
Microsoft Warns of WhatsApp-Delivered VBS Malware with Windows UAC Bypass Vulnerability

  • Apr 2

Key Findings


  • New malware campaign since late February 2026 distributes malicious VBS files through WhatsApp messages

  • Attack chain uses renamed Windows utilities and legitimate cloud services to evade detection

  • Malware exploits UAC bypass techniques to gain elevated privileges and install remote access tools like AnyDesk

  • Campaign combines social engineering, living-off-the-land tactics, and registry manipulation for persistence


Background


Microsoft's Defender Security Research Team has identified a coordinated campaign leveraging WhatsApp as a delivery mechanism for malicious Visual Basic Script files. The operation represents a shift in tactics by incorporating trusted messaging platforms and cloud infrastructure to distribute malware while maintaining a low profile in network activity. The threat actors have effectively weaponized legitimate tools and services to increase their chances of successful infection.


Attack Delivery and Initial Compromise


The campaign begins when users receive WhatsApp messages containing malicious VBS files. While the specific social engineering lures remain unknown, victims who execute these scripts trigger the infection chain. Upon execution, the malware creates hidden folders within C:\ProgramData and deploys renamed versions of standard Windows utilities including curl.exe masquerading as netapi.dll and bitsadmin.exe disguised as sc.exe.


Payload Distribution and Privilege Escalation


The malware downloads secondary VBS payloads hosted on trusted cloud platforms including AWS S3, Tencent Cloud, and Backblaze B2. Using the renamed binaries, attackers retrieve these auxiliary files while blending into normal network traffic. The attackers then target the system's User Account Control settings, continuously attempting to launch cmd.exe with elevated privileges through registry manipulation under HKLM\Software\Microsoft\Win until successful elevation is achieved.
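The renamed utilities (curl.exe as netapi.dll, bitsadmin.exe as sc.exe) staged under C:\ProgramData give defenders a concrete detection hook: the on-disk name no longer matches the OriginalFileName stored in the PE version resource, which Sysmon records on process creation. The following Python is an added example, not code from Microsoft's report or the original post; the sample records, the `.cache` folder name and the wscript.exe parent are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records flattened to
# "Field: value" pairs. Not real telemetry from the campaign; the hidden
# ".cache" folder and the wscript.exe parent are assumptions.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\curl.exe | OriginalFileName: curl.exe"
    " | ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\ProgramData\\.cache\\netapi.dll | OriginalFileName: curl.exe"
    " | ParentImage: C:\\Windows\\System32\\wscript.exe",
    "Image: C:\\ProgramData\\.cache\\sc.exe | OriginalFileName: bitsadmin.exe"
    " | ParentImage: C:\\Windows\\System32\\wscript.exe",
    "Image: C:\\Windows\\System32\\sc.exe | OriginalFileName: sc.exe"
    " | ParentImage: C:\\Windows\\System32\\services.exe",
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_event(line):
    """Split a flattened record into a field dict."""
    fields = {}
    for chunk in line.split(" | "):
        key, _, value = chunk.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the reasons a process-creation event looks like this chain."""
    reasons = []
    image = PureWindowsPath(event.get("Image", ""))
    original = event.get("OriginalFileName", "")
    # A renamed living-off-the-land binary keeps its compiled-in name.
    if original and image.name.lower() != original.lower():
        reasons.append(f"renamed binary: {image.name} is really {original}")
    # Windows utilities launched from ProgramData instead of System32.
    if "programdata" in (p.lower() for p in image.parts):
        reasons.append("executed from ProgramData")
    # A script host parent matches the VBS-driven delivery.
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in SCRIPT_HOSTS:
        reasons.append("spawned by a script host")
    return reasons


def find_suspicious(lines):
    """Return (Image, reasons) for every record that trips a check."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits
```

The name mismatch alone is a strong signal on its own; the location and parent checks only raise confidence and help triage the alert.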


Persistence and Remote Access


Once elevated privileges are obtained, the malware deploys unsigned MSI installer packages that establish long-term control. This includes installation of legitimate remote access tools like AnyDesk, granting attackers persistent connectivity to victim systems. The persistence mechanisms ensure the infection survives system reboots, allowing for data exfiltration and deployment of additional malware as needed.


Sources


  • https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html

  • https://x.com/CyberSysblue/status/2039417978777674190

© 2025 by Explain IT Again. Powered and secured by Wix
