
WhatsApp Malware Campaign

Cybercriminals are using WhatsApp direct messages to distribute malicious Visual Basic Script (VBScript) files that ultimately install legitimate Remote Monitoring and Management (RMM) software on compromised systems. The campaign has targeted users of WhatsApp Desktop and WhatsApp Web in multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia has recorded the highest number of affected users.

Researchers suspect that the attackers gained unauthorized access to several WhatsApp accounts and then leveraged these compromised profiles to send malicious files to people in their contact lists. However, the exact method used to hijack these accounts remains unknown.

Disguised as Business Documents

The attackers rely on social engineering to persuade victims to open the malicious files. The VBScript attachments are disguised as legitimate business and financial documents and use convincing filenames such as 'Financial Reports.vbs' and 'Account Statement.vbs.' To support the campaign's international reach, some files also appear in languages including Portuguese, French, German, and Malay.

The scripts are heavily obfuscated and contain extensive comments and metadata designed to imitate authentic Microsoft Windows Update components. Numerous comments are written in Chinese and reference functions such as:

  • Windows Update modules
  • Certificate validation procedures
  • System integrity checks
  • Deployment-related processes

These elements are intended to make the files appear legitimate and hinder security analysis.

Multi-Stage Infection Chain Enables Remote Access

Once executed through 'WScript.exe,' the malicious VBScript initiates a multi-stage infection process by downloading and executing additional VBScript components. The primary objective of the initial script is to retrieve two secondary payloads from a remote server. One payload attempts to manipulate Windows User Account Control (UAC) behavior, while the other downloads and launches a ZIP archive containing the installation package for ManageEngine RMM Central.

The successful installation of the legitimate RMM software grants attackers remote access capabilities, enabling them to control the victim's system.

Different Execution Paths on WhatsApp Web and Desktop

The infection process differs depending on the WhatsApp platform being used. On WhatsApp Web, victims are required to download the file and manually open it from the downloads folder or browser history, believing it to be a genuine document.

In contrast, the WhatsApp Desktop application allows the malware to execute directly within the client environment. Process analysis shows that 'WhatsApp.Root.exe,' the application's background process, is responsible for launching 'WScript.exe,' which then initiates the malicious chain.

Possible Connections to Earlier Malware Operations

Although the campaign has not been formally attributed to a specific threat group, investigators have identified infrastructure overlaps with previous malicious activity associated with the Gh0st RAT and ValleyRAT malware families. These similarities suggest that the operation may share resources or tactics with earlier cybercriminal campaigns.

Essential Precautions for WhatsApp Users

Security experts advise users to remain cautious when receiving unexpected attachments through WhatsApp, even if the messages appear to come from trusted contacts. The following file types should never be opened unless their legitimacy has been independently confirmed:

  • VBS and VBE script files
  • Executable files such as EXE, BAT, and CMD
  • Script-based formats including JS and PS1

Verifying attachments before opening them remains one of the most effective defenses against malware campaigns that exploit trusted communication platforms.
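The two observations above, the 'WhatsApp.Root.exe' to 'WScript.exe' process chain on WhatsApp Desktop and the risky attachment types users are warned about, can be turned into a simple endpoint detection. The following Python is an added example, not code from the article or from any vendor: it scans process-creation records (a constructed, Sysmon-like shape; the event fields, paths and user names are assumptions) for a script host launched either by the WhatsApp background process or on a VBS/VBE file in the Downloads folder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# File types the article says should never be opened unverified.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_PARENT = "whatsapp.root.exe"   # background process named in the article

@dataclass
class ProcessEvent:          # assumed minimal process-creation record
    parent_image: str        # full path of the parent process
    image: str               # full path of the created process
    command_line: str

def risky_attachment(filename: str) -> bool:
    """True if the final extension is a script/executable type from the list above."""
    m = re.search(r"\.([a-z0-9]+)$", filename.strip().lower())
    return bool(m) and f".{m.group(1)}" in RISKY_EXTENSIONS

def flag_event(ev: ProcessEvent) -> Optional[str]:
    """Return a reason if a script host is started from WhatsApp or on a script in Downloads."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if child not in SCRIPT_HOSTS:
        return None
    # Split the command line into quoted and unquoted tokens, skipping argv[0].
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', ev.command_line)][1:]
    scripts = [t for t in tokens if t.lower().endswith((".vbs", ".vbe"))]
    if scripts and ev.parent_image.rsplit("\\", 1)[-1].lower() == WHATSAPP_PARENT:
        return f"{WHATSAPP_PARENT} launched {child} on {scripts[0]}"   # Desktop client path
    if any("\\downloads\\" in s.lower() for s in scripts):
        return f"{child} ran a script from Downloads: {scripts[0]}"     # Web client path
    return None

def scan(events: List[ProcessEvent]) -> List[str]:
    return [r for r in map(flag_event, events) if r]

# Constructed sample events (not real telemetry); install paths and user names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\WindowsApps\WhatsApp\WhatsApp.Root.exe",
                 r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Financial Reports.vbs"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Account Statement.vbs"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\ProgramData\maint\cleanup.vbs"),   # benign admin script, not flagged
]
```

The Downloads heuristic is deliberately narrow and will miss scripts opened from a browser's history view; it is meant as a starting signal to tune against your own telemetry, not a complete rule.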
