WhatsApp Spreads Malware via RMM Software Scam
BitNewsBot
  • WhatsApp accounts across 11 countries are being hijacked to distribute malware-laden VBScript files.
  • The campaign uses obfuscated scripts disguised as business documents to install legitimate RMM software for remote system access.
  • The infection chain manipulates Windows UAC and leverages previously seen infrastructure linked to Gh0st RAT and ValleyRAT.
  • Users in Malaysia have been the primary targets of this widespread social engineering attack.

Malicious actors have launched a global campaign using compromised WhatsApp accounts to deliver malware via direct messages, according to a recent report. This sophisticated social engineering scheme, active as of June 2026, primarily targets users in Malaysia, Brazil, India, and several other nations by distributing deceptive Visual Basic Script files.


The attack leverages hijacked accounts to send VBScript attachments masquerading as financial reports or account statements. When executed, these heavily obfuscated scripts initiate a multi-stage infection process designed to install legitimate Remote Monitoring and Management software.

Security researcher Fareed Radzi from Kaspersky stated, “The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment.” The scripts contain extensive comments written in Chinese, mimicking legitimate Windows Update components to evade detection.

The infection method differs slightly between WhatsApp Web and the WhatsApp Desktop application. In the desktop client, the malware is executed directly by the application’s background process, while web users must manually open the downloaded file.

The final payloads attempt to tamper with Windows User Account Control and fetch a ZIP file containing ManageEngine RMM Central. Infrastructure analysis revealed overlaps with previous malware campaigns, though the activity remains unattributed.


Kaspersky advises extreme caution with unexpected WhatsApp attachments, especially script or executable file types. Users should independently verify the legitimacy of any suspicious files before opening them.
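
For defenders, the chain described above (a VBScript run, a UAC change, a ZIP file fetched) can be hunted in endpoint process telemetry. The following Python example is added here and is not code from Kaspersky's report or from this article; the event schema, the sample events, the process and file names, and the UAC registry key it watches are assumptions.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
SCRIPT_EXTS = (".vbs", ".vbe")
# Assumption (not in the article): UAC tampering shows up as writes to this policy key.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

def _name(path):
    return ntpath.basename(path).lower()

def triage(events):
    """Return {script_host_pid: [reasons]} covering each VBScript run and its process tree."""
    findings, root_of = {}, {}  # root_of: tainted pid -> pid of the script host above it
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            cmd = ev["cmdline"].lower()
            if _name(ev["image"]) in SCRIPT_HOSTS and any(x in cmd for x in SCRIPT_EXTS):
                root_of[pid] = pid
                findings[pid] = ["script host ran a VBScript file"]
                if "whatsapp" in _name(ev["parent_image"]):
                    findings[pid].append("parent is the WhatsApp desktop process")
            elif ev["ppid"] in root_of:  # descendant of a flagged script host
                root_of[pid] = root_of[ev["ppid"]]
        elif pid in root_of:
            if kind == "registry_set" and ev["key"].lower().startswith(UAC_KEY):
                findings[root_of[pid]].append("UAC policy key written")
            elif kind == "file_create" and ev["path"].lower().endswith(".zip"):
                findings[root_of[pid]].append("ZIP archive written")
    return findings

def _proc(pid, ppid, image, parent, cmdline):
    return dict(type="process_create", pid=pid, ppid=ppid, image=image, parent_image=parent, cmdline=cmdline)

# Constructed telemetry, not taken from the report; paths and names are placeholders.
SAMPLE = [
    _proc(100, 50, r"C:\Windows\System32\wscript.exe", r"C:\Apps\WhatsApp.exe",
          r'wscript.exe "C:\Users\u\Downloads\Account_Statement.vbs"'),
    _proc(101, 100, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe", "cmd.exe /c stage"),
    {"type": "registry_set", "pid": 101, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"type": "file_create", "pid": 101, "path": r"C:\Users\u\AppData\Local\Temp\package.zip"},
    _proc(300, 60, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\u\Downloads\Financial_Report.vbs"'),
    _proc(200, 60, r"C:\Windows\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
    {"type": "registry_set", "pid": 200, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The second flagged process (parent `explorer.exe`) corresponds to the WhatsApp Web case, where the user opens the downloaded file manually, so the parent-process signal is absent and only the script-host execution is reported.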
