A malware campaign, first observed in June 2026, is actively distributing malicious VBScript files through WhatsApp direct messages. This campaign primarily targets users of WhatsApp Desktop and Web across numerous countries, with Malaysia experiencing the highest number of victims. Threat actors leverage compromised WhatsApp accounts and employ social engineering tactics, using deceptive financial-themed file names to persuade recipients to download and execute the malicious attachments.
The attack unfolds in a multi-stage infection chain. In the first stage, the VBScript creates a hidden working directory, downloads additional obfuscated VBScript payloads, and then modifies Windows User Account Control (UAC) settings. In the next stage, a ZIP archive containing a preconfigured ManageEngine Endpoint Central deployment package is downloaded and silently installed. Because this is legitimate Remote Monitoring and Management (RMM) software, it gives the attackers persistent remote access to the compromised systems while blending in with ordinary administrative tooling.
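The chain above (script host launched on an attachment, a directory hidden, UAC policy weakened, an RMM agent installed silently) is most useful to a defender when the stages are correlated per host rather than alerted on individually. The following Python is an added example, not tooling from the advisory or from any vendor: it runs a few stage rules over constructed process-creation and registry-set events and scores each host by how many stages of the chain it exhibits. The UAC registry location and value names are documented Windows settings, but the page does not say which of them the campaign changes, so treating all three as indicators is an assumption; the Downloads-folder pattern, the `attrib.exe +h` rule, the msiexec `/q` switch check and the "ManageEngine" string match are likewise heuristics chosen for this illustration, and every event and file name in `SAMPLE_EVENTS` is constructed.

```python
"""Correlate endpoint telemetry into the VBScript-to-RMM infection chain.

Added illustration for the advisory above; the rules and sample data are
assumptions, not indicators published with the campaign write-up.
"""
import re
from collections import defaultdict

# Documented Windows UAC policy location and value names. Which of these the
# campaign touches is not stated on the page, so all three count (assumption).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hypothetical: where WhatsApp Desktop saves attachments varies by setup;
# this pattern only covers the per-user Downloads folder.
USER_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\downloads\\", re.IGNORECASE)

# msiexec quiet/basic-UI switches (real switches); the installer name match
# is a heuristic based on the product the page names, not a fixed IoC.
QUIET_SWITCH = re.compile(r"(?:^|\s)/q[nb]?(?:\s|$)", re.IGNORECASE)
RMM_MARKERS = ("manageengine", "endpoint central", "endpointcentral")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stage_of(event):
    """Map one telemetry event to a chain stage name, or None if it matches none."""
    kind = event.get("event")
    if kind == "process_create":
        image = basename(event["image"])
        cmd = event.get("command_line", "")
        low = cmd.lower()
        if image in SCRIPT_HOSTS and ".vbs" in low and USER_DOWNLOADS.search(cmd):
            return "vbs_from_downloads"
        # The script may hide its directory through the file-system object
        # instead of attrib.exe; this rule only sees the latter (assumption).
        if image == "attrib.exe" and re.search(r"\+h", cmd, re.IGNORECASE):
            return "hidden_dir"
        if image == "msiexec.exe" and QUIET_SWITCH.search(cmd) \
                and any(m in low for m in RMM_MARKERS):
            return "silent_rmm_install"
    elif kind == "registry_set":
        if event["key"].lower() == UAC_KEY.lower() \
                and event["value_name"] in UAC_VALUES \
                and str(event.get("data")) == "0":
            return "uac_weakened"
    return None


def severity(stage_count):
    """One stage alone is weak evidence (admins deploy RMM agents silently too)."""
    if stage_count >= 3:
        return "high"
    return "medium" if stage_count == 2 else "low"


def correlate(events):
    """Group stage hits per host and score each host by chain coverage."""
    per_host = defaultdict(dict)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].setdefault(stage, ev.get("ts"))
    return [{"host": h, "stages": sorted(s), "severity": severity(len(s))}
            for h, s in per_host.items()]


# Constructed events: WS-01 shows the full chain, WS-02 only a legitimate-looking
# silent agent rollout plus an unrelated logon script.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2026-06-03T09:12:01Z", "event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_Payment_0603.vbs"'},
    {"host": "WS-01", "ts": "2026-06-03T09:12:04Z", "event": "process_create",
     "image": r"C:\Windows\System32\attrib.exe",
     "command_line": r'attrib.exe +h +s "C:\Users\alice\AppData\Local\Temp\upd"'},
    {"host": "WS-01", "ts": "2026-06-03T09:12:09Z", "event": "registry_set",
     "key": UAC_KEY, "value_name": "ConsentPromptBehaviorAdmin", "data": "0"},
    {"host": "WS-01", "ts": "2026-06-03T09:13:30Z", "event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\upd\ManageEngine\agent.msi" /qn'},
    {"host": "WS-02", "ts": "2026-06-03T10:00:00Z", "event": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "\\deploy\share\ManageEngine\agent.msi" /qn'},
    {"host": "WS-02", "ts": "2026-06-03T10:00:05Z", "event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The point of `severity` is the false-positive case on WS-02: a silent ManageEngine install by itself is exactly what an IT department's deployment looks like, so it only rises to a high-severity finding when it follows a script host run on a downloaded attachment and a UAC policy change on the same host.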
While the method of WhatsApp account compromise is yet to be determined, the campaign appears broad and opportunistic, targeting individual consumers. Analysis of the VBScripts revealed Chinese-language comments and metadata, alongside infrastructure overlaps with known malware families such as ValleyRAT and Gh0st RAT, suggesting, with low confidence, attribution to a Chinese-speaking threat actor. Users are strongly advised to exercise extreme caution with unexpected attachments, particularly script and executable file types, even when they arrive from known contacts, since the sending accounts in this campaign are themselves compromised.