A malware campaign has been identified that distributes malicious VBScript files via WhatsApp, primarily targeting users of WhatsApp Desktop and Web in multiple countries including Malaysia, Brazil, and India. The attack employs social engineering tactics, using fake file names resembling business documents to trick users into executing the scripts.
The infection unfolds in stages, starting with the execution of a VBScript that downloads secondary scripts, modifies system settings, and ultimately installs Remote Monitoring and Management (RMM) software. Most victims are individuals, and the diverse languages used in the malicious file names point to a broad targeting approach. The campaign has connections to earlier threats, suggesting a possible link to Chinese-speaking threat actors, but no definitive attribution has been made.