The Sorvepotel malware campaign has escalated its operations against Brazilian financial institutions, adding new attack vectors that abuse WhatsApp Web sessions to harvest banking credentials for customers of more than 20 major banks. The page's sources describe it as one of the more capable banking Trojan operations currently aimed at Latin American financial markets.
According to the analysts cited here, Sorvepotel now uses a multi-stage infection chain that starts with social engineering: messages sent from compromised WhatsApp accounts or plain phishing lures. When a user follows the malicious link, the dropped payload targets the victim's WhatsApp Web session, giving the attackers persistent access to the messaging account itself rather than only to the device.
Sorvepotel's technical weight lies in combining several techniques in one operation: it intercepts two-factor authentication codes and session tokens while capturing banking credentials through overlay screens and keylogging. It is also reported to evade many mobile security products by masquerading as a legitimate application and by loading its malicious code dynamically at runtime, so the installed package looks benign to static checks.
Recent campaign analysis shows that Sorvepotel has widened its target list beyond traditional banking applications to investment platforms, digital wallets, and government financial services. This reflects the operators adapting to the Brazilian digital financial ecosystem, where users routinely rely on several financial applications for everyday transactions.
The infection vector is social engineering: victims receive messages that appear to come from trusted contacts or official sources and contain links that redirect to sites hosting the Sorvepotel payload. Once installed, the malware requests broad permissions that let it monitor device activity, capture screenshots during banking sessions, and read SMS messages carrying authentication codes.
What makes Sorvepotel particularly dangerous is its WhatsApp Web integration. By hijacking a WhatsApp session, the attackers retain access to the account even after the initial infection is detected and removed from the phone, because the linked browser session lives outside the device. In practical terms, cleaning the handset is not enough: the victim also has to review WhatsApp's "Linked devices" list and log out every session they do not recognise. This persistence mechanism is a notable step beyond earlier Brazilian banking Trojans.
Security researchers also note several anti-analysis techniques: environment detection, and delayed execution when security applications are present on the device. Stolen data is exfiltrated to command-and-control servers over encrypted channels, which makes detection and analysis harder. Encryption hides the content but not the behaviour, however; a host that calls the same external destination on a fixed timer still stands out in connection logs.
Organizations operating in Brazil should combine application allowlisting, network monitoring for suspicious outbound connections, and staff training on social engineering. Multi-factor authentication remains essential, but SMS-based codes are exactly what Sorvepotel is reported to intercept, so hardware security keys or app-based authenticators are the better choice; of the two, only hardware keys are also resistant to a code being phished or captured on screen.
The economic impact is substantial, with preliminary estimates putting potential losses at millions across the targeted institutions. The Brazilian Central Bank and cybersecurity authorities have issued alerts to financial institutions recommending closer monitoring of unusual transaction patterns and additional verification steps for high-value operations.
As the campaign evolves, researchers expect further adaptation, including expansion to other messaging platforms and heavier targeting of corporate banking accounts. The Sorvepotel operation illustrates the growing sophistication of financial malware aimed at emerging markets and the need for defences that keep pace with it.