
Global alert: WhatsApp malware campaign targets computer users worldwide

Kaspersky researchers have uncovered a large-scale malware campaign spreading through WhatsApp across multiple countries, including Vietnam. Attackers are leveraging compromised WhatsApp accounts to distribute malicious VBScript files disguised as business documents, ultimately installing remote administration tools that allow them to take control of victims' computers.

WhatsApp has become one of the latest platforms exploited by cybercriminals to distribute malware. According to a recent report from Kaspersky, threat actors are using compromised WhatsApp accounts to send malicious files directly to contacts. By disguising these files as legitimate business documents, attackers increase the likelihood that recipients will open them and unknowingly compromise their systems.

How does the WhatsApp malware campaign work?

According to Kaspersky, the attacks begin with messages sent from previously compromised WhatsApp accounts. These messages typically contain a single VBScript file disguised as a familiar business-related document, such as a financial report, invoice, billing statement, or account notification.

Examples of WhatsApp messages containing malicious VBScript files. Source: victim's social media post.

The filenames have been observed in multiple languages, indicating that the campaign targets users across various regions worldwide. Kaspersky's telemetry data shows activity in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

What happens after the victim opens the file?

Once a victim downloads and executes the VBScript file on a Windows device, a multi-stage infection process begins.

The initial script downloads additional payloads from attacker-controlled infrastructure. These scripts modify Windows Registry settings to weaken certain security protections and then retrieve a ZIP archive containing ManageEngine Endpoint Central.

Contents of the ZIP file

ManageEngine Endpoint Central is a legitimate IT administration tool widely used by organizations for centralized device management. In this campaign, however, attackers abuse the software by configuring it to connect to servers under their control, effectively granting them remote administrative access to the victim's computer.

Why is this attack particularly dangerous?

One of the most concerning aspects of the campaign is that the malicious messages originate from legitimate WhatsApp accounts that have already been compromised.

Overview of the attack sequence

Because the files appear to come from trusted contacts, colleagues, or business partners, recipients are more likely to open them without suspicion. This trust-based approach significantly increases the success rate of the attack compared to traditional phishing campaigns.

Kaspersky also notes that when the malicious file is delivered through WhatsApp Desktop, it may be executed directly through Windows Script Host (wscript.exe), potentially accelerating the infection process.
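The execution path just described, Windows Script Host launching a .vbs attachment, is something defenders can look for in process-creation telemetry. The Python below is an added example, not code from Kaspersky or this article: it scans constructed Sysmon-style records and assumes the field names Image, CommandLine and ParentImage, and the parent process name WhatsApp.exe for WhatsApp Desktop.

```python
import re
from pathlib import PureWindowsPath

# Script hosts that execute .vbs files. The WhatsApp Desktop process name
# is an assumption for this example, not a value from the report.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs"}
MESSENGER_PARENTS = {"whatsapp.exe"}  # assumed

def parse_event(line):
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def script_path(cmdline):
    """Return the first argument (quoted or bare) that names a .vbs file."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        arg = quoted or bare
        if PureWindowsPath(arg).suffix.lower() in SCRIPT_EXTS:
            return arg
    return None

def classify(event):
    """Alert when a script host is launched on a .vbs file; rate it 'high'
    if the parent is the messaging client, otherwise 'medium'."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return None
    path = script_path(event.get("CommandLine", ""))
    if path is None:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    severity = "high" if parent in MESSENGER_PARENTS else "medium"
    return {"severity": severity, "script": path, "parent": parent}

def scan(lines):
    """Run classify() over a log and collect the alerts in order."""
    return [hit for hit in map(classify, map(parse_event, lines)) if hit]

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\wscript.exe|CommandLine="
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_2024.vbs"'
    r"|ParentImage=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
    r"Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo "
    r"C:\Scripts\backup.vbs|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Program Files\WinRAR\WinRAR.exe|CommandLine=WinRAR.exe x report.zip"
    r"|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe /?"
    r"|ParentImage=C:\Windows\System32\cmd.exe",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts: the WhatsApp-spawned invoice script as high severity and the cmd.exe-spawned backup script as medium, while the archiver launch and the argument-less wscript.exe call produce nothing.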

What clues have researchers found about the threat actors?

At the time of publication, Kaspersky has not attributed the campaign to any specific threat group.

Researchers identified indications of Chinese-language usage within parts of the operation and observed infrastructure overlaps with IP addresses previously associated with ValleyRAT and Gh0st RAT activity. However, Kaspersky emphasizes that there is currently insufficient evidence to confidently attribute the campaign to a particular actor.

How can users protect themselves?

Security experts recommend exercising caution when receiving files through WhatsApp, even if they come from trusted contacts.

Before opening any unexpected attachment, users should verify its legitimacy through an alternative communication channel whenever possible. Additionally, all downloaded files should be scanned using up-to-date security software before execution.

Users should be especially cautious with executable file types and scripts, including .vbs, .exe, .bat, and other files that can run code on a system.

Frequently Asked Questions

What is a VBScript File?

VBScript is a scripting language supported by Windows that can automate various tasks. Cybercriminals often abuse VBScript files to execute malicious code when users open them.

Has WhatsApp itself been compromised?

Based on the information available, Kaspersky has only confirmed that individual WhatsApp accounts were compromised and then used to distribute malicious files. There is no evidence in the report suggesting that WhatsApp's core infrastructure was breached.

Are users in Vietnam affected?

Yes. Vietnam is among the countries where Kaspersky observed activity related to this malware campaign.

The newly discovered WhatsApp malware campaign highlights how cybercriminals continue to exploit popular communication platforms to distribute malicious software and expand their reach. By leveraging compromised accounts and disguising malware as routine business documents, attackers increase the likelihood of successful infections. Maintaining a cautious approach toward file attachments and verifying unexpected messages remain essential steps in reducing the risk of device compromise.
