A VBScript campaign distributed through WhatsApp deploying RMM software

[harlan4096]

In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing this article, the campaign is still active.
 
Analysis shows that the campaign primarily targets users of WhatsApp Desktop and WhatsApp Web. The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment. Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim’s system.
 
Overview of the WhatsApp-based VBScript infection chain
 
We came across a number of social media posts reporting that the malware was being distributed by the users’ contacts. The messages contained only the malicious attachment and did not include any accompanying text. One account sent the same attachment to multiple contacts from their list.
 
WhatsApp messages containing the malicious VBScript file observed across multiple accounts. Source: alleged victims’ posts on social media
 
Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists. At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.

Continue Reading...