
WhatsApp Malware Campaign Exploits VBS Files for Remote Access

Severity: High (Score: 71.0)

Sources: Csoonline, Blogs.Microsoft, Theregister, Scworld

Summary

A new malware campaign targeting WhatsApp users has been identified, utilizing malicious Visual Basic Script (VBS) files to gain persistent access to victims' systems. Microsoft reported that the campaign began in late February 2026, employing social engineering tactics to trick users into executing these scripts. Once activated, the VBS files create hidden directories and deploy renamed legitimate Windows utilities to blend in with normal system activity. The attackers then download additional payloads from trusted cloud services like AWS and Tencent Cloud, ultimately installing malicious Microsoft Installer (MSI) packages to maintain control over the infected devices. The campaign's stealthy approach, relying on living-off-the-land techniques, makes it difficult for traditional security measures to detect the malicious activity. Microsoft has recommended using Defender for Endpoint in block mode to mitigate the risks associated with this attack.

Key Points:

  • Attackers use WhatsApp to deliver malicious VBS files, leveraging social engineering.
  • The campaign employs living-off-the-land techniques, using legitimate Windows tools to evade detection.
  • Malicious MSI packages are installed to maintain persistent access and control over compromised systems.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • T1036 - Masquerading (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1105 - Ingress Tool Transfer (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • AWS (company)
  • Backblaze B2 (platform)
  • Tencent Cloud (platform)
  • WhatsApp (platform)
  • Windows (platform)
  • Bitsadmin.exe (tool)
  • Curl.exe (tool)
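The masquerading step described above (renamed bitsadmin.exe / curl.exe launched from a script host) leaves a signal in process-creation telemetry: a PE's OriginalFileName survives a rename of the on-disk image. The following detection helper is an added example, not Microsoft's or any vendor's code; it assumes events shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, ParentImage), and the sample events and the ".cache" directory name are constructed.

```python
import ntpath

# Utilities the campaign renames, keyed by PE OriginalFileName. Sysmon
# Event ID 1 and Defender for Endpoint both expose this field, and it is
# unaffected by renaming the file on disk (T1036 Masquerading).
LOLBIN_ORIGINAL_NAMES = {"bitsadmin.exe", "curl.exe"}

# Script hosts under which a delivered .vbs file executes (T1059.005).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def masquerading_reasons(event: dict) -> list[str]:
    """Return why an event looks like masquerading (empty list if clean)."""
    reasons = []
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()

    if original in LOLBIN_ORIGINAL_NAMES and image_name != original:
        reasons.append(f"{original} running under the name {image_name}")
    if original in LOLBIN_ORIGINAL_NAMES and parent in SCRIPT_HOSTS:
        reasons.append(f"{original} launched by script host {parent}")
    return reasons


def find_masquerading(events: list[dict]) -> list[dict]:
    """Return flagged events, each annotated with its detection reasons."""
    flagged = []
    for ev in events:
        reasons = masquerading_reasons(ev)
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\.cache\svchost.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\Public\.cache\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_masquerading(SAMPLE_EVENTS):
        print(hit["Image"], "->", "; ".join(hit["reasons"]))
```

The first sample (curl.exe under its own name, from cmd.exe) is left alone, so the check fires on the rename and on the script-host parent rather than on mere use of the utility.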