Kaspersky Uncovers WhatsApp Malware Campaign Hitting SEA Users

Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a large-scale crimeware campaign distributing malicious VBScript files through WhatsApp, with victims identified across Malaysia, Singapore, Vietnam, Taiwan, and Brazil. Malaysia recorded the highest concentration of affected users.

The campaign targets WhatsApp Desktop and WhatsApp Web users and was disclosed in June 2026. It represents a notable escalation in the abuse of trusted consumer messaging platforms for enterprise-grade malware delivery.

How the Campaign Operates

Attackers gain initial access by compromising WhatsApp accounts, then use those accounts to send malicious file attachments to existing contacts. Because the messages appear to originate from known individuals, recipients are significantly more likely to open them.

The malicious files are disguised as routine business documents — invoices, bank statements, payment records, and debt notices. File names are localised into multiple languages including English, Portuguese, French, German, and Malay, indicating deliberate targeting across both Southeast Asia and Europe. The VBScript samples themselves contain comments and metadata crafted to impersonate legitimate Microsoft Windows Update components, adding a further layer of deception.

“Attackers are exploiting trust within messaging platforms by using compromised WhatsApp accounts to deliver malicious attachments that appear to originate from known contacts, making recipients far more inclined to engage with them,” said Fareed Radzi, security researcher at Kaspersky GReAT. “Once opened, they trigger a staged infection chain that silently retrieves and executes additional malicious components from external infrastructure.”

Multi-Stage Infection Chain

Once a victim opens the attachment, the VBScript creates a working directory under C:\Users\Public\Documents\ and retrieves additional script files from external attacker-controlled infrastructure, executing them via Windows Script Host. Follow-up scripts perform further system actions before downloading a compressed archive containing an installation package for remote monitoring and management (RMM) software — granting the attacker persistent remote access through tools designed for legitimate IT administration.

The use of RMM software as a payload is a technique increasingly favoured by crimeware operators as it allows remote access without deploying conventional malware binaries that endpoint security tools are tuned to detect.

Recommendations

Kaspersky GReAT advises users to exercise caution with unexpected WhatsApp attachments even from known contacts, and to avoid opening script or executable file types — including .vbs, .vbe, .exe, .bat, .cmd, .js, and .ps1 — without independent verification of their legitimacy. The full technical report is available on Securelist.com.
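As an added example (not from the Kaspersky report or this article), the following Python detection pass runs over constructed process-creation log lines and flags Windows Script Host (wscript.exe/cscript.exe) launching the .vbs, .vbe and .js types from the list above, raising severity when the script runs from under the C:\Users\Public\Documents\ staging location described in the infection chain. The `Key=value; Key=value` log format, the sample paths and user names, and the C:\Windows\ allowlist are assumptions for illustration.

```python
import re

# Windows Script Host binaries and the WSH-run file types from the advisory's list.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WSH_EXTENSIONS = (".vbs", ".vbe", ".js")
# Location under which the campaign's first-stage VBScript creates its working directory.
STAGING_DIR = "c:\\users\\public\\documents\\"
BENIGN_PREFIXES = ("c:\\windows\\",)  # tuning assumption: Windows' own scripts (e.g. slmgr.vbs)

def parse_event(line):
    """Parse one 'Key=value; Key=value' process-creation record (constructed log format)."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.lower()] = value.strip()
    return fields

def script_argument(cmdline):
    """Return the first command-line token (quoted or bare) that names a WSH script file."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        token = quoted or bare
        if token.lower().endswith(WSH_EXTENSIONS):
            return token
    return None

def detect(lines):
    """Return (line_no, severity, script_path): 'high' when the script runs from the
    Public\\Documents staging area, 'medium' for any other non-Windows script path."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue
        path = script_argument(ev.get("commandline", ""))
        if path is None or path.lower().startswith(BENIGN_PREFIXES):
            continue
        severity = "high" if path.lower().startswith(STAGING_DIR) else "medium"
        findings.append((n, severity, path))
    return findings

# Constructed sample events; not taken from the Kaspersky report.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wscript.exe; CommandLine=wscript.exe "C:\Users\alice\Downloads\invoice_march.vbs"; User=CORP\alice',
    r'Image=C:\Windows\System32\wscript.exe; CommandLine="C:\Windows\System32\wscript.exe" //B C:\Users\Public\Documents\upd\stage2.vbs; User=CORP\alice',
    r'Image=C:\Windows\System32\cscript.exe; CommandLine=cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli; User=SYSTEM',
    r'Image=C:\Windows\explorer.exe; CommandLine=explorer.exe; User=CORP\alice',
]
```

Running `detect(SAMPLE_EVENTS)` flags the Downloads invoice script as medium and the Public\Documents second stage as high, while the Windows-shipped slmgr.vbs launch and the non-script-host event produce nothing.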
