TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Trend Micro Research

Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users

John Rainier Navato · 2025-10-03

ATT&CK techniques detected

17 predictions
T1059.001 PowerShell · 100%
"to excessive spam activity. Once decoded, the PowerShell command generates a URL that points to the command-and-control (C&C) server. Using Net.WebClient, the script downloads content from this address, which is then immediately executed in memory via Invoke-Expression…"

T1059.001 PowerShell · 98%
"leverages the encoded command (-enc) feature for additional payload obfuscation. Batch script download and persistence. The payload downloaded by the script is usually a batch file (.bat), designed to establish persistence on the infected system. This is achieved by copying i…"

T1566.001 Spearphishing Attachment · 91%
"or "orcamento_114418.zip," or something similarly disguised as a benign document, such as a receipt, budget, or health app-related file. Exploiting trust in WhatsApp conversations, the message, which is in Portuguese, encourages the user to "baixa o zip no pc e abre" (d…"

T1204.002 Malicious File · 88%
"Malicious LNK file. Upon extracting the ZIP file, the victim discovers a Windows shortcut (.lnk) file. When the LNK file is executed, this shortcut covertly launches a command-line or PowerShell script that downloads the primary malware payload from attacker-controlled domai…"

T1204.002 Malicious File · 87%
"or "orcamento_114418.zip," or something similarly disguised as a benign document, such as a receipt, budget, or health app-related file. Exploiting trust in WhatsApp conversations, the message, which is in Portuguese, encourages the user to "baixa o zip no pc e abre" (d…"

T1071 Application Layer Protocol · 84%
"ISO RegionName = "BRA" - Region name = "Brazil" or "Brasil" - Two letter ISO RegionName = "BR" - System time is set to Brazilian format: - "dd/mm/yyyy" (standard Brazilian) - "dd/mm/yy" (short year Brazilian) - "dd/mm" (minimal Brazilian) - "dd/mm…"

T1059.001 PowerShell · 72%
"Shellcode injected into powershell_ise.exe is responsible for decrypting the next-stage payload and loading it via CLR hosting, as demonstrated by the APIs observed during runtime and enumerated below. First payload: Maverick.StageTwo. One of the retrieved payloads is a .NET…"

T1620 Reflective Code Loading · 69%
"A key feature of this malware is its ability to detect whether WhatsApp Web is active on the infected machine. When detected, the malware leverages this session to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compr…"

T1620 Reflective Code Loading · 59%
"[.]com[.]br - uniprimebr[.]com[.]br - www[.]banestes[.]com[.]br - www[.]itau[.]com[.]br - www[.]rendimento[.]com[.]br - www2s[.]bancoamazonia[.]com[.]br - wwws[.]uniprimedobrasil[.]com[.]br - zeitbank[.]com[.]br The ma…"

T1566.001 Spearphishing Attachment · 59%
"and have clear BYOD policies in place if this is the case. Attackers know the big investment of companies in common attack vectors such as e-mail and web gateways and so get a ride via BYOD of mobiles. The false sense of urgency impressed upon the user to open their computer an…"

T1059.001 PowerShell · 51%
"A key feature of this malware is its ability to detect whether WhatsApp Web is active on the infected machine. When detected, the malware leverages this session to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compr…"

T1059.001 PowerShell · 49%
"/]zapgrande[.]com/api/v1/{hashed GUID-based endpoint identifier}, which includes an X-Timestamp containing the execution timestamp, and an X-Request-Hash consisting of a base64-encoded value. The X-Request-Hash header contains a base64-encoded HMACSHA…"

T1566.002 Spearphishing Link · 44%
"to all contacts and groups associated with the victim’s compromised account for rapid propagation. - The payload of this threat is an infostealer designed to target various financial institutions and crypto exchanges in the Brazilian market. Trend™ Research is currently inves…"

T1055.001 Dynamic-link Library Injection · 42%
"A key feature of this malware is its ability to detect whether WhatsApp Web is active on the infected machine. When detected, the malware leverages this session to automatically distribute the same malicious ZIP file to all contacts and groups associated with the victim’s compr…"

T1041 Exfiltration Over C2 Channel · 38%
"ISO RegionName = "BRA" - Region name = "Brazil" or "Brasil" - Two letter ISO RegionName = "BR" - System time is set to Brazilian format: - "dd/mm/yyyy" (standard Brazilian) - "dd/mm/yy" (short year Brazilian) - "dd/mm" (minimal Brazilian) - "dd/mm…"

T1217 Browser Information Discovery · 35%
"browser) and returns "banco.bradesco" if detected, indicating this malware specifically targets Brazilian banking customers. The trojan continuously monitors the user's active browser URL and conditionally executes malicious payloads when specific target websites are visite…"

T1055.001 Dynamic-link Library Injection · 33%
"Shellcode injected into powershell_ise.exe is responsible for decrypting the next-stage payload and loading it via CLR hosting, as demonstrated by the APIs observed during runtime and enumerated below. First payload: Maverick.StageTwo. One of the retrieved payloads is a .NET…"

Summary

Trend™ Research has identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts.