Cybersecurity researchers have uncovered an ongoing malware campaign targeting WhatsApp users across multiple countries with deceptive messages disguised as business and financial documents.
According to researchers at Kaspersky, the attackers are sending malicious VBScript (VBS) files through compromised WhatsApp accounts. The files are designed to appear as legitimate documents such as invoices, billing statements, financial reports, and account notices, increasing the likelihood that recipients will open them.
The campaign has been observed in several countries, including Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia, indicating a broad global reach.
Kaspersky says the attacks begin when victims receive a message from a trusted contact whose WhatsApp account has already been compromised. The message typically contains only an attached VBS file with a convincing document-related filename. Researchers found that filenames are often localized into different languages to better target users in specific regions.
Once downloaded and opened on a Windows system, the malicious script initiates a multi-stage infection process. The VBS file downloads additional scripts from attacker-controlled servers, which then modify Windows settings to weaken security protections and retrieve a ZIP archive containing a legitimate remote management tool called ManageEngine Endpoint Central.
The software is silently installed on the victim’s device and configured to connect to infrastructure controlled by the attackers. This effectively gives the threat actors remote administrative access to the compromised computer, allowing them to manage the system from a distance.
Researchers noted that the attack behaves differently depending on how the file is received. Users accessing the attachment through WhatsApp Web must first download the file, while those using the WhatsApp Desktop application may be able to execute it directly through Windows Script Host, making the attack even more dangerous.
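As an added defensive illustration (not code from the Kaspersky report or this article), the following Python snippet applies the cues described above, a script host launched directly by the messenger client and a document-lure VBS filename run from a download location, to constructed process-creation events. The field names, the `WhatsApp.exe` parent image name and the multilingual lure keyword list are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a simplified Sysmon Event ID 1 shape
# (assumed field names: Image, ParentImage, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_2024.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Factura_Marzo.vbs"'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\it\inventory.vbs"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"notepad++.exe" C:\Users\alice\Downloads\Invoice_2024.vbs'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows Script Host binaries
MESSENGER_PARENTS = {"whatsapp.exe"}               # assumed image name of WhatsApp Desktop
# Document-lure words in several languages (constructed; extend from your own telemetry).
LURE_WORDS = re.compile(r"invoice|factura|fatura|rechnung|billing|statement|report|account", re.I)
VBS_ARG = re.compile(r'"?([^"\s]+\.vbs)"?', re.I)  # first .vbs path on the command line

def classify(event):
    """Return the reasons this event resembles the WhatsApp VBS lure chain, or [] if none."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return []
    match = VBS_ARG.search(event["CommandLine"])
    if not match:
        return []
    script = PureWindowsPath(match.group(1))
    reasons = []
    if parent in MESSENGER_PARENTS:
        reasons.append("script host spawned directly by messenger client")
    if LURE_WORDS.search(script.stem):
        reasons.append(f"document-lure filename: {script.name}")
    if "downloads" in (part.lower() for part in script.parts):
        reasons.append("script executed from Downloads folder")
    return reasons

def flag_events(events):
    """Map each suspicious event's command line to its list of reasons."""
    return {e["CommandLine"]: r for e in events if (r := classify(e))}
```

A legitimate administrative script run from cmd.exe (third event) and a VBS file merely opened in an editor (fourth event) produce no hits, while the messenger-spawned lure scores on all three cues.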
Although Kaspersky has not attributed the campaign to a specific threat group, investigators discovered indicators suggesting possible links to Chinese-speaking operators. The researchers also identified infrastructure overlaps with servers previously associated with ValleyRAT and Gh0st RAT malware activity. However, they stressed that the available evidence is insufficient for a definitive attribution.
Security experts advise WhatsApp users to exercise caution when receiving files, even from trusted contacts. Users should verify unexpected attachments through another communication channel before opening them and scan downloaded files with updated antivirus software to reduce the risk of infection.