Infection chain illustrating the execution flow of a VBS-based malware campaign | Image: Microsoft
A new and highly sophisticated malware campaign is exploiting the trust users place in familiar communication platforms. Microsoft Defender Experts have detailed a widespread operation, active since late February 2026, that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files, initiating a complex, multi-stage infection chain.
The attack begins with a classic social engineering tactic. Attackers deliver malicious VBS files directly through WhatsApp messages, banking on the platform’s perceived safety. Once a user executes the script, the malware immediately begins to work in the background.
As Microsoft researchers noted:
“The campaign relies on a combination of social engineering and living-off-the-land techniques”.
Upon execution, the scripts create hidden folders in C:\ProgramData and drop renamed versions of legitimate Windows utilities. For instance:
- curl.exe is renamed as netapi.dll.
- bitsadmin.exe is renamed as sc.exe.
These renamed binaries serve as a clever disguise, allowing the malicious activity to blend “seamlessly into the system environment”.
After establishing an initial foothold, the malware moves to its next phase: retrieving secondary payloads. To evade detection, the attackers host these files on highly trusted cloud platforms.
Secondary droppers, such as auxs.vbs and WinUpdate_KB5034231.vbs, are retrieved from services including:
- AWS S3
- Tencent Cloud
- Backblaze B2
By using these trusted platforms, attackers make it incredibly difficult for defenders to distinguish between routine enterprise traffic and a malicious download. This strategy highlights a “growing trend in cybercrime, where attackers weaponize trusted technologies to evade detection”.
Once the secondary payloads are active, the malware shifts its focus to weakening system defenses. It begins tampering with User Account Control (UAC) settings, continuously attempting to launch cmd.exe with elevated privileges until it succeeds.
The ultimate goal of the campaign is to establish long-term persistence and enable remote access, often by installing malicious Microsoft Installer (MSI) packages. This grants the attackers total control over the infected system, allowing them to exfiltrate data or deploy further malware.
Microsoft Defender and other security solutions can detect this campaign by monitoring for metadata discrepancies. While attackers rename the files on disk, they often forget to change the OriginalFileName field in the file’s PE version metadata, so a binary named netapi.dll that still reports curl.exe as its original name is a clear signal for defenders.
To mitigate the impact of this campaign, security experts recommend:
- Restricting Script Hosts: Block or limit the execution of hosts like wscript and cscript in untrusted paths.
- Cloud Traffic Monitoring: Filter traffic to cloud services like AWS and Tencent Cloud to detect unauthorized payload downloads.
- Registry Auditing: Monitor changes under HKLM\Software\Microsoft\Win and flag any repeated tampering with UAC settings.
- User Education: Train employees to recognize suspicious WhatsApp attachments, even from “familiar” contacts.