
MICROSOFT has warned that WhatsApp users on Windows are being targeted by a new malware campaign that delivers malicious Visual Basic Script files and unsigned MSI packages through seemingly innocuous chat attachments. The activity was first observed in late February 2026 and intensified during the early days of April, prompting an urgent advisory from the company’s security researchers. The attack relies on social engineering to trick recipients into opening a file that appears harmless but executes code leading to full system compromise.
The infection chain begins when a user opens a WhatsApp attachment that is actually a .vbs file. Once executed, the script copies legitimate Windows utilities such as curl.exe and bitsadmin.exe to a hidden directory and renames them to evade detection, for example naming curl.exe as netapi.dll and bitsadmin.exe as sc.exe. These renamed binaries are then used to download second‑stage payloads from trusted cloud services including AWS, Tencent Cloud and Backblaze B2, making the traffic blend in with normal cloud access patterns.
After establishing a foothold, the malware elevates its privileges to administrator level by tampering with User Account Control settings and adding registry autorun keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. It subsequently drops an unsigned MSI package that installs remote‑access tools and additional backups, ensuring persistence across reboots. The use of living‑off‑the‑land binaries and reputable cloud infrastructure helps the threat bypass many conventional network defenses.
Microsoft’s analysis indicates the campaign has been active since at least February 2026, although no specific threat actor has been publicly linked to the operation. The technique demonstrates how adversaries are increasingly abusing legitimate communication platforms and cloud storage to deliver malware while appearing benign to security tools that rely on reputation‑based filtering. This approach reduces the likelihood of detection by gateways that allow traffic to well‑known domains.
Defenders should treat unexpected WhatsApp attachments with the same scrutiny as email attachments, blocking the execution of VBS and MSI files originating from unknown contacts. Enabling controlled folder access and restricting the execution of curl and bitsadmin to approved directories can prevent the abused binaries from being misused. Monitoring for the creation of unusual file names in system folders, for system utilities running under names that do not match their embedded original file name, and for unauthorized changes to UAC or registry autorun settings will help identify the compromise early.
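The three signals in the preceding paragraph can be checked against Sysmon-style telemetry. The script below is an added example written for this article, not Microsoft's detection logic; it assumes Sysmon Event ID 1 (process creation, with the PE's OriginalFileName) and Event ID 13 (registry value set), and the hidden directory path, Run value name and UAC value names in the sample events are constructed.

```python
"""Flag renamed LOLBins, Run-key persistence and UAC changes in
constructed Sysmon-style events (example code, not the vendor's)."""
import re

# Event ID 1 carries OriginalFileName from the PE version resource; a
# mismatch against the on-disk name is the renamed-LOLBin signal.
WATCHED_ORIGINALS = {"curl.exe", "bitsadmin.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Standard UAC values under Policies\System (assumed; the article does not
# name which UAC setting the campaign tampers with).
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

def check_event(ev):
    """Return a list of finding strings for one event dict, empty if benign."""
    findings = []
    if ev.get("EventID") == 1:  # process creation
        orig = ev.get("OriginalFileName", "").lower()
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if orig in WATCHED_ORIGINALS and image != orig:
            findings.append(f"renamed LOLBin: {orig} running as {image}")
    elif ev.get("EventID") == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY.search(target):
            findings.append(f"autorun persistence: {target}")
        name = target.rsplit("\\", 1)[-1].lower()
        if "\\policies\\system\\" in target.lower() and name in UAC_VALUES:
            findings.append(f"UAC setting changed: {target} = {ev.get('Details')}")
    return findings

def scan(events):
    """Run check_event over an iterable of events and collect findings."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample events modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe"},                       # benign: names match
    {"EventID": 1, "Image": r"C:\Users\Public\.cache\netapi.dll",
     "OriginalFileName": "curl.exe"},                       # curl renamed
    {"EventID": 1, "Image": r"C:\Users\Public\.cache\sc.exe",
     "OriginalFileName": "bitsadmin.exe"},                  # bitsadmin renamed
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\.cache\sc.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The same checks translate directly to a SIEM query over the Sysmon OriginalFileName and TargetObject fields.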
Application control policies that permit only signed MSI files to run, coupled with restrictions on WScript and PowerShell unless explicitly required, add another layer of protection. Security teams should also review proxy and firewall logs for outbound connections to cloud storage buckets that are not part of normal business activity, looking for atypical user‑agent strings or irregular download patterns that may signal the retrieval of second‑stage payloads.
Keeping endpoint protection platforms up to date with the latest Microsoft Defender definitions and enabling network inspection for TLS traffic to known cloud domains can catch the malicious downloads before they execute. Finally, regular user awareness training that emphasises verifying unexpected file extensions, even inside trusted chat applications, remains a critical control to reduce the success of such social engineering tactics.