As far as I'm concerned, these seem to come in ZIP archives with the LNK calling the BAT and, at the very least, get distributed through #WhatsApp.
And potentially through cliente[.]rte[.]com[.]br a few days ago.
Don't have access to WhatsApp Web on the compromised systems.
'HealthApp-a00697.bat' is a FUD from Brazil @abuse_ch
bazaar.abuse.ch/sample/cfe65…
expansiveuser(.)com
Same domain as below 👇
Oct 2, 2025 · 2:18 AM UTC