New WhatsApp Attack Chain Uses VBS Scripts, Cloud Downloads, and MSI Backdoors

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new malware campaign is actively using WhatsApp to deliver harmful files directly to Windows users, exploiting the widespread trust placed in everyday messaging apps.

The threat actors send malicious Visual Basic Script (VBS) files through WhatsApp messages, knowing that users rarely question attachments from familiar platforms.

Once a recipient runs one of these files, a silent infection process takes hold in the background, with no visible warning to alert the user.

This campaign stands out because of how cleverly it hides within a normal operating environment. The attackers use “living-off-the-land” techniques — a method where threat actors rely on tools that Windows already has, instead of bringing in unfamiliar programs.

Legitimate utilities like curl.exe and bitsadmin.exe are renamed to look like standard system files, then planted inside hidden folders in C:\ProgramData.

Secondary payloads are then fetched from trusted cloud services such as AWS S3, Tencent Cloud, and Backblaze B2, making the malicious downloads appear as routine system traffic.

The Microsoft Defender Security Research Team first identified this campaign in late February 2026.

Researchers noted that the operation combines social engineering with stealth-based infection techniques, working through multiple stages to install malicious MSI packages, maintain persistence across system reboots, and open remote access channels that give attackers full, ongoing control over any machine they successfully compromise.

The campaign ultimately delivers a set of unsigned MSI installer packages, including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi.

The absence of a valid code-signing certificate on all four files is a clear warning sign, since legitimate enterprise software typically carries a trusted publisher signature.

Infection chain illustrating the execution flow of a VBS-based malware campaign (Source – Microsoft)

Once these installers run, they establish persistent remote access, giving attackers the ability to steal data, deploy additional malware, or use the compromised system as part of a broader attack operation.

How the Attack Unfolds: From VBS to Full System Compromise

The attack begins when a user executes the malicious VBS file received through WhatsApp. The script immediately creates hidden folders inside C:\ProgramData and drops renamed versions of legitimate Windows tools: curl.exe becomes netapi.dll, and bitsadmin.exe is disguised as sc.exe.

Despite the name changes, both files still carry their original PE metadata, specifically the OriginalFileName field. This mismatch between the visible name and the embedded metadata is a detectable signal that security tools can use to flag the threat.
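The metadata mismatch described above is easy to check for at scale. The following PowerShell function is an added example (not Microsoft's tooling and not code from the original article): it sweeps a directory, including the hidden folders this dropper creates, reads each PE file's embedded OriginalFilename from its version resource, and reports every file whose on-disk name differs from it. The default path and the watch list of tool names are assumptions taken from the campaign description; the watch list can be extended with other commonly abused utilities.

```powershell
# Added example: flag PE files whose embedded OriginalFilename does not match the
# name they carry on disk. In the campaign above, curl.exe was dropped as
# netapi.dll and bitsadmin.exe as sc.exe under C:\ProgramData, but the version
# resource of each still names the real tool.

function Find-RenamedUtility {
    [CmdletBinding()]
    param(
        # Directory to sweep; C:\ProgramData is where this campaign stages its tools (assumption).
        [string]$Path = 'C:\ProgramData',
        # Original names whose reappearance under a different file name is the strongest signal.
        [string[]]$WatchList = @('curl.exe', 'bitsadmin.exe')
    )

    # -Force includes hidden files and folders, which the dropper creates on purpose.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.exe', '.dll', '.scr') } |
        ForEach-Object {
            $info     = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $original = $info.OriginalFilename
            # Files with no version resource carry no OriginalFilename; nothing to compare.
            if ([string]::IsNullOrWhiteSpace($original)) { return }

            $mismatch = -not [string]::Equals($original, $_.Name, 'OrdinalIgnoreCase')
            if (-not $mismatch) { return }

            [pscustomobject]@{
                Path             = $_.FullName
                OnDiskName       = $_.Name
                OriginalFilename = $original
                # True when a watched tool is hiding under another name (curl.exe as netapi.dll, etc.).
                Watched          = ($WatchList -contains $original)
                Hidden           = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: watched hits first, since those are the ones that match this campaign's tradecraft.
Find-RenamedUtility | Sort-Object Watched -Descending | Format-Table -AutoSize
```

Expect some benign mismatches (renamed installers, third-party components whose version resource names a different build artifact), so triage by the `Watched` column first and use the hash to pivot into EDR telemetry. The same comparison can be run as a scheduled hunt or folded into an EDR custom detection on process creation, where the OriginalFileName field is already available.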

Next-stage payload retrieval mechanism (Source – Microsoft)

Those renamed tools then download secondary VBS payloads from cloud-hosted attacker infrastructure, including files named auxs.vbs and WinUpdate_KB5034231.vbs.

Hosting these files on well-known platforms like AWS S3 and Backblaze B2 is a deliberate move, as corporate firewalls rarely block traffic to these services.

The file names are also crafted to resemble legitimate Windows update packages, reducing the chance that anyone will notice the downloads or question their origin.

Once the secondary scripts land on the system, the malware begins tampering with User Account Control (UAC) settings.

It continuously attempts to run cmd.exe with elevated privileges, modifying registry entries under HKLM\Software\Microsoft\Win until administrative rights are secured.

With those rights in hand, it suppresses security prompts entirely, ensuring that the final MSI installers run without triggering any alerts or interruptions that might tip off the user or an IT administrator.

Illustration of UAC bypass attempts employed by the malware (Source – Microsoft)

Microsoft recommends that organizations block script hosts such as wscript and cscript from running in untrusted paths, and monitor for renamed Windows utilities executing with uncommon command-line flags.

Security teams should inspect and filter traffic to cloud platforms like AWS S3, Tencent Cloud, and Backblaze B2, since attackers rely on these services to deliver secondary payloads undetected.

Registry changes under HKLM\Software\Microsoft\Win must be tracked in real time, and any repeated UAC tampering should be flagged as an active indicator of compromise.

Enabling EDR in block mode stops malicious artifacts even if the primary antivirus solution misses them, while turning on tamper protection prevents attackers from disabling security services post-compromise.

Configuring attack surface reduction rules to block VBScript from launching downloaded executables adds a further critical layer.

Training end users to question unexpected WhatsApp attachments — even from known contacts — remains one of the most direct ways to stop this attack before it begins.
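The UAC tampering described earlier and the Defender controls listed in the recommendations above can be audited from one place. The PowerShell below is an added example, not Microsoft's guidance or code from the article: it reads the UAC policy values an attacker must weaken to elevate silently, then queries Microsoft Defender for the state of the attack surface reduction rule that blocks VBScript from launching downloaded executable content, tamper protection, and the engine's running mode. It assumes the article's truncated HKLM\Software\Microsoft\Win path refers to the standard UAC policy key under Windows\CurrentVersion\Policies\System; the rule GUID is the documented Microsoft rule ID. Run it from an elevated prompt.

```powershell
# Added example: audit the host settings this campaign relies on being weak.

# Documented Microsoft ID of the ASR rule
# "Block JavaScript or VBScript from launching downloaded executable content".
$AsrBlockScriptDownloads = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Test-UacPolicy {
    # Standard UAC policy key (assumed to be the key the article's truncated path refers to).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction Stop

    # Healthy values: EnableLUA = 1 (UAC on), ConsentPromptBehaviorAdmin != 0
    # (0 means elevate without prompting), PromptOnSecureDesktop = 1.
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        Tampered                   = ([int]$p.EnableLUA -ne 1) -or
                                     ([int]$p.ConsentPromptBehaviorAdmin -eq 0) -or
                                     ([int]$p.PromptOnSecureDesktop -ne 1)
    }
}

function Test-DefenderHardening {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # ASR rules are exposed as two parallel arrays: rule IDs and their action codes.
    $ids      = @($pref.AttackSurfaceReductionRules_Ids)
    $actions  = @($pref.AttackSurfaceReductionRules_Actions)
    $asrState = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrBlockScriptDownloads) {
            # Action codes: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
            $asrState = switch ([int]$actions[$i]) {
                0 { 'Off' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
            }
        }
    }

    [pscustomobject]@{
        AsrBlockVbsDownloads = $asrState
        TamperProtection     = [bool]$status.IsTamperProtected
        # 'EDR Block Mode' means Defender remediates even when another AV is primary.
        RunningMode          = $status.AMRunningMode
        RealTimeProtection   = [bool]$status.RealTimeProtectionEnabled
    }
}

function Enable-AsrBlockVbsDownloads {
    # Switch the rule to Block. Use -AttackSurfaceReductionRules_Actions AuditMode first
    # where the impact on legitimate scripts has not been measured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockScriptDownloads `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Usage: a Tampered = True UAC result on a host that also shows the rule Off and
# tamper protection disabled matches the pre-conditions this chain needs.
Test-UacPolicy
Test-DefenderHardening
```

EDR in block mode and tamper protection are turned on centrally (Defender portal or Intune) rather than by this script, so the functions only report their state; only the ASR rule is changed locally, and only when Enable-AsrBlockVbsDownloads is called explicitly.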
