- WhatsApp accounts across 11 countries are being hijacked to distribute malware-laden VBScript files.
- The campaign uses obfuscated scripts disguised as business documents to install legitimate RMM software for remote system access.
- The infection chain manipulates Windows UAC and leverages previously seen infrastructure linked to Gh0st RAT and ValleyRAT.
- Users in Malaysia have been the primary targets of this widespread social engineering attack.
Malicious actors have launched a global campaign using compromised WhatsApp accounts to deliver malware via direct messages, according to a recent report. This sophisticated social engineering scheme, active as of June 2026, primarily targets users in Malaysia, Brazil, India, and several other nations by distributing deceptive Visual Basic Script files.
The attack leverages hijacked accounts to send VBScript attachments masquerading as financial reports or account statements. Consequently, when executed, these heavily obfuscated scripts initiate a multi-stage infection process designed to install legitimate Remote Monitoring and Management software.
Security researcher Fareed Radzi from Kaspersky stated, “The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment.” The scripts contain extensive comments written in Chinese, mimicking legitimate Windows Update components to evade detection.
However, the infection method differs slightly between WhatsApp Web and the WhatsApp Desktop application. In the desktop client, the malware is executed directly by the application’s background process, while web users must manually open the downloaded file.
The final payloads attempt to tamper with Windows User Account Control and fetch a ZIP file containing ManageEngine RMM Central. Meanwhile, infrastructure analysis revealed overlaps with previous malware campaigns, though the activity remains unattributed.
Kaspersky advises extreme caution with unexpected WhatsApp attachments, especially script or executable file types. Users should independently verify the legitimacy of any suspicious files before opening them.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
