Microsoft has issued a warning about a newly identified cyber campaign that uses WhatsApp messages to spread malicious Visual Basic Script (VBS) files. This attack, first observed in late February 2026, demonstrates how threat actors continue to exploit trusted communication platforms to bypass traditional security defenses.

To begin with, attackers initiate the campaign by sending VBS files through WhatsApp. Once a user executes the file, the malware launches a multi-stage infection chain designed to establish persistence and enable remote access. Although researchers have not yet identified the exact lures used, the attack clearly relies on user interaction, making social engineering a critical component.

“The campaign relies on a combination of social engineering and living-off-the-land techniques,” the Microsoft Defender Security Research Team said. “It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system.”

Notably, the attackers disguise their activity by renaming legitimate Windows tools: “curl.exe” becomes “netapi.dll” and “bitsadmin.exe” becomes “sc.exe.” The malware then creates hidden directories within “C:\ProgramData,” allowing it to operate quietly without raising suspicion.
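The renaming trick described above leaves a detectable seam: a PE file's version resource keeps its OriginalFileName after the file is renamed on disk, and process-creation telemetry such as Sysmon Event ID 1 records both names. The following detection sketch is an added example, not Microsoft's code or anything from the report; the event records are constructed to mimic Sysmon fields, and the WATCHED_UTILITIES list is an assumed starting point built from the two renames the article names.

```python
"""Detection sketch: flag renamed Windows utilities in process-creation telemetry."""
import ntpath

# Utilities the campaign is reported to rename (curl.exe -> netapi.dll,
# bitsadmin.exe -> sc.exe). Assumed starting watchlist; extend for your estate.
WATCHED_UTILITIES = {"curl.exe", "bitsadmin.exe"}

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
# OriginalFileName is read from the binary's PE version resource, so it survives
# a rename on disk; the on-disk name is the basename of Image. Sysmon writes "-"
# when the binary carries no version info.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\ProgramData\svc\netapi.dll", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\ProgramData\svc\sc.exe", "OriginalFileName": "bitsadmin.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\x.exe", "OriginalFileName": "-"},
]


def find_renamed_utilities(events):
    """Return one finding per event whose on-disk name differs from the
    OriginalFileName of a watched utility. Events with no version info ("-")
    are skipped here; they deserve a separate, lower-confidence rule."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName", "-").lower()
        if original == "-" or original not in WATCHED_UTILITIES:
            continue
        on_disk = ntpath.basename(ev["Image"]).lower()
        if on_disk == original:
            continue  # name matches version info: not a rename
        findings.append({
            "image": ev["Image"],
            "original": original,
            # Execution from C:\ProgramData raises severity, matching the
            # staging location the report describes.
            "in_programdata": ev["Image"].lower().startswith("c:\\programdata\\"),
        })
    return findings


if __name__ == "__main__":
    for f in find_renamed_utilities(SAMPLE_EVENTS):
        where = " (under ProgramData)" if f["in_programdata"] else ""
        print(f"renamed {f['original']} running as {f['image']}{where}")
```

A plain name-mismatch rule without a watchlist will fire on many legitimate installers and updaters, so keep the list explicit and tune it against your own baseline.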

Furthermore, once the attackers gain initial access, they move quickly to strengthen their foothold. They download additional malicious scripts from reputable cloud platforms such as AWS, Tencent Cloud, and Backblaze B2. Because these platforms are widely trusted, this tactic helps the attackers blend malicious traffic with normal network activity, making detection significantly harder.

“Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses,” Redmond said. “It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots.”

As a result, the attackers successfully bypass UAC protections and gain elevated privileges without requiring additional user approval. They then deploy unsigned MSI installers, including legitimate remote access tools such as AnyDesk, to maintain persistent control over the compromised system. This enables them to exfiltrate sensitive data or deploy further malicious payloads.

“This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting,” Microsoft said.

Overall, this campaign highlights the increasing sophistication of modern malware attacks. By combining social engineering, trusted cloud services, and system-level evasion techniques, attackers can significantly increase their success rates. Therefore, organizations must strengthen endpoint monitoring, restrict unnecessary tool usage, and educate users about suspicious file executions to mitigate such threats effectively.
