New Malware Attack Via WhatsApp Attacking Windows System to Enable Remote Access For Attackers

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new and active malware campaign is spreading through WhatsApp, targeting everyday Windows users across more than a dozen countries.

The threat uses malicious script files disguised as routine financial documents, tricking people into running harmful code on their own machines.

Once opened, the file quietly sets off a chain of events that ends with attackers gaining full remote access to the victim’s system.

The campaign was first observed in June 2026 and remains active at the time of reporting. Victims have been identified in Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam.

Malaysia has been hit the hardest, accounting for roughly 80 percent of all recorded infections.

According to a Securelist report shared with Cyber Security News (CSN), the threat actor behind this campaign gained access to genuine WhatsApp accounts and used them to silently send malicious attachments to everyone in the compromised accounts’ contact lists.

Since the messages appeared to come from known contacts, recipients were far more likely to open them without suspicion.

Overview of the WhatsApp-based VBScript infection chain (Source – Securelist)

The attachments are VBScript files, a type of script that Windows runs through a built-in component called Windows Script Host as soon as the file is opened.

The files carried names like “Financial Reports.vbs,” “Debt Statement.vbs,” and “Account Statement.vbs,” along with versions written in Portuguese, French, German, and Malay.

This multi-language approach strongly suggests the campaign was designed to reach victims in several regions at once.

What makes this attack stand out is its use of legitimate software as the final payload. Rather than deploying a traditional virus or data stealer, the attacker installs a genuine remote management tool on the victim’s machine.

This allows the attacker to control the infected system just like a corporate IT team would, making detection far more difficult.

New Malware Attack Via WhatsApp Attacking Windows System

The infection begins the moment a user opens the VBScript attachment in WhatsApp Desktop or through a browser using WhatsApp Web.

WhatsApp messages containing the malicious VBScript file observed across multiple accounts (Source – Securelist)

The script launches silently through Windows Script Host and immediately begins preparing the system for further compromise.

It creates a hidden folder under the Public Documents directory using randomized names like “MSUpdate_random” to avoid attracting attention.

From there, the first script downloads two additional script files from attacker-controlled servers. The first of these tries to modify a Windows security setting known as User Account Control (UAC), which normally prompts the user before any major system change is made.

By setting this protection to zero, the attacker clears the path for the second script to install software without any prompts appearing on screen.

The second downloaded script fetches a ZIP archive containing a fully pre-configured installation package for a remote management agent.

Once extracted and executed, this package installs itself silently using Windows Installer and connects back to attacker-controlled servers. At that point, the attacker has persistent and quiet remote access to everything on the victim’s machine.
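A defender-side triage check for the three-stage chain described above, added here as an example (it is not Securelist’s or CSN’s code). The Sysmon-style event layout, the file paths and the assumption that “setting UAC to zero” corresponds to the EnableLUA registry value are illustrative choices, not details taken from the report:

```python
# Constructed sample telemetry (Sysmon-style process and registry events) for this
# example; paths, parent processes and the EnableLUA key are assumptions, not IoCs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\WindowsApps\WhatsApp.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Public\Documents\MSUpdate_4f1a\agent.msi" /qn'},
    # Benign control: an interactive MSI install from the user's own Downloads folder.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7z.msi"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
MESSENGER_PARENTS = ("whatsapp", "chrome.exe", "msedge.exe", "firefox.exe")  # Desktop app or WhatsApp Web
UAC_VALUE = r"policies\system\enablelua"

def script_from_messenger(ev):
    """Stage 1: a .vbs handed to Windows Script Host by WhatsApp Desktop or a browser."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith(SCRIPT_HOSTS)
            and any(p in ev["parent"].lower() for p in MESSENGER_PARENTS)
            and ".vbs" in ev["cmdline"].lower())

def uac_disabled_by_script(ev):
    """Stage 2: a script host writes 0 to the UAC (EnableLUA) policy value."""
    return (ev["type"] == "registry"
            and ev["key"].lower().endswith(UAC_VALUE)
            and ev["value"].strip() == "0"
            and ev["image"].lower().endswith(SCRIPT_HOSTS))

def silent_msi_from_public(ev):
    """Stage 3: msiexec runs a quiet install of a package staged under C:\\Users\\Public."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("msiexec.exe")
            and "\\users\\public\\" in cmd
            and (" /qn" in cmd or " /quiet" in cmd))

def triage(events):
    """Return the chain stages observed in a batch of events, in the order they occur."""
    hits = []
    for ev in events:
        if script_from_messenger(ev):
            hits.append("stage1: script host launched from messenger/browser")
        elif uac_disabled_by_script(ev):
            hits.append("stage2: UAC (EnableLUA) set to 0 by a script host")
        elif silent_msi_from_public(ev):
            hits.append("stage3: silent MSI install from Public directory")
    return hits
```

Each stage is a weak signal on its own (quiet MSI installs are routine for IT tooling); the value is in seeing two or more of them from the same host within a short window.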

Signs Pointing to a Chinese-Speaking Operator

Security researchers noted several details within the script files that point toward a Chinese-speaking developer.

Multiple variants of the VBScript contained comments and annotations written in simplified Chinese characters, including references to Windows Update modules and system integrity checks. These comments appeared consistently across different versions of the script.

Infrastructure overlaps also raised flags. One of the attacker-controlled server addresses had previously appeared in connection with malware families known as ValleyRAT and Gh0st RAT.

Extracted Stage 3 Endpoint Central installation ZIP package (Source – Securelist)

While this does not confirm a definitive link, researchers assess with low confidence that the campaign was likely conducted by a Chinese-speaking operator.

Users are strongly advised to avoid opening any attachments received through WhatsApp, even from known contacts, unless the file has been verified through another channel.

Endpoint Central agent installation via msiexec.exe (Source – Securelist)

File types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should never be opened without independent confirmation.

Keeping Windows security settings intact and running current endpoint protection can significantly reduce the risk of falling victim to campaigns like this one.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
