New Windows Malware Spreads Via WhatsApp, Grants Remote Access
Key Takeaways
- A novel malware campaign is actively exploiting WhatsApp to deliver remote access capabilities to Windows systems.
- The attack propagates through malicious VBScript files disguised as financial documents, sent via compromised WhatsApp accounts.
- Victims have been identified in over a dozen countries, with Malaysia experiencing approximately 80% of reported infections.
- The malware installs legitimate remote management software, making detection more challenging for standard security tools.
- Indicators suggest a Chinese-speaking threat actor is behind the campaign.
A sophisticated and ongoing malware campaign is leveraging WhatsApp to compromise Windows users across at least 12 countries, granting attackers unauthorized remote access to their systems. Cyber intelligence firm Resecurity recently published an in-depth report detailing the intricate mechanisms and global reach of this operation.
The attack employs social engineering tactics, utilizing malicious script files that mimic common financial documents. These files trick unsuspecting users into executing harmful code on their machines, initiating a covert infection chain.
Upon execution, the disguised script silently triggers a sequence of actions culminating in the attackers establishing full remote control over the victim’s computer.
First detected in June 2026, this campaign remains active. Resecurity’s analysis identified victims in diverse regions, including Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. Notably, Malaysia has borne the brunt of the attacks, accounting for an estimated 80% of all recorded infections, as highlighted in a comprehensive analysis by Securelist.
According to the Securelist report shared with Cyber Security News (CSN), the threat actors gained control of legitimate WhatsApp accounts. They then exploited these compromised accounts to discreetly send malicious attachments to all contacts within the respective address books.
This method significantly increases the likelihood of successful compromise, as recipients are far more prone to open attachments from trusted, known contacts without suspicion.
Infection Chain Details
The malicious attachments are VBScript files, a type of script natively executable by Windows via the built-in Windows Script Host. These files are cleverly named to appear innocuous, such as “Financial Reports.vbs,” “Debt Statement.vbs,” and “Account Statement.vbs.” The campaign’s global targeting is further evidenced by the availability of these malicious files in multiple languages, including Portuguese, French, German, and Malay.
A distinguishing characteristic of this attack is its final payload: the installation of legitimate remote management software rather than conventional malware such as a trojan or an information stealer. Because the agent is genuine, signed software that real IT departments deploy, signature-based antivirus has no reason to flag it; the attackers end up with the same level of access as an IT support team, and detection has to rely on context, such as how the agent arrived on the machine and which server it reports to, rather than on the binary itself.
The infection process begins when a user opens the VBScript attachment, whether from the WhatsApp Desktop application or from WhatsApp Web in a browser. The script runs silently under Windows Script Host and immediately prepares the system for the later stages. It creates a hidden folder under the Public Documents directory with a name such as “MSUpdate_” followed by a random suffix, so that the staging location does not stand out.
Next, the initial script downloads two additional scripts from attacker-controlled servers. The first attempts to modify the User Account Control (UAC) settings that normally prompt the user before significant system changes. Changing those settings requires administrative rights, so this stage depends on the victim already running as an administrator (the default for accounts created during a home Windows setup); where it succeeds, the second script can install software without any prompt or on-screen notification.
The second script retrieves a ZIP archive containing a fully pre-configured installation package for the remote management agent (ManageEngine UEMS, according to the indicators listed below). Once extracted, the package is installed silently through Windows Installer, i.e. an MSI package run without a user interface. After installation the agent establishes a persistent connection to the attacker’s command-and-control servers, giving them covert, ongoing remote access to the victim’s machine.
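The three stages above each leave a distinct trace in endpoint telemetry: a script host started by WhatsApp or a browser, a script host writing UAC policy values, and a silent msiexec run on a package under Public Documents. The following is an added example of detection logic over such telemetry; it is not code from the article or from the researchers, the event records are constructed to resemble Sysmon-style process-creation (ID 1) and registry-set (ID 13) events, and the field names (`image`, `parent_image`, `cmdline`, `target`, `details`) are assumptions about the log schema.

```python
"""Detect the WhatsApp VBScript -> UAC tamper -> silent MSI chain in endpoint telemetry.

Added example (not from the original article or the researchers).
SAMPLE_EVENTS is constructed test data, not real logs; field names are assumed.
"""
import ntpath
import re

# Constructed sample telemetry: one dict per event, Sysmon-like shape (assumed schema).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WhatsApp.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\Public\Documents\MSUpdate_7f3a\agent.msi" /qn'},
    # Benign control: a logon script run by userinit from the domain NETLOGON share.
    {"id": 1, "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"cscript.exe \\corp\netlogon\map_drives.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# WhatsApp Desktop, or WhatsApp Web inside a browser.
DELIVERY_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
TAMPER_IMAGES = SCRIPT_HOSTS | {"powershell.exe", "cmd.exe", "reg.exe"}
# Values under HKLM\...\Policies\System that control UAC prompting.
UAC_POLICY_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)
QUIET_SWITCH = re.compile(r"(?:^|\s)/(?:qn|qb|q|quiet)\b", re.I)
PUBLIC_DOCS = re.compile(r"\\users\\public\\documents\\", re.I)


def _name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def rule_script_host_from_delivery_app(ev):
    """Stage 1: wscript/cscript opening a script file directly from WhatsApp or a browser."""
    return (ev["id"] == 1
            and _name(ev["image"]) in SCRIPT_HOSTS
            and _name(ev["parent_image"]) in DELIVERY_PARENTS
            and SCRIPT_ARG.search(ev["cmdline"]) is not None)


def rule_uac_policy_tamper(ev):
    """Stage 2: a script or shell writing one of the UAC policy values."""
    if ev["id"] != 13 or _name(ev["image"]) not in TAMPER_IMAGES:
        return False
    key, _, value = ev["target"].rpartition("\\")
    return key.lower().endswith(r"\policies\system") and value.lower() in UAC_POLICY_VALUES


def rule_quiet_msi_from_public_docs(ev):
    """Stage 3: msiexec run silently by a script host on a package staged under Public Documents."""
    return (ev["id"] == 1
            and _name(ev["image"]) == "msiexec.exe"
            and _name(ev["parent_image"]) in SCRIPT_HOSTS
            and QUIET_SWITCH.search(ev["cmdline"]) is not None
            and PUBLIC_DOCS.search(ev["cmdline"]) is not None)


RULES = [
    ("script_host_from_delivery_app", rule_script_host_from_delivery_app),
    ("uac_policy_tamper_by_script", rule_uac_policy_tamper),
    ("quiet_msi_from_public_documents", rule_quiet_msi_from_public_docs),
]


def detect(events):
    """Return one finding per (event, rule) pair that fires, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                findings.append({"index": idx, "rule": name, "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event {f['index']}: {f['image']}")
```

Each rule on its own has benign matches (administrators do run VBS logon scripts, and software deployment tools do call msiexec quietly); what makes the chain worth alerting on is the parent/child relationship and the staging path, which is why the rules key on the script host's parent and on the Public Documents location rather than on the file names, which the campaign varies freely.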
Signs Pointing to a Chinese-Speaking Operator
Security researchers have identified several clues within the script files that suggest the involvement of a Chinese-speaking developer. Multiple variants of the VBScript contained comments and annotations written in simplified Chinese characters. These comments included references to Windows Update modules and system integrity checks, appearing consistently across various script versions.
Furthermore, an analysis of the attacker’s infrastructure revealed overlaps with previously documented malware families. One of the IP addresses used by the attacker-controlled servers had been associated with the ValleyRAT and Gh0st RAT malware in prior campaigns. While this correlation does not definitively confirm attribution, researchers assess with low confidence that the campaign is likely orchestrated by a Chinese-speaking operator.
What You Should Do
- Exercise Extreme Caution with Attachments: Never open attachments received via WhatsApp, even from known contacts, unless you have independently verified the file’s legitimacy through another communication channel (e.g., a phone call or email).
- Beware of Executable File Types: Be particularly suspicious of VBS, VBE, JS, JSE, WSF, EXE, BAT, CMD, and PS1 files. These should never be opened without explicit, independent confirmation. On machines that do not need scripting, Windows Script Host can be disabled outright by setting the DWORD value `Enabled` to 0 under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`, after which double-clicking a .vbs file produces an error instead of running it; Microsoft has also deprecated VBScript and, as of Windows 11 24H2, ships it as a removable feature on demand.
- Maintain User Account Control (UAC): Keep your Windows User Account Control (UAC) settings at their default level or higher (“Always notify”). UAC provides a prompt before unauthorized system changes. A script can only change these settings if it is already running with administrative rights, so doing day-to-day work from a standard (non-administrator) account blocks this stage of the attack outright.
- Keep Endpoint Protection Updated: Regularly update and run comprehensive endpoint detection and response (EDR) or antivirus software. Ensure real-time protection is enabled.
- Educate Yourself and Others: Stay informed about common social engineering tactics and phishing attempts. Share this knowledge with colleagues, friends, and family who use WhatsApp.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| IP Address | 202.61.160[.]208 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]202 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]201 | Attacker-controlled ManageEngine UEMS server (previously linked to ValleyRAT/Gh0st RAT) |
| IP Address | 202.61.160[.]160 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]137 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 38.55.151[.]63 | Attacker-controlled ManageEngine UEMS server |
| Domain | temu.baskwms[.]top | Malware distribution domain |
| Domain | invoice.msopsa[.]top | Malware distribution domain |
| Domain | baoxis[.]cc | Malware distribution domain |
| Domain | sdcwww.oss-ap-southeast-1.aliyuncs[.]com | Payload hosting (Alibaba Cloud) |
| Domain | baoyuw2s.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | sjdkjj23.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | xijkwm2.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | yifubafu.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| File Hash (MD5) | c7f38cbb99c8b74fa0465293feeba700 | Financial Reports.vbs |
| File Hash (MD5) | b7cd06c71465038b658a6dc1f273a507 | Debt confirmation.vbs |
| File Hash (MD5) | 9f13c7b8ba391b2f597874e54d310648 | Electronic statement(A).vbs |
| File Hash (MD5) | 993f4c0cadbc769a4b0ed62a918db58d | Financial Reports(s).vbs / FinancialReportsS.vbs |
| File Hash (MD5) | 7f81c1bc8cfd588e8998968e2621456e | Outstanding Payment List.vbs |
| File Hash (MD5) | 7403cbcc5a9c32384d431856dc48fcc9 | Statement of debt (4).vbs |
| File Hash (MD5) | 68c16c46f8afb9e00bbaba0207fb0a46 | Debt Note (2).vbs |
| File Hash (MD5) | 66442f2457eca8f47385b1fb2c6fcab8 | Statement of Debt(30K).vbs |
| File Hash (MD5) | 6359e6236471cbe434d0ef4c42b7f879 | Applicationform1.vbs |
| File Hash (MD5) | 5b6bbcc06cf08cc99e1afeda486d42fb | Extrato de Conciliação.vbs |
| File Hash (MD5) | 5002eca748205d544618e3bd2dedc223 | Statement of Debt(29K).vbs |
| File Hash (MD5) | 4f0593e8e0e8fac49429e9b45ebf7fa1 | Outstanding Payment List.vbs |
| File Hash (MD5) | 4044e4b6471c9de7b0a4ba37d9d9df9a | billing statement (2).vbs |
| File Hash (MD5) | 20209b3a32769afc6a75694b8d8839dd | Statement of Debt(A).vbs |
| File Hash (MD5) | 0ba93109757776a44de9d8c88baa4963 | Financial Reports(C1).vbs |
| File Hash (MD5) | 02bb20455cc592a69c080abac770ce90 | Le formulaire de demande le plus récent.vbs |
| File Hash (MD5) | 6c39900d77dcba158e1d27c7619cb06d | Outstanding Balance Sheet(A).vbs |
| File Hash (MD5) | dad708e050632a4280cabf98ac1376b7 | Outstanding Balance Sheet.vbs |
| File Hash (MD5) | 05d188f071d097f5b6bd8138749b4b14 | Penyata bank.vbs |
| File Hash (MD5) | 2c6f05f1f309d89b2236e6c8b59c88f9 | Account Statement (13K) (2).vbs |
| File Hash (MD5) | 3b1aba44dd3d9b6339b6f56e2f42034b | Statement of Account.txt |
| File Hash (MD5) | d43fdaa1f0ee09d7e5f0f94ee9df7b6c | Bitte füllen Sie das Formular…aus.vbs |
| File Hash (MD5) | df4fa0369eaca5cec348be293890d4af | Account Statement.vbs |
| File Hash (MD5) | 63ac85195b73753333316a889cf5880f | Statement of Account(O).vbs |
| File Hash (MD5) | 74fd9f91fc93b6288b4fc253ea5b3e20 | Sila semak bil anda.vbs |
| File Hash (MD5) | d06333c360b51456f427e616c3c5f8bd | Sila semak bil anda.vbs (variant) |
| File Hash (MD5) | 1d94fbe9cab21278cc3f104bea334d08 | Promissory_Note(b).vbs |
| File Hash (MD5) | 9d9ac85765e4a818a3ccabe2cf4fef82 | Debt Statement.vbs |
| File Hash (MD5) | 6fb6a55424adfb61e31f06aef33273e5 | dfjieya.vbs |
| File Hash (MD5) | f90ed4b2d0b67114aa89ddfed658e5c0 | dfjieya.vbs (variant) |
| File Hash (MD5) | 8c3322009b8982663c0cbecd9492e7eb | 0lf.vbs |
| File Hash (MD5) | 66705384a7ad81d14c34fc6c054a0ecf | iowepv.vbs |
| File Hash (MD5) | 8c6d9fc389ad3f20ccbc71d77eb39bfa | btksfmsi.vbs |
| File Hash (MD5) | 1a3cc75466ffb1971482f7abf7aabc3f | home3.vbs |
| File Hash (MD5) | 1c47c63e5ed25060d95359c57c77b107 | zipats.vbs |
| File Hash (MD5) | 31037a42ca048e06e69a78f55bc2eff5 | 1122.vbs |
| File Hash (MD5) | 7f16449cd0c4862d1eadf8a5742bf09a | payload_1.vbs |
| File Hash (MD5) | 79ecd61b09b0f2d54b34586c916c4ec9 | sac8.vbs |
| File Hash (MD5) | 7849061c536a3efb05a56d504694e7e7 | 6oy.vbs |
| File Hash (MD5) | ddaffe9849f7f3c79f8804adb9a6b3d5 | kof.vbs |
| File Hash (MD5) | d01cad98dd0d01b75e04e784953c5e2b | sleestak_payload_1.vbs |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
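The note above leaves the practical step to the reader: the indicators have to be refanged before they can be matched against DNS, proxy or firewall logs, and domain indicators should match subdomains of the listed name but not unrelated names that merely end in the same characters. The following is an added example of that workflow, not code from the article or the researchers; the indicator values are taken from the table above, while the log lines are constructed for illustration and do not describe any real traffic.

```python
"""Refang the defanged indicators from the IoC table and match them against log lines.

Added example (not from the original article or the researchers).
DEFANGED_IOCS copies a subset of the table above; SAMPLE_LOGS is constructed data.
"""
import ipaddress
import re

# Subset of the indicators listed on this page, in the defanged form they appear there.
DEFANGED_IOCS = {
    "202.61.160[.]201": "ManageEngine UEMS server (ValleyRAT/Gh0st RAT overlap)",
    "38.55.151[.]63": "ManageEngine UEMS server",
    "temu.baskwms[.]top": "malware distribution domain",
    "baoxis[.]cc": "malware distribution domain",
    "baoyuw2s.s3.ap-southeast-1.amazonaws[.]com": "payload hosting (AWS S3)",
}

# Constructed log lines (not real traffic); one benign and one near-miss included on purpose.
SAMPLE_LOGS = [
    "09:12:03 dns client=10.0.0.21 query=temu.baskwms.top type=A",
    "09:12:05 proxy client=10.0.0.21 GET https://baoyuw2s.s3.ap-southeast-1.amazonaws.com/agent.zip status=200",
    "09:12:40 fw client=10.0.0.21 dst=202.61.160.201 action=allow",
    "09:13:00 dns client=10.0.0.22 query=www.example.com type=A",
    "09:13:30 dns client=10.0.0.23 query=notbaoxis.cc type=A",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator):
    """Turn the common defanging conventions back into a resolvable form."""
    s = indicator.strip()
    for broken in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(broken, ".")
    return re.sub(r"^hxxp", "http", s, flags=re.I)


def defang(indicator):
    """Inverse of refang: safe to paste into a report without auto-linking."""
    s = re.sub(r"^http", "hxxp", indicator.strip(), flags=re.I)
    return s.replace(".", "[.]")


def build_ioc_sets(defanged):
    """Split refanged indicators into an IP set and a lower-cased domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.lower())
    return {"ips": ips, "domains": domains}


def match_line(line, iocs):
    """Indicators present in one log line; domains also match their subdomains."""
    hits = set()
    for ip in IPV4.findall(line):
        if ip in iocs["ips"]:
            hits.add(ip)
    for host in HOSTNAME.findall(line):
        h = host.lower()
        for dom in iocs["domains"]:
            if h == dom or h.endswith("." + dom):
                hits.add(dom)
    return sorted(hits)


def scan(lines, iocs):
    """(line index, matched indicators) for every line with at least one hit."""
    return [(i, m) for i, line in enumerate(lines) if (m := match_line(line, iocs))]


if __name__ == "__main__":
    sets = build_ioc_sets(DEFANGED_IOCS)
    for idx, hits in scan(SAMPLE_LOGS, sets):
        print(f"line {idx}: {', '.join(defang(h) for h in hits)}")
```

The `endswith("." + dom)` check is what separates a genuine subdomain of a listed domain from a lookalike such as the constructed `notbaoxis.cc`, which a naive substring search would flag. Note also that the two cloud-storage indicators sit under shared Amazon and Alibaba domains; only the full bucket hostnames from the table should be blocked, never `amazonaws.com` or `aliyuncs.com` as a whole.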
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.