A novel malware campaign targeting Windows users via WhatsApp has surfaced, leveraging the trust users place in messaging apps. Malicious Visual Basic Script (VBS) files are being distributed through WhatsApp messages, capitalizing on the tendency of users to overlook suspicious attachments from known platforms.
Stealth Techniques and Cloud Utilization
This attack is notable for its ability to remain concealed within a typical operating environment. Attackers employ ‘living-off-the-land’ strategies, utilizing built-in Windows tools instead of introducing foreign programs. Legitimate utilities such as curl.exe and bitsadmin.exe are disguised as ordinary system files and hidden within the C:\ProgramData directory.
Further payloads are downloaded from reputable cloud services like AWS S3, Tencent Cloud, and Backblaze B2, making these downloads appear as normal system activity, thereby bypassing corporate firewalls and security measures.
Microsoft’s Findings and Analysis
In late February 2026, the Microsoft Defender Security Research Team identified this campaign, noting its combination of social engineering and stealthy infection techniques. The malware progresses through several stages, deploying malicious MSI packages that maintain persistence and establish remote access on compromised systems.
The unsigned MSI installer packages, such as Setup.msi and AnyDesk.msi, raise red flags due to their lack of a trusted publisher signature, a standard feature of legitimate enterprise software. Once executed, these installers enable attackers to steal data, launch further malware, or exploit the system for larger attacks.
Attack Execution and Mitigation Strategies
The attack initiates when a user opens the malicious VBS file sent via WhatsApp. This action triggers the creation of hidden folders and the deployment of renamed Windows tools, which retain their original metadata, providing a detectable signal for security systems.
Renamed tools facilitate the download of secondary VBS payloads from cloud-hosted infrastructures, with filenames mimicking legitimate Windows updates to evade detection. The malware alters User Account Control (UAC) settings, seeking administrative privileges to suppress security alerts and allow MSI installers to operate without interruption.
Microsoft advises blocking script hosts like wscript and cscript from untrusted paths, monitoring renamed utility executions, and inspecting traffic to cloud services. Tracking registry changes and flagging repeated UAC modifications are crucial for identifying active compromises.
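Two of the signals above, renamed utilities that still carry their original metadata and altered UAC policy values, can be swept for from a defender's PowerShell session. The script below is an added illustration, not code from the article or from Microsoft; the scan root is the directory the article names, and the UAC baseline values are an assumed workstation default to be adjusted to your own.

```powershell
# Added example (not from the article or from Microsoft): a triage sweep for
# two signals described above.
# 1. Executables under C:\ProgramData whose build-time version metadata
#    (OriginalFilename) does not match the name on disk, which is what a
#    renamed copy of curl.exe or bitsadmin.exe looks like.
# 2. UAC policy values that differ from an expected baseline.

$ScanRoot = 'C:\ProgramData'   # directory named in the article

function Find-RenamedUtility {
    param([string]$Root = $ScanRoot)
    Get-ChildItem -Path $Root -Recurse -Include *.exe -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # OriginalFilename is stamped into the PE resource at build time and
            # survives a rename on disk; -ne is case-insensitive in PowerShell.
            if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $_.Name)) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $vi.OriginalFilename
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
}

function Get-UacDrift {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Assumed baseline for a standard workstation; replace with your own.
    $baseline = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    $current  = Get-ItemProperty -Path $key
    foreach ($name in $baseline.Keys) {
        $actual = $current.$name
        if ($null -eq $actual -or $actual -ne $baseline[$name]) {
            [pscustomobject]@{ Value = $name; Expected = $baseline[$name]; Actual = $actual }
        }
    }
}

Find-RenamedUtility | Format-Table -AutoSize
Get-UacDrift        | Format-Table -AutoSize
```

A name mismatch is a lead to triage rather than a verdict on its own, since some legitimate installers also ship renamed binaries; the Signature column helps separate the two cases.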
Implementing Endpoint Detection and Response (EDR) in block mode, tamper protection, and attack surface reduction rules can thwart malicious activity. Educating users to be cautious of unexpected WhatsApp attachments, even from familiar contacts, provides a frontline defense against this threat.
