Recent reports indicate that attackers are exploiting WhatsApp messages to execute a multi-stage malware campaign that delivers malicious Microsoft Installer (MSI) packages. This tactic allows criminals to gain control over victims’ machines and access sensitive data.
Attack Methodology
The campaign reportedly began in late February 2026. It initiates with a WhatsApp message that contains malicious Visual Basic Script (VBS) files. While the exact social engineering techniques employed remain unclear, it is suspected that attackers either use compromised WhatsApp accounts of existing contacts or create a sense of urgency to prompt victims to execute the malicious files.
Malware Execution and Behavior
Upon execution, the malicious script creates hidden folders in C:\ProgramData and drops renamed copies of legitimate Windows utilities, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe. This approach, known as “living off the land,” allows attackers to blend in with normal network activity. However, the renamed binaries retain their original Portable Executable (PE) metadata, which security solutions can use to detect the mismatch between the on-disk file name and the name embedded in the binary.
Downloading Additional Payloads
The attackers utilize these renamed binaries to download secondary VBS payloads, such as auxs.vbs and 2009.vbs, from trusted cloud services like AWS and Tencent Cloud. This further complicates the detection of malicious activity, as these downloads may appear to be legitimate enterprise actions.
Final Payloads and Recommendations
The malware modifies User Account Control (UAC) settings to attempt launching cmd.exe with elevated privileges, ensuring persistence across system reboots. Ultimately, the attackers deploy various malicious MSI installers, including Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. Notably, these installers are not signed, which should alert defenders to their malicious nature.
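The detection points named above (renamed utilities whose PE metadata still carries the original file name, script hosts launching binaries from hidden folders under C:\ProgramData, and changes to UAC policy values) can be expressed as simple rules over Sysmon telemetry. The following is an added example written for this article, not code from the original report, Microsoft, or any vendor. It assumes Sysmon events flattened to Python dicts using Sysmon's own field names (EventID, Image, OriginalFileName, ParentImage, TargetObject, Details); the sample events, the folder name .svc, and the specific UAC registry values checked are constructed assumptions, since the article only says that UAC settings are modified.

```python
"""Sysmon-based detection rules for the behaviour described in the article.

Added example, not code from the report. Input events are dicts keyed by
Sysmon field names; Event ID 1 is process creation, Event ID 13 is a
registry value set.
"""
import ntpath

# Staging location named in the article (hidden folders under C:\ProgramData).
STAGING_ROOT = r"c:\programdata"

# Script hosts that run the VBS stages of the campaign.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# UAC policy key. The value names are an assumption: the article only says
# that UAC settings are modified, these are the commonly tampered values.
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path or "").lower()


def rule_masquerade(ev):
    """Event ID 1: on-disk name differs from the PE OriginalFileName.

    Renaming curl.exe to netapi.dll leaves the version resource untouched,
    so Sysmon still reports OriginalFileName=curl.exe.
    """
    if ev.get("EventID") != 1:
        return None
    orig = (ev.get("OriginalFileName") or "-").lower()
    if orig == "-":  # Sysmon writes '-' when the binary has no version resource
        return None
    image = ev.get("Image", "")
    if _base(image) != orig:
        return f"renamed binary: {image} is really {orig}"
    return None


def rule_staged_by_script(ev):
    """Event ID 1: a script host starts a process from under C:\\ProgramData."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    parent = _base(ev.get("ParentImage"))
    if image.lower().startswith(STAGING_ROOT + "\\") and parent in SCRIPT_HOSTS:
        return f"script host {parent} launched {image}"
    return None


def rule_uac_tamper(ev):
    """Event ID 13: a UAC value under the System policy key is written."""
    if ev.get("EventID") != 13:
        return None
    key, _, value = (ev.get("TargetObject") or "").lower().rpartition("\\")
    if key == UAC_KEY and value in UAC_VALUES:
        return f"UAC policy change: {value} -> {ev.get('Details')}"
    return None


RULES = (rule_masquerade, rule_staged_by_script, rule_uac_tamper)


def scan(events):
    """Apply every rule to every event and return the list of findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two benign launches of the real utilities,
# two renamed copies launched by wscript.exe from a hidden folder, and one
# registry write to a UAC policy value.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\.svc\netapi.dll",
     "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\.svc\sc.exe",
     "OriginalFileName": "bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "OriginalFileName": "sc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The benign events produce no findings; each renamed binary trips both the masquerade rule and the staging-folder rule, and the registry write trips the UAC rule, for five findings in total. In production the masquerade rule should be paired with an allow-list, since some legitimately installed software ships binaries whose OriginalFileName differs from the installed name.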
Microsoft has recommended that users employ their security products to mitigate these risks. Additionally, a vendor-neutral suggestion emphasizes the importance of training employees to recognize suspicious WhatsApp attachments and unexpected messages, highlighting that even familiar platforms can be exploited for malware delivery.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.