www.malwarebytes.com 4/1/2026, 3:25:03 PM · via preferred

WhatsApp on Windows users targeted in new campaign, warns Microsoft

First seen 2026-04-01T13:49:32.240Z · Last seen 2026-04-01T15:25:03.090Z

Primary Source microsoft.com

Microsoft researchers found a campaign that abuses WhatsApp attachments to sneak a script onto Windows machines, ultimately giving the attacker remote control. The attack chain starts with a WhatsApp attachment that looks harmless but is actually a .vbs file that Windows can execute; when run, it copies built-in Windows tools into a hidden folder and renames them to look innocuous.

The malware then downloads further payloads from popular cloud providers, so the network traffic looks like normal access to AWS, Tencent Cloud, or Backblaze. It also elevates privileges to administrator, tweaks UAC prompts and registry settings to persist across reboots, and finally installs an unsigned MSI that sets up remote-access software and other payloads for ongoing access.

Last year, Meta closed a vulnerability that allowed arbitrary code execution on Windows in all WhatsApp versions before 2.2450.6, but the current campaign relies on social engineering rather than exploiting that flaw. Home users and small businesses are advised to avoid unsolicited attachments, enable file name extensions in Explorer, and keep Windows and security software up to date.
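For defenders, the renamed built-in Windows tools described above leave a checkable trace: a copied binary keeps the OriginalFilename in its version resource even after the file is renamed. The PowerShell sketch below is an added example, not code from Microsoft or Malwarebytes; the function name and the default `$Root` folder are assumptions, since the article names no specific path.

```powershell
# Added example (not from the source article): flag files whose on-disk name
# differs from the OriginalFilename stored in their PE version resource.
param(
    # Assumption: folder to inspect; the article names no specific path.
    [string]$Root = $env:ProgramData
)

function Get-RenamedMicrosoftBinary {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden and system items, which a normal listing skips.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # Files without a version resource (non-PE files) are skipped.
            if ([string]::IsNullOrWhiteSpace($info.OriginalFilename)) { return }
            if ($info.CompanyName -notmatch 'Microsoft') { return }

            # Localized resources may record "name.exe.mui"; drop the suffix.
            $original = $info.OriginalFilename.Trim() -replace '\.mui$', ''
            if ($original -ieq $_.Name) { return }

            $dirHidden = [bool]($_.Directory.Attributes -band [IO.FileAttributes]::Hidden)
            [pscustomobject]@{
                Path             = $_.FullName
                OriginalFilename = $original
                FileHidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                FolderHidden     = $dirHidden
                Signature        = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
}

# Results are leads to review, not verdicts: some legitimate Microsoft files
# ship under a name that differs from their OriginalFilename.
Get-RenamedMicrosoftBinary -Path $Root |
    Sort-Object FolderHidden, FileHidden -Descending |
    Format-Table -AutoSize -Wrap
```

Run it against user-writable locations first; a Microsoft-built binary with a mismatched name inside a hidden folder is the combination that matches the behaviour described in the article.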

Article by CyberSIXT
