
A new malware campaign is using WhatsApp to deliver fake business documents that install ManageEngine Endpoint Central on victims' computers, according to Kaspersky's analysis. The operation was first spotted on 22 June 2026 and has already affected users in several countries, with Malaysia accounting for the bulk of the infections. Researchers note that the attackers hijack existing chat threads, so the malicious messages appear to come from trusted contacts. This social-engineering tactic increases the likelihood that recipients will open the attachment without suspicion.
The malicious files arrive as VBScript attachments that mimic invoices, debt notices or routine purchase orders, as detailed by Socradar. When a user double-clicks the file, the script runs under the Windows Script Host and begins a multi-stage infection chain. First, it contacts an external server to download additional payloads, including a small downloader that prepares the system for the next step. Second, it modifies values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, the key that holds the User Account Control policy settings such as EnableLUA and ConsentPromptBehaviorAdmin, to suppress or reduce UAC prompts; writing to this HKLM key itself requires administrative rights, so the script must already be running elevated or have had an earlier prompt accepted. Finally, it silently executes the installer for ManageEngine Endpoint Central, a legitimate remote-management tool, giving the attacker full control over the host.
This gives attackers persistent remote access without raising typical security alerts, as noted by Security Affairs. Because ManageEngine is a legitimate utility commonly used by IT departments, many endpoint protection products do not flag its installation as malicious. The attackers also rely on living-off-the-land techniques, using native Windows utilities such as PowerShell and reg.exe to carry out the registry changes and file transfers. These actions blend with normal administrative activity, making them harder for security monitoring to separate from legitimate work. Delivery over a trusted communication platform compounds the problem, because users are less likely to scrutinise files received via WhatsApp.
Kaspersky's analysis, published on Securelist, shows the campaign has been active for at least a day and continues to evolve, with minor variations in the lure documents. No specific threat-actor group has been linked to the activity, but the concentration of infections in Malaysia suggests either a regional focus or a testbed for broader operations. The abuse of a trusted administration utility shows how attackers can hide malicious behaviour inside authorised software to evade detection, and fits a growing trend of living-off-the-land and legitimate-tool hijacking observed in recent cyber-crime campaigns.
The incident underlines the risk posed by seemingly innocuous files shared over messaging platforms, especially when they appear to come from known contacts. It also demonstrates how legitimate remote-management tools can be repurposed for covert control, a tactic increasingly seen in supply-chain and living-off-the-land attacks. Organisations that rely on ManageEngine for internal IT management should review their monitoring policies so that an agent installed outside the normal deployment process stands out as an unusual usage pattern.
Defenders should treat any unexpected attachment received via WhatsApp or other chat apps as suspicious regardless of the sender. Restrict the script hosts wscript.exe and cscript.exe to the business processes that explicitly require them, block unsigned scripts from running, and alert on writes to the registry values that control User Account Control (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under the Policies\System key), particularly when the writing process is reg.exe, PowerShell or a script host rather than the Group Policy client. Ensure endpoint protection is configured to detect abnormal use of ManageEngine, such as an installer launched by a script host, atypical service starts, or connections to IP addresses that are not the organisation's own Endpoint Central server.
Consider application-control policies (for example AppLocker or Windows Defender Application Control) that only allow approved remote-management tools from verified sources, and regularly review logs for signs of lateral movement or credential-access attempts.
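The detection advice above can be expressed as a small set of checks over endpoint telemetry. The following is an added example, not code from Kaspersky, Socradar or ManageEngine: it runs three rules over Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) that correspond to the stages described in the infection chain (script host launched on a .vbs from a user-writable path, a UAC policy value weakened, a ManageEngine installer started by a script host or PowerShell) and then links findings that share a process lineage, so the full chain surfaces as one alert rather than three. Field names follow Sysmon; the sample events, file names, paths and process GUIDs are constructed for the example and are not indicators from the campaign, and the ".vbs in a Downloads or AppData path" and "manageengine in the image path" patterns are assumptions a team would tune to its own environment.

```python
"""Chain detection for script-host -> UAC tamper -> RMM install (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPTED_PARENTS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Key that holds the UAC policy values; value 0 weakens each of these.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Assumption: scripts delivered by chat apps land in Downloads or AppData.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)

# Constructed Sysmon-like events: one malicious lineage rooted at {A1}, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{EXP}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\WhatsApp Files\Invoice_0617.vbs"'},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"EventID": 13, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessGuid": "{C3}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\ManageEngine_Agent_Setup.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\ManageEngine_Agent_Setup.exe" /silent'},
    # Benign: Group Policy client re-asserting EnableLUA=1, and a logon script from a domain share.
    {"EventID": 13, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessGuid": "{E5}", "ParentProcessGuid": "{SVC}",
     "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r"cscript.exe //nologo \\corp.example\SYSVOL\corp.example\scripts\logon.vbs"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    process_guid: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dword(details: str) -> int | None:
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def check_script_host(ev: dict) -> Finding | None:
    """Stage 1: wscript/cscript running a .vbs from a user-writable location."""
    if ev["EventID"] != 1 or _basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    cmd = ev["CommandLine"]
    if ".vbs" in cmd.lower() and USER_WRITABLE.search(cmd):
        return Finding("script_host_user_path", ev["ProcessGuid"], cmd)
    return None


def check_uac_tamper(ev: dict) -> Finding | None:
    """Stage 2: a UAC policy value under Policies\\System set to 0 (weakened)."""
    if ev["EventID"] != 13:
        return None
    key, _, value = ev["TargetObject"].lower().rpartition("\\")
    if key != UAC_KEY or value not in UAC_VALUES or _dword(ev["Details"]) != 0:
        return None
    return Finding("uac_policy_weakened", ev["ProcessGuid"], f"{value}=0 by {ev['Image']}")


def check_rmm_install(ev: dict) -> Finding | None:
    """Stage 3: a ManageEngine binary whose parent is a script host or shell."""
    if ev["EventID"] != 1 or "manageengine" not in ev["Image"].lower():
        return None
    if _basename(ev["ParentImage"]) in SCRIPTED_PARENTS:
        return Finding("rmm_installed_by_script", ev["ProcessGuid"], ev["CommandLine"])
    return None


CHECKS = (check_script_host, check_uac_tamper, check_rmm_install)


def detect(events: list[dict]) -> list[Finding]:
    return [f for ev in events for chk in CHECKS if (f := chk(ev))]


def lineage(events: list[dict]) -> dict[str, str]:
    """Map each observed ProcessGuid to the topmost observed ancestor in its process tree."""
    parent = {ev["ProcessGuid"]: ev["ParentProcessGuid"] for ev in events if ev["EventID"] == 1}

    def root(g: str) -> str:
        seen = {g}
        while parent.get(g) in parent and parent[g] not in seen:
            g = parent[g]
            seen.add(g)
        return g

    return {g: root(g) for g in parent}


def chains(events: list[dict]) -> dict[str, list[str]]:
    """Root processes under which at least two distinct stages fired: the full chain."""
    roots = lineage(events)
    grouped: dict[str, set[str]] = defaultdict(set)
    for f in detect(events):
        grouped[roots.get(f.process_guid, f.process_guid)].add(f.rule)
    return {r: sorted(rules) for r, rules in grouped.items() if len(rules) >= 2}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.process_guid:6} {f.detail}")
    print("chains:", chains(SAMPLE_EVENTS))
```

The lineage step is what turns three medium-confidence signals into one high-confidence alert: the Group Policy client writing EnableLUA=1 and a domain logon script run by gpscript.exe produce no findings, while the wscript.exe process started from the Downloads folder is the common ancestor of both the reg.exe write and the silent installer. In production the same rules map onto Sysmon Event IDs 1 and 13, or onto the equivalent EDR process and registry telemetry.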