A newly uncovered malware campaign is abusing compromised WhatsApp accounts to spread malicious files that can give attackers remote access to victims’ computers.
Quick Summary – TLDR:
- Kaspersky researchers discovered an active WhatsApp malware campaign targeting desktop users.
- Attackers use compromised WhatsApp accounts to send malicious VBScript files to contacts.
- The malware disguises itself as invoices, bank statements, and payment documents to trick victims.
- Once opened, it installs ManageEngine Endpoint Central, a legitimate remote management tool that can be abused for remote access.
What Happened?
Security researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered an ongoing malware campaign that spreads through WhatsApp using malicious VBScript attachments. The campaign has affected users across multiple countries, with the highest concentration of victims found in Malaysia.
The attackers appear to be leveraging previously compromised WhatsApp accounts to distribute the malicious files directly to contacts, making the messages appear more trustworthy and increasing the chances that recipients will open them.
Active WhatsApp campaign uses compromised accounts to push VBScript files that silently install ManageEngine Endpoint Central, giving attackers persistent RMM access. 80% of victims are in Malaysia 🇲🇾, with reach across Brazil 🇧🇷, India 🇮🇳, the UK 🇬🇧, and beyond.
— DFIR Radar (@DFIR_Radar) June 22, 2026
– Compromised… pic.twitter.com/epXqf7CBzC
Attackers Exploit Trust on WhatsApp
Unlike traditional phishing attacks that rely on messages from unknown senders, this campaign takes advantage of trusted relationships. Researchers observed compromised WhatsApp accounts sending malicious attachments without any accompanying text.
Because the files arrive from known contacts, recipients may be less suspicious and more likely to open them.
According to Kaspersky researcher Fareed Radzi:
Researchers have not yet determined how the WhatsApp accounts were initially compromised.
Fake Business Documents Used as Bait
The campaign relies heavily on social engineering techniques. The malicious files are designed to look like routine financial and business documents.
Examples of file names include:
- Financial Reports.vbs
- Account Statement.vbs
- Outstanding Payment List.vbs
- Debt Statement.vbs
- Billing Statement.vbs
Researchers also discovered localized versions of these files in Portuguese, French, German, and Malay, indicating that the attackers are targeting users across multiple regions and languages.
To make the files appear more legitimate, many of the scripts contain comments and metadata that mimic Microsoft Windows Update components. Several samples also include Chinese language comments embedded within the code.
How the Malware Infects Victims?
The attack primarily targets users of WhatsApp Desktop and WhatsApp Web.
The infection requires user interaction. Victims must first download the attachment and then manually open it. Once executed, the VBScript launches through Windows Script Host and begins a multi stage infection process.
Researchers found that the malware creates hidden folders on the system and downloads additional payloads from attacker controlled servers. The scripts use various obfuscation methods, including:
- Encoded VBScript code.
- Randomized variable names.
- Junk code insertion.
- Character by character string reconstruction.
Some variants also abuse legitimate Windows tools such as curl, bitsadmin, certutil, and PowerShell to download additional components.
One of the secondary scripts attempts to modify Windows User Account Control settings, potentially reducing security prompts if the victim grants administrative access.
Remote Access Tool Installed on Infected Systems
The final stage of the attack installs ManageEngine Endpoint Central, a legitimate enterprise endpoint management platform commonly used by IT teams for software deployment, remote support, and system administration.
The malware package contains installation files, certificates, configuration data, and a malicious launcher script that silently installs the Endpoint Central agent using Microsoft’s installer service.
Once installed, the software can provide attackers with persistent remote access capabilities through standard administrative functions.
Researchers also identified management server infrastructure that overlaps with IP addresses previously associated with ValleyRAT and Gh0st RAT activity. However, Kaspersky said there is currently insufficient evidence to confidently link the campaign to a known threat actor.
Global Reach With Malaysia Most Affected
The campaign has been observed in multiple countries and territories, including:
- Malaysia
- Brazil
- India
- Mexico
- Singapore
- United Kingdom
- Spain
- Taiwan
- Australia
- Russia
- Vietnam
According to Kaspersky’s findings, approximately 80% of observed infections were located in Malaysia.
While some evidence points toward a possible Chinese speaking operator due to Chinese language comments found in the scripts, researchers only assess this connection with low confidence.
SQ Magazine Takeaway
I think this campaign highlights a growing trend where attackers no longer need sophisticated exploits to compromise users. Instead, they are abusing something far more powerful: trust. When a file comes from a friend, colleague, or known contact, many people lower their guard immediately.
What makes this campaign particularly concerning is its use of a legitimate remote management platform. Security tools may not automatically flag software that businesses commonly use every day. That makes user awareness even more important. If you receive an unexpected file on WhatsApp, especially a script or executable file, verify it through another communication channel before opening it.
