WhatsApp Malware Campaign Used VBS Files and Unsigned MSI Backdoors
Microsoft reported a multi-stage malware campaign that used WhatsApp messages to trick targets into opening malicious Visual Basic Script (.vbs) files. The activity, observed from late February 2026, relied on social engineering and trusted cloud infrastructure including AWS S3, Tencent Cloud, and Backblaze B2 to host follow-on payloads. After execution, the malware created hidden folders under ProgramData, downloaded additional VBS components, and used renamed legitimate Windows utilities to blend into normal system activity.
The intrusion chain then attempted UAC bypass, registry changes for persistence, and deployment of unsigned MSI installers including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi, which provided remote access and backdoor capability on compromised systems. Microsoft said the attackers abused living-off-the-land techniques such as renaming curl.exe and bitsadmin.exe while leaving original PE metadata intact, giving defenders a detection opportunity; the company also linked the activity to command-and-control domains neescil.top and velthora.top and published indicators, file hashes, and hunting guidance for defenders.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
UK NCSC warns of state-backed targeting via WhatsApp and Signal
The UK National Cyber Security Centre issued an advisory warning that state-backed actors, including Russia-linked operators, are increasingly targeting high-risk individuals through WhatsApp and Signal using impersonation, phishing links, malicious QR codes, account-linking abuse, and theft of login or recovery codes. The advisory referenced prior activity associated with APT31 and Star Blizzard and recommended protections such as two-step verification, Signal Registration Lock, passkeys, and device security updates.
Microsoft publishes technical analysis and detection guidance
On March 31, 2026, Microsoft disclosed the campaign publicly and released indicators, file hashes, command-and-control domains including neescil.top and velthora.top, and hunting guidance highlighting retained PE metadata in renamed binaries as a detection opportunity.
Attackers deploy multi-stage MSI backdoor infection chain
After victims executed the VBS files, the malware created hidden ProgramData folders, used renamed legitimate Windows utilities, fetched additional payloads from cloud services including AWS S3, Tencent Cloud, and Backblaze B2, attempted UAC bypass and registry-based persistence, and installed unsigned MSI packages such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi.
WhatsApp malware campaign begins delivering malicious VBS files
Microsoft Defender Experts observed a malware campaign beginning in late February 2026 in which attackers used WhatsApp messages and social engineering to send malicious Visual Basic Script files to victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Alert: WhatsApp Phishing Campaign Delivers Malware
blog.knowbe4.com
Open sourceMicrosoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging apps | IT Pro
itpro.com
Open sourceMicrosoft Warns of WhatsApp Attachments Spreading Backdoor on Windows PCs
hackread.com
Open sourceNew WhatsApp Attack Chain Uses VBS Scripts, Cloud Downloads, and MSI Backdoors
cybersecuritynews.com
Open sourceCampaign combines WhatsApp with legit cloud platforms to deliver malicious VBS files | news | SC Media
scworld.com
Open sourceMicrosoft: Hackers Are Using WhatsApp to Deliver Malware to Windows PCs
techrepublic.com
Open sourceDon't open that WhatsApp message, Microsoft warns • The Register
go.theregister.com
Open sourceWhatsApp malware campaign delivers VBS payloads and MSI backdoors | Microsoft Security Blog
microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious VBScript Sent via WhatsApp Installs ManageEngine RMM Agent
Researchers reported an active campaign in which compromised WhatsApp accounts sent malicious `.vbs` attachments to targets in multiple countries, with most observed infections in Malaysia. The lures impersonated business, banking, tax, and debt-related documents and primarily targeted users of WhatsApp Desktop and WhatsApp Web. When opened, the VBScript launched through Windows Script Host, created hidden working directories, and fetched additional payloads from attacker-controlled infrastructure while using obfuscation and renamed native tools such as `curl.exe` and `bitsadmin.exe` to reduce detection. A second-stage script attempted to weaken Windows User Account Control by changing `ConsentPromptBehaviorAdmin`, then downloaded a ZIP archive containing a preconfigured ManageEngine Endpoint Central deployment package. The final stage silently installed the legitimate ManageEngine Endpoint Central agent via `msiexec.exe`, giving the attacker remote administration access to the compromised system. Attribution remains unconfirmed, but researchers noted simplified Chinese comments in the scripts and infrastructure overlap with IP addresses previously associated with ValleyRAT and Gh0st RAT activity, indicating with low confidence that a Chinese-speaking operator may be behind the campaign.
Jun 23, 2026
Windows Malware Campaigns Abusing Trusted Tools and Cloud Hosting for Stealthy Execution
Multiple Windows-focused malware campaigns were reported leveraging *trusted distribution and execution paths* rather than exploiting software vulnerabilities. One campaign attributed to **Larva-25012** disguised proxyware as legitimate *Notepad++* installers distributed via fake cracked-software portals and deceptive ads, primarily impacting South Korea. The payloads were hosted on GitHub and delivered as MSI/ZIP packages containing legitimate components plus malicious DLLs, using **DLL side-loading** and process injection into **Windows Explorer** to deploy proxyware (e.g., **Infatica** and **DigitalPulse**) for **proxyjacking**—monetizing victims’ internet bandwidth by reselling access through their networks. A separate multi-stage Windows malware operation used business-themed lures and weaponized archives containing **LNK** shortcuts to run hidden **PowerShell** with execution-policy bypass, pulling an obfuscated loader from GitHub and using legitimate services (e.g., **Dropbox**) to blend into normal traffic. Fortinet-reported tradecraft included persistence, decoy document generation, and beaconing via the **Telegram Bot API**, followed by defense evasion through abuse of **Defendnot** to disable Microsoft Defender before dropping follow-on payloads such as ransomware, banking trojans, and surveillance tooling. Additional reporting highlighted a broader trend of attackers abusing legitimate infrastructure and admin tooling (including **RMM** software after credential theft) to establish persistent access, while generic “common threats” content provided no incident-specific intelligence.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026