SEVEN.LEGEND // V4
Scanning for SORVEPOTEL
POWERSHELL
PowerShell script to detect indicators of SORVEPOTEL malware on Windows systems. It scans for recently created executables in the temp directory (the residue of a suspicious ZIP extraction), active WhatsApp Web processes, recent PowerShell script-block execution logs, and newly registered scheduled tasks. Designed to identify systems potentially compromised by the self-propagating WhatsApp-based malware targeting enterprise environments in late 2024.
ID: SORVEPOTEL // LANG: Powershell // LINES: 13
# Check for suspicious executables recently dropped in the temp directory (e.g. from a ZIP extraction)
Get-ChildItem -Path $env:TEMP -Recurse -File -Filter "*.exe" -ErrorAction SilentlyContinue |
    Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)}

# Check for WhatsApp Web active processes
Get-Process | Where-Object {$_.ProcessName -like "*whatsapp*"}

# Check recent PowerShell execution history (event 4104 = script block logging; only present if it is enabled)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Check scheduled tasks registered recently
# The Date property is a string (often empty), so convert it before comparing instead of comparing text
Get-ScheduledTask | Where-Object {
    $registered = $_.Date -as [datetime]
    $registered -and $registered -gt (Get-Date).AddDays(-7)
}
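The same four checks consolidated into a single function that returns structured findings (so they can be sorted, exported or fed to a SIEM) and also records what each recent scheduled task executes. This is an added example, not the snippet from the page; the 7-day window, the `whatsapp`/`Expand-Archive`/`\Temp\` log keywords and the `Get-SorvepotelFindings` name are assumptions for illustration, not published indicators.

```powershell
# Added example, not the page's script. Heuristics (keywords, lookback window) are assumptions.
function Get-SorvepotelFindings {
    param([int]$LookbackDays = 7)
    $since    = (Get-Date).AddDays(-$LookbackDays)
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Executables/scripts recently created under %TEMP% (possible ZIP extraction residue)
    Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.dll, *.ps1 -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Category = 'TempExecutable'; When = $_.CreationTime; Detail = $_.FullName })
        }

    # 2. Running WhatsApp processes (StartTime can throw for protected processes, so guard it)
    Get-Process | Where-Object { $_.ProcessName -like '*whatsapp*' } | ForEach-Object {
        $started = try { $_.StartTime } catch { $null }
        $findings.Add([pscustomobject]@{ Category = 'WhatsAppProcess'; When = $started; Detail = "$($_.ProcessName) (PID $($_.Id))" })
    }

    # 3. Script-block log entries (4104) inside the window that mention assumed keywords
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'whatsapp|Expand-Archive|\\Temp\\' } |
        ForEach-Object {
            $snippet = ($_.Message -replace '\s+', ' ')
            if ($snippet.Length -gt 120) { $snippet = $snippet.Substring(0, 120) + '...' }
            $findings.Add([pscustomobject]@{ Category = 'ScriptBlockLog'; When = $_.TimeCreated; Detail = $snippet })
        }

    # 4. Scheduled tasks registered inside the window; Date is a string, so convert before comparing
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $registered = $_.Date -as [datetime]
        if ($registered -and $registered -gt $since) {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
            $findings.Add([pscustomobject]@{ Category = 'NewScheduledTask'; When = $registered; Detail = "$($_.TaskPath)$($_.TaskName) -> $actions" })
        }
    }

    return $findings
}

# Usage: newest findings first, or export for triage
Get-SorvepotelFindings | Sort-Object When -Descending | Format-Table -AutoSize
# Get-SorvepotelFindings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\sorvepotel-findings.csv"
```

Run it in an elevated session: without administrator rights the scheduled-task list and the PowerShell operational log are only partially readable, and 4104 events exist only where script block logging has been enabled.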