WhatsApp Malware Campaign Exploits VBS and MSI for Remote Access
Severity: High (Score: 69.0)
Sources: Theregister, Blogs.Microsoft
Summary
A new malware campaign is exploiting WhatsApp messages to deliver malicious Visual Basic Script (VBS) files, leading to a multi-stage attack that installs Microsoft Installer (MSI) backdoors. The attack began in late February 2026 and targets users by tricking them into executing malicious files that appear to come from trusted contacts. Once executed, the VBS scripts create hidden folders and drop renamed copies of legitimate Windows utilities, which are then used to download additional payloads from cloud services. The attackers alter User Account Control (UAC) settings to gain elevated privileges and deploy MSI installers, including Setup.msi and AnyDesk.msi, which provide remote access to victims' systems. Microsoft has noted that these installers are not signed, indicating they are malicious. The campaign poses a significant risk because it allows attackers to steal data and deploy further malware, including ransomware. Security professionals are advised to be vigilant against suspicious WhatsApp messages.

Key Points:
• Attackers use WhatsApp to deliver VBS scripts for multi-stage malware installation.
• Renamed legitimate Windows tools are leveraged to evade detection during the attack.
• Malicious MSI installers provide attackers with remote access to compromised systems.
Key Entities
- Malware (attack_type)
- T1036 - Masquerading (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- WhatsApp (platform)
- Windows (platform)
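As an added example, not taken from the summary's sources: detection logic for the chain described above (a script host launching a renamed legitimate utility, a UAC policy value weakened, then an unsigned MSI installed), run over constructed Sysmon-style events. Field names follow Sysmon (Image, ParentImage, OriginalFileName, TargetObject, Details); the SignatureStatus field on the msiexec events, and every host, path and file name in the sample, are assumptions.

```python
import ntpath

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def stage(ev):
    """Map one Sysmon-style event to a stage of the chain, or None."""
    if ev["type"] == "process":
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        orig = ev.get("OriginalFileName", "").lower()
        # Stage 1 (T1059.005 -> T1036): a script host launches a binary whose
        # on-disk name differs from its PE OriginalFileName (renamed utility).
        if parent in SCRIPT_HOSTS and orig and orig != image:
            return "renamed_utility_from_script"
        # Stage 3: msiexec installs an unsigned package (SignatureStatus assumed).
        if image == "msiexec.exe" and ev.get("SignatureStatus", "").lower() == "unsigned":
            return "unsigned_msi_install"
    elif ev["type"] == "registry":
        key, _, value = ev["TargetObject"].rpartition("\\")
        # Stage 2: a UAC policy value under Policies\System is set to 0.
        if key.lower() == UAC_KEY.lower() and value in UAC_VALUES \
                and "0x00000000" in ev["Details"]:
            return "uac_weakened"
    return None

def triage(events):
    """Return hosts where two or more distinct stages were observed."""
    hits = {}
    for ev in events:
        s = stage(ev)
        if s:
            hits.setdefault(ev["host"], set()).add(s)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= 2}

# Constructed sample telemetry; hosts, paths and names are made up, not real IoCs.
SAMPLE = [
    {"type": "process", "host": "ws01", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\u\AppData\Local\.cache\upd.exe", "OriginalFileName": "curl.exe"},
    {"type": "registry", "host": "ws01", "Details": "DWORD (0x00000000)",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin"},
    {"type": "process", "host": "ws01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "SignatureStatus": "Unsigned",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\.cache\Setup.msi /qn"},
    {"type": "process", "host": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "SignatureStatus": "Valid",
     "CommandLine": r"msiexec.exe /i C:\Temp\vendor.msi"},
]
```

Requiring two distinct stages on one host keeps a lone unsigned vendor package or a single renamed tool from raising an alert on its own, while the full chain on ws01 is flagged.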