9531c9f59f341a4e2d59796cdd94a973f2c2a464b2cafed41f5","3b68826e4a1d95b1dd58b3bf1095750f31a72d8bddd1dbb35e6547ac0cf4769b","2150f38c436eabebd3a93b3ace1064315153c882ce763991b6d0fb798766e0db","1a0af26749f5bc21732c53fc12f3a148215c8221cbeffe920411656f1ffe7500","441a2ad553d166df3cd0ea02482f4b8370e8f9618753e1937a251a6318cb8eba")
|
Reference:
https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html