MICROSOFT has highlighted a new WhatsApp-delivered malware campaign that uses Visual Basic Script files to hijack Windows via a UAC bypass and establish persistence for remote access. The activity began in late February 2026 and distributes malicious VBS files through WhatsApp messages, initiating a multi-stage infection chain.
It involves renaming legitimate Windows utilities (curl[.]exe as netapi[.]dll and bitsadmin[.]exe as sc[.]exe) and dropping payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, before installing malicious MSI packages to maintain control. Once a foothold is gained, the attackers aim to persist and escalate privileges: the malware tampers with UAC settings and uses registry modifications under HKLM\Software\Microsoft\Win to survive reboots.
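As an added example (not from Microsoft's report), the following Python routine shows one way a defender can flag the renamed-utility trick described above: it compares the on-disk file name with the OriginalFileName that the binary's version resource reports, as surfaced in Sysmon process-creation telemetry. The sample events, paths and verdict labels are constructed for illustration.

```python
"""Flag renamed Windows utilities (curl -> netapi.dll, bitsadmin -> sc.exe)
in Sysmon-style process-creation events. Sysmon Event ID 1 logs the PE
version-resource OriginalFileName beside the on-disk Image path, so a
mismatch means the file was renamed. Sample events are constructed."""
from pathlib import PureWindowsPath
from typing import Optional

# Renames reported for this campaign: on-disk name -> genuine utility.
KNOWN_RENAMES = {
    "netapi.dll": "curl.exe",
    "sc.exe": "bitsadmin.exe",
}

# Constructed Sysmon-like events (field names follow Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Users\Public\netapi.dll", "OriginalFileName": "curl.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe"},
    {"Image": r"C:\ProgramData\sc.exe", "OriginalFileName": "bitsadmin.exe"},
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Tools\x.exe", "OriginalFileName": "-"},  # no version info
]

def classify(event: dict) -> Optional[str]:
    """Return a verdict for one event, or None when nothing is suspicious."""
    image_name = PureWindowsPath(event["Image"]).name.lower()
    original = event.get("OriginalFileName", "-").lower()
    if original == "-":
        return None          # Sysmon logs "-" when the PE has no version info
    if image_name == original:
        return None          # on-disk name matches what the binary calls itself
    if KNOWN_RENAMES.get(image_name) == original:
        return "known-campaign-rename"   # exact pair reported for this campaign
    return "renamed-binary"  # generic masquerade; benign aliases exist, so triage

def scan(events: list) -> list:
    """Return (image, original_name, verdict) for every flagged event."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append((ev["Image"], ev["OriginalFileName"], verdict))
    return findings

if __name__ == "__main__":
    for image, original, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:22} {image}  (reports itself as {original})")
```

Legitimate binaries sometimes carry an OriginalFileName that differs from their installed name, so the generic verdict is a triage lead rather than a conviction; the known-pair verdict is the high-confidence one.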
The campaign also makes use of legitimate tools such as AnyDesk to provide persistent remote access, and relies on social engineering and living-off-the-land techniques, according to the Microsoft Defender Security Research Team. This combination of tactics, trusted cloud hosting, and unsigned MSI installers underscores the need for heightened vigilance against WhatsApp-delivered threats.