Malware & Ransomware · HIGH

WhatsApp Malware - Campaign Delivers VBS Payloads and MSI Backdoors

Microsoft Security Blog
Tags: WhatsApp, VBS, MSI, malware campaign, Microsoft Defender

In short: a malware campaign uses WhatsApp messages to deliver files that, once opened, give attackers persistent remote access to the victim's Windows computer.

Quick Summary

A malware campaign abuses WhatsApp to deliver malicious VBS scripts that start a multi-stage infection chain, giving attackers persistence and remote access on compromised Windows systems. It targets both individual users and organizations. Treat unexpected WhatsApp attachments, even from known contacts, with suspicion.

What Happened

In late February 2026, a malware campaign emerged that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. Opening the script starts a multi-stage infection chain that establishes persistence and gives the attacker remote access to the compromised system. Because the lure arrives through a messaging app the recipient already trusts, often appearing to come from a known contact, it sidesteps the email-focused controls and the user scepticism that a mail attachment would face.

The campaign combines social engineering with living-off-the-land techniques: the attackers rename legitimate Windows tools so their activity looks like normal system use, and they fetch follow-on payloads from trusted cloud services such as AWS and Tencent Cloud. Downloads from those providers are rarely blocked outright and blend into ordinary traffic, which lowers the chance that the chain is noticed before the payload runs.

Who's Being Targeted

The primary targets of this malware campaign are individuals and organizations that use WhatsApp for communication. By leveraging a widely used platform, attackers can reach a broad audience. Victims may not suspect malicious intent when receiving messages from familiar contacts, making them more likely to execute the harmful scripts.

Once a VBS file runs, the malware creates hidden folders on the system and drops renamed copies of legitimate Windows utilities into them. The binaries are the genuine Microsoft-signed tools, so detections that key on the file name or the signer alone do not fire, and their file and network activity looks like routine system operations.

Signs of Infection

Indicators include hidden folders under C:\ProgramData and renamed copies of Windows utilities such as curl.exe and bitsadmin.exe running from them; both are built-in download helpers, which is what the campaign uses them for. Expect matching network activity: outbound connections from those renamed binaries to AWS or Tencent Cloud endpoints as additional payloads are retrieved.

The malware also attempts to tamper with User Account Control (UAC) settings, which can show up as elevation prompts that stop appearing or appear at unexpected moments. Registry changes under the UAC policy key and unusual command-line flags on the renamed utilities (a download helper pointed at a cloud bucket, for instance) are early signals worth alerting on before the chain progresses.
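A host-side hunt for the indicators listed above, added here as an example; it is not code from the Microsoft report. It checks the three things the text names: hidden folders under C:\ProgramData and executables inside them whose version-resource OriginalFilename is curl.exe or bitsadmin.exe but whose on-disk name differs; running processes with the same mismatch, plus wscript.exe or cscript.exe launched with a script from a user-writable location; and the UAC policy values under HKLM. The UAC values compared, the list of "untrusted" path fragments and the assumption that the dropped copies keep their version resource intact are this example's, not the report's. Run it in an elevated PowerShell session.

```powershell
# Hunt for the host-side indicators described above.
# Added example, not code from the Microsoft report. Run elevated.

$WatchedOriginals = @('curl.exe', 'bitsadmin.exe')   # legitimate tools the campaign renames (named in the report)
$UntrustedPathPattern = '(?i)\\(ProgramData|AppData|Downloads|Temp|Public)\\'  # assumption: where dropped scripts live
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Assumption: default/hardened UAC values; tampering payloads lower these to suppress elevation prompts.
$UacExpected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Indicator, $Subject, $Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Subject = $Subject; Detail = $Detail })
}

# OriginalFilename from a PE's version resource, or $null if it cannot be read.
function Get-OriginalFilename([string]$Path) {
    try { [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).OriginalFilename } catch { $null }
}

# 1. Hidden folders directly under C:\ProgramData, and renamed utilities inside them.
Get-ChildItem -Path $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object {
        Add-Finding 'HiddenProgramDataFolder' $_.FullName ('Attributes=' + $_.Attributes)
        Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.exe', '.dll', '.com') } |
            ForEach-Object {
                $orig = Get-OriginalFilename $_.FullName
                if ($orig -and ($orig.ToLower() -in $WatchedOriginals) -and ($orig -ine $_.Name)) {
                    Add-Finding 'RenamedWindowsUtility' $_.FullName "OriginalFilename=$orig"
                }
            }
    }

# 2. Running processes: renamed utilities, and script hosts fed a script from an untrusted path.
Get-CimInstance -ClassName Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    $name = [IO.Path]::GetFileName($_.ExecutablePath)
    $orig = Get-OriginalFilename $_.ExecutablePath
    if ($orig -and ($orig.ToLower() -in $WatchedOriginals) -and ($orig -ine $name)) {
        Add-Finding 'RenamedUtilityRunning' "$name (PID $($_.ProcessId))" $_.CommandLine
    }
    if (($name -in @('wscript.exe', 'cscript.exe')) -and ($_.CommandLine -match $UntrustedPathPattern)) {
        Add-Finding 'ScriptHostFromUntrustedPath' "$name (PID $($_.ProcessId))" $_.CommandLine
    }
}

# 3. UAC policy values that a tampering payload would lower or delete.
$uac = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
foreach ($valueName in $UacExpected.Keys) {
    $current = $uac.$valueName
    if ($null -eq $current -or $current -ne $UacExpected[$valueName]) {
        Add-Finding 'UacSettingChanged' "$UacKey\$valueName" "current=$current expected=$($UacExpected[$valueName])"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from this campaign found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Treat the output as a triage queue, not a verdict: some vendors legitimately create hidden folders under ProgramData, and a domain policy may set the UAC values differently from the defaults assumed here. A renamed curl.exe or bitsadmin.exe with a live command line pointing at a cloud object store, or EnableLUA set to 0 on a host where nobody changed it, is the strong signal.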

How to Protect Yourself

To defend against this campaign, organizations should start with endpoint controls: block or restrict the Windows script hosts (wscript.exe and cscript.exe) from running scripts out of untrusted, user-writable paths, and alert on renamed or hidden copies of Windows utilities. Test any script-host restriction in audit mode first, since logon and management scripts commonly depend on the same hosts.

Cloud traffic monitoring should look beyond the destination's reputation: a download from AWS or Tencent Cloud initiated by a renamed binary in C:\ProgramData is suspicious regardless of where it is hosted. Finally, tell users that WhatsApp attachments, including ones from known contacts, can carry scripts, and that a .vbs file is never a document. Combining these controls raises the cost of the whole chain rather than of one step in it.
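One concrete form of the script-host restriction above, using Microsoft Defender attack surface reduction (ASR) rules. This is an added example, not configuration from the Microsoft report; the three rule GUIDs are Microsoft's published ASR rule identifiers, and the choice of these three for a VBS-dropper chain is this example's. It first prints the current state of each rule so the weak setting is visible, then adds them in audit mode. It requires Microsoft Defender Antivirus as the active engine with real-time protection on, and an elevated session.

```powershell
# Added hardening example, not from the Microsoft report. Run elevated with
# Microsoft Defender Antivirus active. Start in AuditMode, review the audit
# events (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational
# log; 1121 is the block event), then change $Action to 'Enabled'.

$Action = 'AuditMode'   # switch to 'Enabled' once audit shows no business scripts are hit

# ASR rules relevant to a VBS dropper that pulls and runs follow-on executables.
$Rules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

# Report the current state of each rule before changing anything.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($id in $Rules.Keys) {
    $state = 'NotSet'   # an unconfigured rule behaves as Disabled
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $id) { $state = $ActionNames[[int]$acts[$i]]; break }
    }
    Write-Host ("{0,-10} {1}  {2}" -f $state, $id, $Rules[$id])
}

# Add-MpPreference merges into the existing rule list; Set-MpPreference would replace it wholesale.
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
}
```

ASR rules act on behaviour, not on path, so they cover the "downloaded script launches an executable" step regardless of where the dropper sits. The path-based half of the recommendation, denying wscript.exe and cscript.exe (or script files themselves) under ProgramData and user-writable folders, is an AppLocker or WDAC script-rule job and needs allow rules for the organization's own scripts before enforcement is turned on.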

🔒 Pro insight: This campaign is part of a broader shift toward delivering malware through trusted platforms, a messaging app for the lure and major cloud providers for hosting, which erodes the value of reputation-based blocking and pushes detection toward behaviour on the endpoint.

Original article: Microsoft Security Blog, Microsoft Defender Security Research Team.

Related Pings

HIGH · Malware & Ransomware
Axios Supply Chain Attack - Malicious Packages Discovered
A supply chain attack on Axios has led to malicious npm packages being distributed. Developers may have unknowingly installed a Remote Access Trojan. It's crucial to assess and secure your development environments to prevent exploitation.
Source: Malwarebytes Labs

HIGH · Malware & Ransomware
Venom Stealer - Continuous Credential Harvesting Threatens Users
Venom Stealer is a new malware that continuously steals credentials and cryptocurrency. Its advanced tactics pose a serious risk to users. Understanding its methods is vital for safeguarding sensitive data.
Source: SecurityWeek

HIGH · Malware & Ransomware
Ransomware - New Service Promises to Monetize Stolen Data
A new service called Leak Bazaar aims to monetize stolen data from ransomware attacks. This could lead to increased threats and exploitation of personal data. Experts are watching closely as this model unfolds.
Source: The Record

HIGH · Malware & Ransomware
EtherHiding - Covert Malware Threat in Developer Toolchain
A new malware campaign, EtherHiding, targets developers by hiding malicious code in their tools. This stealthy threat risks sensitive data and system integrity. Stay alert and secure your coding environment against these attacks.
Source: Canadian Cyber Centre News

HIGH · Malware & Ransomware
Malware - Backdoored LiteLLM Package Exposed by Trivy
A backdoored LiteLLM Python package was published by TeamPCP after compromising PyPI credentials via Trivy. Millions of users could be affected. It's crucial to check your installations and stay updated.
Source: Snyk Blog

HIGH · Malware & Ransomware
Malware - Axios npm Supply Chain Attack Unleashes RAT
A major supply chain attack on the Axios npm package has introduced a remote access trojan. Millions of users are at risk, prompting urgent security measures. Check your systems for malicious updates and take immediate action.
Source: SC Media