An ongoing malware campaign is targeting WhatsApp users across multiple countries, using deceptive messages that push VBScript files to contacts — and it’s leading to full remote system access.
Here’s how it works. The attacker sends messages from compromised WhatsApp accounts. The messages contain nothing but a heavily obfuscated VBS file, named to look like a financial report, billing statement, or account notice. The filenames are localized in multiple languages, which tells you this is a global operation.
When a victim downloads and opens the file on Windows, the VBScript fetches two additional scripts from the attacker’s infrastructure. Those scripts disable UAC protections through Registry modifications, then download a ZIP archive containing ManageEngine Endpoint Central — a legitimate IT management tool used by administrators everywhere.
The software gets silently installed in the background and configured to connect to attacker-controlled management servers. That gives the attacker remote administration access on the victim’s computer. From there, the world is their oyster.
Kaspersky’s telemetry shows the campaign spreading across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The researchers found signs of Chinese language use and infrastructure overlap with IPs previously associated with ValleyRAT and Gh0st RAT activity, but there’s not enough evidence for high-confidence attribution yet.
What’s still unknown is how the attacker compromised the WhatsApp accounts in the first place.
There’s an important technical detail here. When the VBScript file is delivered via WhatsApp Web, it has to be downloaded manually. But when opened in the WhatsApp Desktop client, it can be executed directly via Windows Script Host. That’s a meaningful difference in the attack chain.
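The two stages described above (WhatsApp Desktop handing a .vbs straight to Windows Script Host, then a script disabling UAC through the Registry) are the parts of this chain a defender can watch for. The following detection logic is an added example, not code from the article or from Kaspersky; it runs over constructed key=value telemetry lines, and the UAC values it checks (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard policy values assumed here, since the article does not say which ones the scripts modify.

```python
import re
from typing import Dict, List

# Constructed sample endpoint telemetry (not real campaign data), one event per line.
SAMPLE_EVENTS = [
    'type=process parent=C:\\Users\\u\\AppData\\Local\\WhatsApp\\WhatsApp.exe image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe C:\\Users\\u\\Downloads\\Invoice_0323.vbs"',
    'type=registry image=C:\\Windows\\System32\\wscript.exe key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA value=0',
    'type=registry image=C:\\Windows\\System32\\wscript.exe key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin value=0',
    'type=process parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    'type=registry image=C:\\Windows\\regedit.exe key=HKCU\\Software\\Example\\Theme value=dark',
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed standard UAC policy values; the article does not name the exact keys the scripts touch.
UAC_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"
UAC_VALUES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value telemetry line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for process-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines: List[str]) -> List[str]:
    """Return one finding per event that matches a stage of the described chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("image", ""))
        if ev.get("type") == "process":
            parent = basename(ev.get("parent", ""))
            # Stage 1: WhatsApp Desktop spawning Windows Script Host on a .vbs file.
            if parent == "whatsapp.exe" and image in SCRIPT_HOSTS and ".vbs" in ev.get("cmdline", "").lower():
                findings.append(f"vbs-from-whatsapp: {ev['cmdline']}")
        elif ev.get("type") == "registry":
            key = ev.get("key", "")
            # Stage 2: a script host zeroing a UAC policy value.
            if image in SCRIPT_HOSTS and key.startswith(UAC_KEY) and key[len(UAC_KEY):] in UAC_VALUES and ev.get("value") == "0":
                findings.append(f"uac-disabled-by-script-host: {key[len(UAC_KEY):]}")
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign explorer/notepad and regedit events are included so the rules can be seen not to fire on ordinary activity.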
The takeaway is simple: treat files from contacts with caution, even trusted ones. Always verify through secondary means, and scan downloaded files with an up-to-date antivirus before executing them. It’s basic hygiene, but campaigns like this one prove it still matters.
