
Introduction
A sophisticated malware campaign targeting WhatsApp users has emerged as a significant cybersecurity concern, demonstrating how attackers continue to weaponize trust between friends, colleagues, and business contacts. Security researchers have uncovered a widespread operation in which malicious Visual Basic Script (VBScript) files are being distributed through direct messages on WhatsApp Desktop and WhatsApp Web. These files disguise themselves as legitimate financial and business documents, tricking unsuspecting recipients into executing malware that ultimately installs remote monitoring software on infected systems.
The campaign highlights a growing trend among cybercriminals: leveraging trusted communication platforms rather than traditional phishing emails. By abusing compromised WhatsApp accounts and sending malicious files directly to victims through familiar contacts, attackers dramatically increase the likelihood of successful infections. The operation spans multiple continents and affects users in countries including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam, with Malaysia reporting the largest concentration of victims.
Attack Campaign Targets WhatsApp Desktop and Web Users
Security researchers at Kaspersky identified an active malware operation focused on WhatsApp users accessing the platform through desktop applications and web browsers. Unlike conventional phishing attacks that often arrive through email, this campaign leverages direct messages, creating a stronger sense of legitimacy and trust.
Victims receive files appearing to be routine business or financial documents. These attachments are carefully named to resemble authentic corporate paperwork, increasing the chances that recipients will open them without suspicion. Examples include filenames such as “Financial Reports.vbs” and “Account Statement.vbs,” both designed to appear harmless while concealing malicious code.
The
Compromised WhatsApp Accounts Fuel Distribution
One of the most concerning aspects of this campaign is the apparent use of compromised WhatsApp accounts as distribution channels. Instead of sending messages from unknown numbers, attackers appear to leverage legitimate accounts that already possess established trust relationships with victims.
This tactic significantly increases the success rate of social engineering attacks. When a user receives a file from a known friend, coworker, family member, or business contact, they are far less likely to question its authenticity.
Although researchers believe compromised accounts are involved, the precise method used to gain access remains unknown. Possibilities include credential theft, phishing campaigns, malware infections, or exploitation of previously compromised devices linked to WhatsApp accounts.
The uncertainty surrounding the initial compromise method adds another layer of concern because it suggests attackers may have multiple avenues for infiltrating user accounts.
Obfuscated VBScript Files Disguise Their True Purpose
The malicious files involved in the campaign employ heavy obfuscation techniques designed to frustrate analysis and evade detection. At first glance, these scripts appear to be ordinary business documents, but beneath the surface lies a carefully engineered infection mechanism.
Researchers found extensive comments and metadata embedded within the scripts. These comments mimic legitimate Microsoft Windows Update components, creating the illusion of authenticity. The code contains references to certificate validation, deployment functionality, system integrity checks, and Windows Update modules.
Many comments were written in Chinese, suggesting either the development origins of certain components or an intentional effort to complicate forensic investigations.
Such deception serves two purposes. First, it can confuse security analysts reviewing the code. Second, it can help bypass basic detection mechanisms that rely on identifying suspicious script characteristics.
Multi-Stage Infection Chain Delivers Remote Access
Once a victim executes the malicious VBScript file, the infection process begins through Microsoft’s WScript.exe utility. This legitimate Windows component is commonly used to execute script files, making it an attractive tool for attackers seeking to blend malicious activity with normal operating system behavior.
The initial script does not immediately install malware. Instead, it launches a multi-stage infection chain involving additional payloads downloaded from remote infrastructure.
The malware retrieves secondary VBScript components that perform various tasks necessary for establishing persistence and preparing the victim’s environment for further compromise. This staged approach helps reduce detection rates and allows attackers to adapt payloads over time without modifying the original infection file.
By separating functionality across multiple stages, threat actors gain flexibility while making analysis considerably more difficult for defenders.
WhatsApp Web and Desktop Behave Differently During Infection
Researchers observed notable differences between infections occurring through WhatsApp Web and those involving the desktop application.
For WhatsApp Web users, the attack relies heavily on user interaction. Victims must manually download the malicious file and execute it from their downloads folder or browser download history. Attackers count on users believing the file is a legitimate business document.
The desktop application presents a more seamless execution path. Analysis revealed that WhatsApp.Root.exe, a background process associated with WhatsApp Desktop, can spawn WScript.exe when the malicious attachment is opened.
This distinction may create different forensic footprints depending on which platform victims use, potentially complicating incident response efforts.
The variation also demonstrates that attackers have carefully studied both environments and adapted their techniques accordingly.
ManageEngine RMM Central Used as Final Payload
The ultimate goal of the infection chain is not immediate data theft but rather the installation of legitimate Remote Monitoring and Management software.
One secondary VBScript attempts to interfere with Windows User Account Control mechanisms, while another downloads a compressed ZIP archive containing the installation package for ManageEngine RMM Central.
RMM software is widely used by IT administrators for legitimate remote system management. However, threat actors increasingly abuse these tools because they provide powerful remote access capabilities while appearing legitimate to many security products.
Once installed, the software can potentially allow attackers to monitor systems, execute commands, transfer files, and maintain long-term access to compromised environments.
This “living off the land” approach reflects a broader trend in cybercrime where legitimate administrative tools are repurposed for malicious objectives.
Infrastructure Links Raise Additional Questions
Although researchers have not definitively attributed the campaign to a specific threat group, they discovered intriguing infrastructure overlaps with previous malware operations.
An IP address associated with the activity reportedly overlaps with infrastructure previously connected to both Gh0st RAT and ValleyRAT campaigns. These malware families have historically been linked to sophisticated cyber espionage and criminal activities.
Infrastructure overlaps alone do not prove attribution. Shared hosting providers, recycled servers, and leased infrastructure can create misleading connections. Nevertheless, such findings provide valuable investigative leads and may assist future threat intelligence efforts.
Until more evidence emerges, the responsible actors remain unidentified.
Deep Analysis: Malware Execution Flow and Defensive Commands
Understanding the Technical Chain
The attack demonstrates how legitimate Windows components can be abused to execute malicious workflows without immediately triggering alarms.
The infection path generally follows this sequence:
Malicious file received via WhatsApp.
User executes VBScript attachment.
WScript.exe launches script.
Additional payloads downloaded remotely.
UAC-related modifications attempted.
ZIP archive retrieved.
ManageEngine RMM Central installed.
Remote access established.
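The chain above maps onto process-creation telemetry: a script host (WScript.exe/CScript.exe) started by WhatsApp.Root.exe, Explorer or a browser with a .vbs argument from the Downloads folder, followed by that script host spawning an installer from a user-writable path. The following detection logic is an added example, not code from the original report or from Kaspersky; the events, file paths and the installer name are constructed, and the "rmm"/"manageengine" name match is a labelled heuristic assumption.

```python
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real telemetry.
# Paths and the installer file name are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.Root.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Financial Reports.vbs"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Account Statement.vbs"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\rmm_central_setup.exe",  # placeholder name
     "CommandLine": r"rmm_central_setup.exe /silent"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents seen in the reported chain: WhatsApp Desktop's helper process, or Explorer/browser
# when the file is run out of the Downloads folder after a WhatsApp Web download.
CHAT_PARENTS = {"whatsapp.root.exe", "whatsapp.exe", "explorer.exe",
                "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\")

def base(path):
    return ntpath.basename(path).lower()

def classify(ev):
    """Return the list of finding labels for one event (empty list = nothing suspicious)."""
    findings = []
    parent, image, cmd = base(ev["ParentImage"]), base(ev["Image"]), ev["CommandLine"].lower()
    if image in SCRIPT_HOSTS and ".vbs" in cmd:
        if parent in CHAT_PARENTS:
            findings.append("vbs-launched-from-messaging-or-downloads")
        if any(d in cmd for d in USER_WRITABLE):
            findings.append("vbs-in-user-writable-path")
    if parent in SCRIPT_HOSTS and image.endswith(".exe"):
        findings.append("script-host-spawned-executable")
        if "rmm" in image or "manageengine" in image:  # heuristic name match (assumption)
            findings.append("possible-unexpected-rmm-install")
    return findings

def scan(events):
    """Map event index -> findings, skipping clean events."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}

if __name__ == "__main__":
    for i, f in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["Image"], f)
```

Correlating the two findings on the same host within a short window (script host from a messaging parent, then that script host spawning an installer) is the higher-confidence signal; either alone is only a lead.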
Security teams can investigate suspicious activity using several Windows and Linux commands.
Windows Investigation Commands
Check running script processes:
tasklist | findstr wscript
Review active network connections:
netstat -ano
Inspect startup entries:
wmic startup get caption,command
View scheduled tasks:
schtasks /query /fo LIST
Search for VBS files:
dir C:\*.vbs /s
Review recent PowerShell activity:
Get-History
Check installed software (note: querying Win32_Product makes Windows run a consistency check on every installed MSI package, so this can be slow and noisy on production systems):
Get-WmiObject Win32_Product
Linux Threat Hunting Commands
Monitor suspicious connections:
netstat -tulpn
Review active processes:
ps aux
Inspect downloaded files:
find ~/Downloads -type f
Search script artifacts:
find / -name "*.vbs" 2>/dev/null
Review system logs:
journalctl -xe
Inspect network sessions:
ss -tulnp
Monitor file changes:
inotifywait -m ~/Downloads
The campaign serves as a reminder that cybersecurity is increasingly less about malware sophistication alone and more about exploiting human trust. Attackers understand that convincing a user to click remains easier than defeating modern security technology directly.
What Undercode Says:
Human Trust Has Become the New Attack Surface
The most revealing aspect of this operation is not the VBScript itself but the delivery mechanism. Cybercriminals increasingly recognize that social trust provides a more reliable pathway into systems than technical exploitation. Traditional email phishing campaigns face sophisticated filtering technologies, spam detection engines, and user awareness training. Messaging applications bypass many of those defenses. WhatsApp’s reputation as a personal and professional communication platform creates a psychological advantage for attackers. The use of compromised accounts amplifies this effect dramatically. A malicious attachment arriving from a known contact carries a level of credibility that most phishing emails cannot achieve.
The attackers also display a strong understanding of international targeting. By translating filenames into multiple languages, they eliminate barriers that could reduce victim engagement.
Another notable trend is the abuse of legitimate administrative software. RMM tools are becoming the preferred weapon of modern threat actors. Unlike custom malware, legitimate RMM applications often possess trusted digital signatures. Security products may classify them as authorized software rather than malicious code. This allows attackers to remain operational for longer periods.
The campaign also illustrates the growing importance of endpoint visibility. Organizations focused exclusively on perimeter security may completely miss such attacks. The initial compromise occurs through a trusted platform. The payload executes through legitimate Windows components. The final software installation involves a legitimate administration product. Every stage attempts to appear normal. This blending strategy is increasingly common. Attackers are moving away from noisy malware. Instead, they are leveraging existing system tools.
The overlap with infrastructure linked to Gh0st RAT and ValleyRAT deserves attention but should not be overstated. Infrastructure reuse can create false attribution trails. Threat intelligence analysts must avoid jumping to conclusions.
From a defensive perspective, blocking dangerous script extensions remains one of the simplest and most effective controls. Few ordinary users genuinely require direct execution of VBS files. Organizations should consider restricting script execution where operationally feasible. Application allow-listing can further reduce risk. Monitoring unexpected RMM deployments should become standard practice. Any remote administration software appearing without a documented business justification should trigger investigation.
The campaign ultimately reinforces a timeless cybersecurity principle. Technology alone cannot solve social engineering. Awareness, verification procedures, and healthy skepticism remain critical layers of defense. As attackers increasingly exploit trust networks rather than software vulnerabilities, organizations must adapt their security strategies accordingly.
✅ Kaspersky researchers reported a campaign using malicious VBScript files distributed through WhatsApp Desktop and WhatsApp Web.
✅ The infection chain ultimately installs legitimate ManageEngine RMM Central software to provide remote access capabilities.
✅ Researchers observed targeting across multiple countries, with Malaysia reporting the highest concentration of identified victims.
❌ There is currently no confirmed public attribution linking the operation directly to Gh0st RAT operators or ValleyRAT actors.
❌ The exact method used to compromise the WhatsApp accounts involved in distribution remains unknown.
❌ No evidence currently suggests a vulnerability within WhatsApp itself is responsible for the infections.
Prediction
(+1) Security vendors will increasingly classify suspicious RMM deployments as high-priority threat indicators rather than ordinary administrative activity.
(+1) Organizations will expand monitoring of messaging platforms such as WhatsApp, Telegram, and Signal as cybercriminal distribution channels continue to grow.
(+1) Endpoint detection solutions will improve behavioral analysis of script execution chains involving WScript.exe and related Windows components.
(-1) Threat actors will continue abusing trusted accounts because social trust remains highly effective against even well-trained users.
(-1) Legitimate remote management software will face growing misuse by cybercriminal groups seeking stealthier persistence methods.
(-1) Messaging-based malware campaigns are likely to become more common as email defenses continue to improve worldwide.
References:
Reported By: thehackernews.com