
According to SecurityOnline, a new WhatsApp malware campaign has been observed sending malicious VBScript files to users, primarily in Malaysia, and hijacking the compromised accounts to spread the payload further. The lure is social engineering: the scripts are disguised as financial documents, and opening one leads to the silent installation of remote management tools.
The VBScript is obfuscated; when executed, it downloads additional scripts that alter system settings to weaken Windows security mechanisms. It then drops a legitimate Remote Monitoring and Management (RMM) application, giving the attackers full remote control of the infected machine without raising alarms, because the tool is a genuine product rather than custom malware.
No CVE identifiers are associated with this campaign: it relies on the victim executing a script, not on a software vulnerability. The initial payload is delivered through WhatsApp Desktop or WhatsApp Web, taking advantage of the platform's file-sharing feature; although Malaysia is the primary target, victims have been reported in other countries, including Brazil and India.
Researchers note that the activity has been ongoing since mid-June 2026 and shows links to earlier threats attributed to Chinese-speaking actors, although no specific group has been named, as reported by SecureList. The broad use of localized file names points to a widespread, opportunistic campaign aimed at private individuals rather than enterprises.
The campaign leverages legitimate RMM software to blend in with normal administrative tooling, which makes it harder for traditional antivirus solutions to flag. Indicators a victim might notice include unusual outbound network connections and unexpected changes to registry keys that let the RMM agent persist across reboots.
Users should treat any unexpected script attachment received via WhatsApp with suspicion and should not open files with extensions such as .vbs, .vbe, .js, .jse or .wsf unless they are certain of the sender's intent; a genuine invoice or bank statement does not arrive as a script. Keeping endpoint protection up to date and enabling script-blocking features (for example, pointing the default handler for script files away from the Windows Script Host, or enabling Microsoft Defender's Attack Surface Reduction rules for scripts) reduces the chance that a double-click results in execution.
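The two script-blocking measures mentioned above, as an added example in PowerShell (this is not code from the SecurityOnline or SecureList reports). It assumes Microsoft Defender is the endpoint protection in use, that the script runs elevated, and that the backup file path is acceptable in your environment; the ASR rule GUIDs are Microsoft's published identifiers for the two rules named in the comments.

```powershell
# Added hardening example (not from the original reports). Run elevated.
# 1) Remap the shell "open" verb of Windows Script Host file types to Notepad, so a
#    double-clicked lure script is displayed instead of executed. Explicit
#    "cscript.exe file.vbs" / "wscript.exe file.vbs" invocations are unaffected.
# 2) Enable two Defender ASR rules that target script-based initial access.
#Requires -RunAsAdministrator

$progIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
$notepad = '"%SystemRoot%\System32\notepad.exe" "%1"'
$backupPath = "$env:ProgramData\script-handler-backup.json"   # assumption: location for rollback data

$backup = @{}
foreach ($progId in $progIds) {
    # HKCR writes land in HKLM\Software\Classes, so this applies machine-wide.
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (-not (Test-Path $key)) { continue }

    # Keep the original command (normally "%SystemRoot%\System32\WScript.exe" "%1" %*) for rollback.
    $backup[$progId] = (Get-ItemProperty -Path $key).'(default)'

    # REG_EXPAND_SZ so %SystemRoot% is still expanded by the shell.
    Set-ItemProperty -Path $key -Name '(default)' -Value $notepad -Type ExpandString
    Write-Host "Remapped $progId open verb to Notepad"
}
$backup | ConvertTo-Json | Set-Content -Path $backupPath
Write-Host "Original handlers saved to $backupPath"

# ASR rules (Microsoft's published rule IDs). Use -AttackSurfaceReductionRules_Actions AuditMode
# first on a fleet to see what would be blocked before switching to Enabled.
$asrRules = [ordered]@{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR rule enabled: $($rule.Value)"
}

# Verify: both IDs should now appear in the active rule list.
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

Caveat: these settings stop the first double-click from running a script under the Windows Script Host; they do not help once a dropper is already running with administrative rights, since the report describes the additional scripts altering system settings, which could include reverting changes like these. A per-user file association override (under the user's FileExts key) would also take precedence over the machine-wide ProgId handler, so check for one on shared machines.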
Administrators are advised to monitor for the installation of RMM binaries that are not part of the sanctioned toolset and to enforce application control policies (AppLocker or Windows Defender Application Control) that allow only the approved remote management tool. Regular review of autorun entries (Run keys, services, scheduled tasks) and of outbound network logs can identify compromised machines before the attackers consolidate control.
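A host triage script for the review described above, as an added example in PowerShell (not code from the reports). It walks services, Run keys, scheduled tasks, running processes and established TCP connections, and flags anything that names an RMM agent outside an approved list or that invokes a Windows Script Host binary. The approved product, the RMM name pattern and the `Invoke-RmmTriage` function name are assumptions to adapt to your own environment; the campaign's specific RMM product is not named in the reports.

```powershell
# Added triage example (not from the original reports). Run elevated on a suspect host.
#Requires -RunAsAdministrator

function Invoke-RmmTriage {
    param(
        # Assumption: the organisation's sanctioned RMM product(s). Matches against these are not flagged.
        [string[]] $ApprovedRmm = @('ScreenConnect'),
        # Generic name pattern for common RMM / remote-access agents; extend for your environment.
        [string]   $RmmPattern  = 'ScreenConnect|ConnectWise|AnyDesk|TeamViewer|Atera|Splashtop|NinjaOne|RustDesk|SimpleHelp|Syncro|LogMeIn|Action1',
        # Script hosts associated with the VBScript dropper stage.
        [string]   $ScriptHost  = '\b(wscript|cscript|mshta)(\.exe)?\b'
    )
    $approvedPattern = ($ApprovedRmm | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $findings = [System.Collections.Generic.List[object]]::new()

    # Records a finding when the detail string names an unapproved RMM agent or a script host.
    function Add-Finding([string]$Source, [string]$Name, [string]$Detail) {
        if ([string]::IsNullOrWhiteSpace($Detail)) { return }
        $reason = $null
        if ($Detail -match $RmmPattern -and -not ($approvedPattern -and $Detail -match $approvedPattern)) {
            $reason = 'RMM agent not in approved list'
        } elseif ($Detail -match $ScriptHost) {
            $reason = 'Windows Script Host / mshta invoked'
        }
        if ($reason) {
            $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Reason = $reason; Detail = $Detail })
        }
    }

    # 1) Services: RMM agents almost always install as a service.
    Get-CimInstance Win32_Service | ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

    # 2) Run / RunOnce keys for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -notmatch '^PS') { Add-Finding 'RunKey' "$key\$($prop.Name)" "$($prop.Value)" }
        }
    }

    # 3) Scheduled tasks: only exec-type actions carry an Execute path.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $taskName = "$($_.TaskPath)$($_.TaskName)"
        foreach ($action in $_.Actions) {
            if ($action.Execute) { Add-Finding 'ScheduledTask' $taskName "$($action.Execute) $($action.Arguments)" }
        }
    }

    # 4) Running processes, with full command lines (catches a live wscript.exe stage).
    Get-CimInstance Win32_Process | ForEach-Object {
        Add-Finding 'Process' "$($_.Name) (PID $($_.ProcessId))" $_.CommandLine
    }

    # 5) Established outbound connections, mapped back to the owning process name.
    $procName = @{}
    Get-Process | ForEach-Object { $procName[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $name = $procName[[int]$_.OwningProcess]
            Add-Finding 'Network' "$name (PID $($_.OwningProcess))" "$name -> $($_.RemoteAddress):$($_.RemotePort)"
        }

    $findings
}

# Usage: review the table on the console and keep a CSV for the incident record.
Invoke-RmmTriage | Format-Table -AutoSize -Wrap
Invoke-RmmTriage | Export-Csv -NoTypeInformation -Path "$env:TEMP\rmm-triage-$env:COMPUTERNAME.csv"
```

The checks are deliberately noisy rather than precise: a second RMM agent on a machine that should have one, or a script host wired into a Run key or scheduled task, is worth a human look even when it turns out to be benign. Pair the output with the application control policy mentioned above so that anything this finds is also something that should not have been able to run.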