WhatsApp phishing attack spreads VBScript malware through fake business documents

A familiar chat app is being used as a malware delivery channel

A long-running phishing campaign is abusing WhatsApp messages to push malicious files that look like business paperwork. The lure is simple and effective: a file name that suggests invoices, billing statements, account notices, or other routine documents, sent from an account the victim already knows.

That trust is the real payload. The campaign is targeting users in multiple countries, and the files are not harmless attachments. They are VBScript files designed to start an infection chain that ends with remote administration access on the victim’s Windows PC.

Security researchers say the messages are sent from compromised WhatsApp accounts, which gives the attack a convincing starting point. Whether the victim has to download the script before it can run, or can launch it straight from the chat, depends on whether the file is opened through WhatsApp Web or the desktop app.

How the infection chain works

The attack begins with a heavily obfuscated VBS file attached to a chat message. Once opened on Windows, that script reaches out to attacker-controlled infrastructure and pulls down two more scripts.

Those follow-up scripts make registry changes that weaken User Account Control protections, then fetch a ZIP archive containing the legitimate ManageEngine Endpoint Central software. From there, the program is installed quietly in the background and configured to connect to management servers controlled by the attacker.

That matters because ManageEngine Endpoint Central is a legitimate IT administration tool for managing endpoints from a central console. Pointed at attacker-controlled servers, it gives the intruder the same remote control a help desk would have, and because it is a real vendor product rather than custom malware, its presence and its traffic blend into normal system activity.
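The article does not say which registry values the downloaded scripts change or how the agent is installed, so the following triage script, added here and not taken from the article or the researchers' report, checks the standard UAC policy values an attacker would lower and looks for an Endpoint Central agent by name. The name patterns, the uninstall-key locations and the 14-day window for recent .vbs files are assumptions; it reads and reports, and changes nothing.

```powershell
# Added triage script (not from the article or the underlying research).
# Read-only: it reports, it does not change anything. Run in an elevated
# PowerShell on the suspect host.
#
# Assumptions (the article does not name them): the UAC values checked are the
# standard policy values an attacker lowers; the ManageEngine agent is located
# by service and uninstall-entry name patterns; "recent" means the last 14 days.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Default values on a stock Windows install; 0 is the weakened state for each.
$UacDefaults = [ordered]@{
    EnableLUA                  = 1   # 0 = UAC switched off entirely
    ConsentPromptBehaviorAdmin = 5   # 0 = elevate admins silently, no prompt
    PromptOnSecureDesktop      = 1   # 0 = prompt shown on the normal desktop
}

function Test-UacWeakened {
    # Returns one row per UAC value; Weakened is $true when it has been set to 0.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($name in $UacDefaults.Keys) {
        $current = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Value    = $name
            Current  = if ($null -eq $current) { '(not set, default)' } else { $current }
            Default  = $UacDefaults[$name]
            Weakened = ($current -is [int] -and $current -eq 0)
        }
    }
}

function Find-ManageEngineAgent {
    # Services and installed products whose names point at Endpoint Central
    # (formerly Desktop Central). A hit is not proof of compromise: compare it
    # with your asset inventory and the server the agent is configured to use.
    $namePattern = 'ManageEngine|Endpoint Central|Desktop Central'
    $services = Get-Service | Where-Object {
        $_.DisplayName -match $namePattern -or $_.Name -match $namePattern
    } | Select-Object Name, DisplayName, Status

    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $namePattern } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation

    [pscustomobject]@{ Services = @($services); Products = @($products) }
}

function Find-RecentScriptFiles {
    # .vbs/.vbe files written recently anywhere under the user's profile,
    # which is where chat clients and browsers save attachments.
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.vbs, *.vbe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, LastWriteTime
}

Write-Output '== UAC policy values =='
Test-UacWeakened | Format-Table -AutoSize

$agent = Find-ManageEngineAgent
Write-Output '== ManageEngine services =='
$agent.Services | Format-Table -AutoSize
Write-Output '== ManageEngine uninstall entries =='
$agent.Products | Format-Table -AutoSize

Write-Output '== Recent VBScript files in the user profile =='
Find-RecentScriptFiles | Format-Table -AutoSize
```

A ManageEngine hit on its own proves nothing on a host the IT team manages with the same product; what distinguishes the malicious install is the server it reports to, so check the agent's configured server against the one your own deployment uses. A UAC value at 0 on a host where nobody set it deliberately is the stronger signal.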

Where the campaign has been seen

Telemetry tied to the campaign shows activity across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The file names are also localized in several languages, which suggests the operator is trying to make the lure feel native to each target region.

Researchers have not pinned the operation on a specific threat actor. They did find signs of Chinese-language use and infrastructure overlap with IPs linked in the past to ValleyRAT and Gh0st RAT activity, but that is not enough for a confident attribution.

Why this technique works so well

Messaging apps create a different kind of trust problem than email. People are more likely to open a file from a contact they recognize, especially if the filename sounds like something they were expecting in a work conversation.

That makes this campaign a good example of how social engineering keeps evolving without needing flashy exploits. The malware does not have to break into WhatsApp itself. It only needs one compromised account and a convincing attachment to start the chain.

Stage | What happens                                           | Why it matters
1     | A compromised WhatsApp account sends a file attachment | The message looks trusted because it comes from a real contact
2     | The victim opens a VBScript file on Windows            | The script starts the attack chain
3     | Additional scripts are downloaded                      | Attackers gain more control over the device
4     | UAC protections are reduced through registry changes   | Security prompts become easier to bypass
5     | ManageEngine Endpoint Central is installed             | Attackers get remote administration access

What users should do right now

The safest move is also the least exciting one, which usually means it is the right one. Treat any file received through WhatsApp with the same caution you would give an unexpected email attachment, even if the message comes from someone you know.

  • Verify suspicious files through a second channel before opening them.
  • Scan all downloaded files with up-to-date antivirus software.
  • Avoid running VBS or other script files unless you are sure they are legitimate.
  • Be extra cautious with files that claim to be invoices, statements, or account notices.
  • Keep Windows and security tools updated so script-based attacks have less room to work.
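"Avoid running VBS files" is advice the user has to remember every time; the enforceable version is to turn off Windows Script Host, so a double-clicked .vbs or .js attachment shows an error instead of running. The script below is an added example, not from the article, and assumes nothing on the host (logon scripts, admin tooling) depends on WSH; check that before deploying it broadly.

```powershell
# Added hardening example (not from the article). Disables Windows Script Host
# via the documented Settings\Enabled value, with -Revert to put it back.
# Run elevated for the machine-wide key; -Scope User needs no elevation.
# Assumption: no logon scripts or admin tooling on this host rely on WSH.

function Set-WindowsScriptHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Machine', 'User')] [string]$Scope = 'Machine',
        [switch]$Revert
    )
    $hive    = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key     = "$hive\SOFTWARE\Microsoft\Windows Script Host\Settings"
    $enabled = if ($Revert) { 1 } else { 0 }   # 0 = WSH refuses to run scripts

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($key, "Set Enabled = $enabled")) {
        Set-ItemProperty -Path $key -Name Enabled -Value $enabled -Type DWord
    }
    # Read back and report what is now in effect.
    $now = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ Scope = $Scope; Key = $key; Enabled = $now }
}

# Preview the change, apply it, then verify with a harmless probe script:
# after hardening, cscript prints an access-disabled message instead of the echo.
Set-WindowsScriptHost -WhatIf
Set-WindowsScriptHost
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'
Set-Content -Path $probe -Value 'WScript.Echo "WSH is still enabled"'
cscript.exe //Nologo $probe
Remove-Item $probe
```

Disabling WSH is a blunt control and the right one for most end-user machines; on hosts that genuinely need script execution, the narrower option is an application-control rule that allows only scripts from a trusted path.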

This campaign is a reminder that the weakest link is often not the software itself, but the trust built around it. A familiar profile picture and a convincing filename can be enough to make a dangerous attachment feel routine.

For Windows users, that is the part worth remembering: a file sent in chat is still a file, and script files can do far more than display text.