
WhatsApp Attack Uses ManageEngine as Backdoor, Hits 11 Countries

bleepingcomputer.com · @keen_otter · 2 hours ago · Cybersecurity · 3 comments

A phishing campaign uses compromised WhatsApp accounts to trick victims into running VBScript files that quietly install ManageEngine Endpoint Central, giving attackers remote admin access.

Tags: whatsapp, manageengine, endpoint central, kaspersky, phishing, vbscript, remote access

Kaspersky telemetry traces this campaign across 11 countries: Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Every infection starts with a VBScript file masquerading as a financial report or billing statement sent from a compromised WhatsApp account.

The Attack Chain Starts With a VBS File

The attacker first compromises a target's WhatsApp account through an unknown method. Then they send a VBS file to every contact in that account's address book. The filenames are localized to the victim's language: "invoice.vbs", "statement.vbs", "notice.vbs". On WhatsApp Desktop, opening the file executes it directly via Windows Script Host (wscript.exe). On WhatsApp Web, the victim must manually download and run it.

Once executed, the VBScript fetches two additional scripts from attacker infrastructure. The first script disables User Account Control (UAC) protections by modifying Registry keys. The second downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate remote management tool used by IT admins. The tool installs silently and connects back to attacker-controlled management servers.

Why ManageEngine Makes a Perfect Backdoor

ManageEngine Endpoint Central is designed for centralized system administration. It can push software, execute commands, transfer files, and modify system settings across a fleet of machines. By abusing this legitimate tool, the attacker bypasses many endpoint detection and response systems because the binary is signed and trusted. Kaspersky notes that the threat actor configured the installed instance to report to their own management server, giving them full remote admin access on the victim's machine.

Kaspersky found signs of Chinese language use in the code and IP infrastructure that overlaps with previous ValleyRAT and Gh0st RAT activity. But they stop short of high-confidence attribution. The exact method of initial WhatsApp account compromise remains unknown, but social engineering and SMS fraud are strong candidates.

WhatsApp users should treat any file sent by a known contact as suspicious if it arrives unexpectedly, especially VBScript files. Verify with the sender via a separate channel before opening attachments. Running an up-to-date antivirus scan on downloaded files is baseline hygiene. As attackers weaponize legitimate admin tools like ManageEngine, defenders need to monitor for unexpected installation of remote management software, even from signed publishers.
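As an added illustration of that monitoring advice (not code from the article or from Kaspersky), the following pass flags the three stages described above over constructed Sysmon-like events: a script host spawned by WhatsApp Desktop, a UAC policy value zeroed in the Registry, and a remote management installer launched outside the approved deployment pipeline. The UAC value names are the standard ones under the Policies\System key (the article does not say which keys the script touches), the installer path and the approved-deployer list are placeholders.

```python
"""Added example: flag the chain described in the article over
constructed Sysmon-like events (id 1 = process create, 13 = registry set)."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Standard UAC policy values under HKLM\...\Policies\System; which ones the
# campaign's script actually modifies is not stated, so this is an assumption.
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
RMM_MARKERS = ("manageengine", "endpoint central")
# Hypothetical parent processes allowed to install software in this fleet.
APPROVED_DEPLOYERS = {"corp-deploy.exe"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"id": 1,  # placeholder installer name, not the real file name
     "image": r"C:\Users\u\AppData\Local\Temp\unpacked\ManageEngine_EndpointCentral_setup.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"ManageEngine_EndpointCentral_setup.exe"},
    # Benign: a logon script run by Explorer, not from WhatsApp.
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (stage, reason, evidence) tuples for events matching a stage."""
    alerts = []
    for e in events:
        image = basename(e["image"])
        if e["id"] == 1 and image in SCRIPT_HOSTS and "whatsapp" in e["parent"].lower():
            alerts.append(("stage1", "script host spawned by WhatsApp Desktop", e["cmdline"]))
        elif (e["id"] == 13 and e["target"].rsplit("\\", 1)[-1] in UAC_VALUES
              and "0x00000000" in e["details"]):
            alerts.append(("stage2", "UAC policy value set to 0", e["target"]))
        elif (e["id"] == 1
              and any(m in (e["image"] + e["cmdline"]).lower() for m in RMM_MARKERS)
              and basename(e["parent"]) not in APPROVED_DEPLOYERS):
            alerts.append(("stage3", "remote management tool installed outside pipeline", e["image"]))
    return alerts


def full_chain_seen(alerts):
    """True when all three stages appear, i.e. the whole chain ran on a host."""
    return {a[0] for a in alerts} == {"stage1", "stage2", "stage3"}
```

Any single stage is worth an alert on its own; all three on one host is the signal that the install completed and the machine should be isolated.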


Source: WhatsApp phishing attack uses fake business docs to hack PCs
Domain: bleepingcomputer.com
