Fake Business Documents in WhatsApp Attack Lead to PC Infections

A global WhatsApp phishing campaign is using fake business documents and compromised accounts to trick users into installing remote-access malware on Windows PCs.

CSBadmin
2 Min Read

A widespread phishing campaign is targeting WhatsApp users across multiple countries with malicious files disguised as legitimate business documents. The attackers are leveraging compromised WhatsApp accounts to send heavily obfuscated VBScript (VBS) files to contacts, increasing the likelihood that recipients will trust and open the attachments. The campaign has been observed in countries including Brazil, India, Mexico, Singapore, the United Kingdom, Taiwan, Australia, and several others.

The malicious files are disguised as financial reports, invoices, billing statements, and account notifications, often using localized filenames tailored to the victim’s language. According to researchers at Kaspersky, the threat actors appear to have gained access to multiple WhatsApp accounts and are using those trusted relationships to distribute malware, although the method used to compromise the accounts remains unknown.

When a victim downloads and executes the VBS file on a Windows system, it triggers a multi-stage infection chain. The script retrieves additional payloads that disable User Account Control (UAC) protections and download a ZIP archive containing ManageEngine Endpoint Central, a legitimate IT administration tool. The software is then silently installed and configured to connect to attacker-controlled servers, effectively granting remote access to the compromised machine.
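The chain described above has three host-level signals a defender can correlate: a script host running a .vbs from a messenger download folder, a registry write touching the UAC policy value, and an installer for the remote-management agent whose parent is that script host. The following detection sketch is an added example, not code from the article or from Kaspersky; the Sysmon-like event fields (`host`, `image`, `parent_image`, `cmdline`) and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
REG_WRITERS = ("reg.exe", "powershell.exe", "pwsh.exe")
# EnableLUA under HKLM\...\Policies\System is the well-known UAC policy value; 0 disables UAC.
UAC_VALUE = re.compile(r"enablelua", re.IGNORECASE)
MESSENGER_PATH = re.compile(r"(whatsapp|\\downloads\\)", re.IGNORECASE)
# Endpoint Central is legitimate software; the signal is a script host as the installer's parent.
RMM_HINT = re.compile(r"(manageengine|endpoint ?central|uems)", re.IGNORECASE)

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the set of tags a single process-creation event triggers."""
    tags = set()
    image, parent = _base(event["image"]), _base(event["parent_image"])
    cmd = event["cmdline"]
    if image in SCRIPT_HOSTS and ".vbs" in cmd.lower() and MESSENGER_PATH.search(cmd):
        tags.add("vbs_from_messenger_download")
    if image in REG_WRITERS and UAC_VALUE.search(cmd):
        tags.add("uac_policy_tamper")
    if parent in SCRIPT_HOSTS and (image == "msiexec.exe" or RMM_HINT.search(cmd)):
        tags.add("rmm_install_from_script_host")
    return tags

def score_host(events):
    """Correlate tags per host: all three stages present -> 'high', any -> 'medium'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: ("high" if len(t) == 3 else "medium" if t else "none", t)
            for h, t in per_host.items()}

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE = [
    {"host": "pc1", "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\WhatsApp\Fatura_Dezembro.vbs"'},
    {"host": "pc1", "image": r"C:\Windows\System32\reg.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"host": "pc1", "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"msiexec /i C:\Users\ana\AppData\Local\Temp\UEMS_Agent.msi /qn"},
    # Benign deployment of the same agent pushed by the management service, not a script host.
    {"host": "pc2", "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"msiexec /i \\mgmt\share\UEMS_Agent.msi /qn"},
]
```

Because the agent itself is legitimate, the third rule keys on process ancestry rather than on the product name alone, so routine rollouts from the management server (pc2) are not flagged.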

While researchers have identified signs suggesting possible links to Chinese-speaking operators and infrastructure previously associated with ValleyRAT and Gh0st RAT activity, there is currently insufficient evidence for definitive attribution. Security experts advise WhatsApp users to exercise caution with unexpected files—even those received from trusted contacts—and to verify suspicious messages through secondary channels before opening attachments.
