Securelist
Active VBScript Malware Campaign via WhatsApp Targets Windows Users Globally
In June 2026, a malware campaign distributing malicious VBScript files through WhatsApp was detected, affecting users in multiple countries including Malaysia, Brazil, and India. The campaign exploits WhatsApp Desktop and Web, using deceptive file names that mimic business documents to trick users into executing the malware. Once activated, the VBScript initiates a multi-stage infection leading to the installation of Remote Monitoring and Management (RMM) software, granting attackers remote access to victims' systems. The campaign is still active, with reports indicating that compromised WhatsApp accounts are being used to distribute the malware. Victims have reported receiving messages with only the malicious attachment, indicating a social engineering tactic. The threat actor has localized file names in various languages to broaden the attack's reach. The exact method of compromising WhatsApp accounts remains unknown.
Key Points:
• Malware campaign targets WhatsApp users with malicious VBScript files disguised as documents.
• The campaign is active across multiple countries, with the highest number of victims in Malaysia.
• Attackers gain remote access through the installation of legitimate RMM software.