EXECUTIVE SUMMARY
An unidentified threat actor is distributing malicious VBScript files through direct messages on WhatsApp. The campaign targets users of WhatsApp Desktop and WhatsApp Web across a wide geographic spread that includes Southeast Asia, Latin America, Europe, and Oceania, with Malaysia reporting the highest infection rate. The payload masquerades as financial or tax documents to entice execution, then installs a pre‑configured remote monitoring and management component that grants the attacker persistent remote access. The overall objective appears to be long‑term control of compromised endpoints for data exfiltration and potential ransomware deployment.
The infection chain begins when a recipient clicks the attached .vbs file, causing WhatsApp to store the script in the user’s download folder. Windows Script Host then launches the file, which creates a hidden working directory and retrieves two additional VBScript stages from remote servers. The first stage attempts to lower User Account Control prompts by modifying the relevant registry key, while the second stage downloads a compressed archive, extracts it silently, and runs a setup script that installs the RMM agent. Throughout the process the malware uses renamed system utilities and obfuscated strings to evade basic detection.
The campaign is noteworthy because it exploits a trusted communication channel and a legitimate administration platform, making the payload appear benign and difficult for conventional antivirus solutions to flag. Hidden directories, registry tweaks, and the use of standard Windows utilities further blur the line between normal activity and compromise, extending dwell time and complicating incident response. Organizations should reinforce user awareness around unexpected attachments, enforce execution restrictions on script files, monitor for unusual RMM installations, and maintain regular backups. Prompt patching of Windows components and continuous endpoint telemetry can also reduce the attack surface.
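As an added example (not code from the original report or from the referenced vendors), the following Python correlates constructed Sysmon-style process-create (ID 1) and registry-set (ID 13) events for three behaviours described above: a script host launching a .vbs from a Downloads folder, a UAC policy value being weakened, and a renamed system utility. The report does not name the specific registry key, so the standard UAC policy path under HKLM and all sample events are assumptions.

```python
"""Correlate Sysmon-style events for the WhatsApp .vbs -> RMM chain.
Added detection example; field names follow Sysmon event IDs 1 and 13."""
import re

# Assumption: "the relevant registry key" is the standard UAC policy path.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAK = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}  # value -> weakening setting
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def suspicious(ev):
    """Return the names of the rules a single event matches."""
    hits = []
    if ev["EventID"] == 1:
        exe = ev["Image"].rsplit("\\", 1)[-1].lower()
        # Rule 1: Windows Script Host running a .vbs that sits in a Downloads folder
        if exe in SCRIPT_HOSTS and re.search(r"\\downloads\\[^\"]*\.vbs\b", ev.get("CommandLine", ""), re.I):
            hits.append("vbs_from_downloads")
        # Rule 2: on-disk name differs from the PE's OriginalFileName (renamed utility)
        orig = ev.get("OriginalFileName", "").lower()
        if orig and orig != exe:
            hits.append("renamed_utility")
    elif ev["EventID"] == 13:
        key, _, value = ev["TargetObject"].rpartition("\\")
        m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)  # e.g. "DWORD (0x00000000)"
        # Rule 3: a UAC policy value written with a prompt-weakening setting
        if key.lower() == UAC_KEY.lower() and value in UAC_WEAK and m and int(m.group(1), 16) == UAC_WEAK[value]:
            hits.append("uac_weakened")
    return hits


def correlate(events):
    """Group rule hits per host and report hosts where two or more distinct rules fired."""
    per_host = {}
    for ev in events:
        for h in suspicious(ev):
            per_host.setdefault(ev["Computer"], set()).add(h)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= 2}


SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_Tax_2024.vbs"'},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\alice\AppData\Local\Temp\.cache\svc.exe",
     "OriginalFileName": "expand.exe", "CommandLine": r"svc.exe stage.cab -F:* ."},  # hypothetical renamed utility
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs'},  # benign admin script, no hit
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'WS01': ['renamed_utility', 'uac_weakened', 'vbs_from_downloads']}
```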
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Defense Evasion | T1564.004 | Hide Artifacts | NTFS File Attributes |
| Defense Evasion | T1036.003 | Masquerading | Rename System Utilities |
| Defense Evasion | T1027.007 | Obfuscated Files or Information | Dynamic API Resolution |
| Initial Access | T1078 | Valid Accounts | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html
https://securelist.com/whatsapp-vbs-rmm-campaign/120290/