Securelist
Active Malware Campaign Distributes VBScript via Compromised WhatsApp Accounts
Article Content
In June 2026, a malware campaign was identified that spreads malicious VBScript files through WhatsApp direct messages. The campaign primarily targets users of WhatsApp Desktop and WhatsApp Web, with the highest number of victims in Malaysia. Attackers exploit compromised WhatsApp accounts to send deceptive messages containing attachments that appear as legitimate business documents, such as invoices and payment records. Once executed, the VBScript initiates a multi-stage infection chain that installs Remote Monitoring and Management (RMM) software, granting attackers remote access to the victims' systems. The campaign has affected users across multiple countries, including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. The threat actor's method of operation remains under investigation, with evidence suggesting extensive social engineering tactics. The campaign is still active as of the latest reports.
Key Points:
• Malware campaign targets WhatsApp Desktop and Web users with VBScript files.
• Attackers use compromised accounts to distribute malicious attachments disguised as business documents.
• The campaign has affected users in multiple countries, with Malaysia reporting the highest victim count.
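
A defender-side triage example for the chain summarized above (a VBScript attachment executed by the user, followed by installation of RMM software), added here and not taken from the Securelist report. The event field names, process names (`wscript.exe`, `cscript.exe`, `msiexec.exe`, `WhatsApp.exe`), directories and lure keywords are assumptions, and the sample events are constructed.

```python
import ntpath
import re

# Assumptions for this example (none come from the article): the event field
# names, process names, directories and lure keywords below.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INSTALLERS = {"msiexec.exe"}
VBS_ARG = re.compile(r'"([^"]+\.vb[se])"|(\S+\.vb[se])\b', re.I)
LURE_WORDS = ("invoice", "payment")
DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

def triage(event):
    """Return the reasons a process-creation event matches the chain, if any."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    reasons = []
    # Later stage: a script host starting an installer (possible RMM setup).
    if parent in SCRIPT_HOSTS and image in INSTALLERS:
        reasons.append("installer spawned by script host")
    if image not in SCRIPT_HOSTS:
        return reasons
    match = VBS_ARG.search(event["command_line"])
    if not match:
        return reasons
    script = (match.group(1) or match.group(2)).lower()
    name = ntpath.basename(script)
    reasons.append("script host executed VBScript")
    if parent == "whatsapp.exe":  # assumed WhatsApp Desktop process name
        reasons.append("launched by WhatsApp Desktop")
    if any(d in script for d in DROP_DIRS):
        reasons.append("script in download/temp directory")
    if any(w in name for w in LURE_WORDS):
        reasons.append("business-document lure name")
    return reasons

# Constructed sample events (simplified Sysmon Event ID 1 style records).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\a\Downloads\Invoice_0612.vbs"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"msiexec.exe /i C:\Users\a\AppData\Local\Temp\setup.msi /qn"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["image"]), "->", triage(ev) or "no match")
```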