New WhatsApp Malware Campaign Uses VBS Scripts and AnyDesk for Stealthy Remote Access

CyberSecureFox

Microsoft Defender researchers have identified a new targeted WhatsApp malware campaign that distributes malicious VBS scripts and establishes long-term remote access to compromised Windows systems. The activity, observed since late February 2026, relies on a multi‑stage infection chain, extensive use of legitimate tools and cloud services, and systematic weakening of built‑in security controls.

How the WhatsApp malware infection chain begins

The attack starts with social engineering over WhatsApp. Victims receive a file with a .vbs extension (a VBScript, which Windows hands to the Windows Script Host, wscript.exe, when it is double-clicked), typically disguised as a document, invoice, courier notice or urgent update. Industry reports such as Verizon’s Data Breach Investigations Report (DBIR) consistently find a human element, whether error or manipulation, in the majority of breaches, and this campaign follows the same pattern: no exploit is needed, only a user who runs the file.

Once the user executes the script, it creates hidden folders under C:\ProgramData and stores renamed copies of legitimate Windows components there. C:\ProgramData is a natural staging area for a dropper that does not yet have administrative rights: the folder is hidden by default in Explorer, and a standard user can create subfolders in it. By masquerading as system files and operating from a system directory, the malware lowers the chance of being flagged by signature-based antivirus or noticed during a casual manual inspection.

Living-off-the-Land: abusing Windows tools and cloud services

A defining feature of this campaign is its extensive use of the Living-off-the-Land (LotL) technique. In LotL attacks, adversaries minimize custom malware and instead abuse tools that are already present in the operating system or widely trusted infrastructure, making detection substantially harder.

In this case, the initial VBS script copies and renames legitimate Windows utilities such as curl.exe and bitsadmin.exe. For example, curl.exe may be renamed to netapi.dll, while bitsadmin.exe is presented as sc.exe. To an untrained eye these files appear harmless and blend into normal system activity. Renaming only changes the on-disk name, though: the copy keeps its Microsoft signature and the OriginalFilename field in its version resource, which is exactly what file hunts and process-creation telemetry can key on.

Using these renamed binaries, the malware connects to trusted cloud storage platforms, including AWS S3, Tencent Cloud and Backblaze B2, and downloads the additional VBS scripts and payloads that form the next stages of the compromise. Because these services are widely used and generally considered safe, their traffic is rarely blocked by default, giving attackers a reliable, low-friction distribution channel that blends in with legitimate backups and software updates.
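The following hunt is an added example, not code from the article or from Microsoft’s report. It walks the staging location described above and reports any file whose on-disk name differs from the OriginalFilename embedded in its version resource, which is how a copy of curl.exe called netapi.dll gives itself away. The root path and the watch list are assumptions taken from the article; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the article or Microsoft's report): find renamed
# copies of Windows binaries under C:\ProgramData. Renaming a PE does not
# change the OriginalFilename in its version resource or its Authenticode
# signature, so embedded-name vs on-disk-name mismatch is the signal.

function Find-RenamedSystemBinaries {
    param(
        [string]$Root = 'C:\ProgramData',                    # assumed staging root (from the article)
        [string[]]$WatchList = @('curl.exe', 'bitsadmin.exe') # utilities the article says are copied
    )

    # -Force includes the hidden folders the dropper creates.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        $orig = $file.VersionInfo.OriginalFilename
        # Files without a version resource cannot be judged this way.
        if ([string]::IsNullOrWhiteSpace($orig)) { return }
        $orig = $orig.Trim()
        # Embedded name equals on-disk name: nothing to report.
        if ($orig -ieq $file.Name) { return }

        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Path         = $file.FullName
            OnDiskName   = $file.Name              # e.g. netapi.dll
            OriginalName = $orig                   # e.g. curl.exe
            SigStatus    = $sig.Status             # Valid for an intact Microsoft binary
            IsOSBinary   = $sig.IsOSBinary         # true for catalog-signed Windows files (PS 5+)
            Watched      = ($WatchList -icontains $orig)
        }
      }
}

Find-RenamedSystemBinaries | Sort-Object Watched -Descending | Format-Table -AutoSize
```

Some legitimate third-party installers ship renamed components, so treat a mismatch alone as a lead rather than a verdict; a file that is both a Microsoft OS binary (IsOSBinary true, signature Valid) and sitting under ProgramData under a different name is the combination that matches this campaign.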

UAC bypass, registry modification and persistence on Windows

After retrieving its second-stage components, the malware focuses on elevation and persistence on the infected host. One of its primary objectives is to weaken User Account Control (UAC), the Windows mechanism that asks for confirmation before a process running under an administrator account is allowed to use full administrative rights.

By modifying specific Windows registry keys, including under paths such as HKLM\Software\Microsoft\Win, the malware suppresses UAC prompts and makes it easier to run processes with elevated privileges without explicit user approval. Configuration tampering of this kind is a common step in modern Windows intrusion playbooks.

The script repeatedly attempts to launch cmd.exe with administrator privileges, looping through UAC bypass techniques until elevation succeeds or is blocked by security software or manual intervention. This persistence significantly increases the chance that the attackers eventually gain full control of the system. Two caveats matter here: Microsoft does not treat UAC as a security boundary, so UAC bypasses are generally not fixed as vulnerabilities, and a bypass only has something to elevate when the logged-on user is already a member of the local Administrators group. For a standard user the loop simply keeps failing, which is the strongest argument for keeping day-to-day accounts out of that group.

In parallel, the malware registers autorun entries in both the registry and system directories so that it survives reboots. These persistence hooks turn a single execution of a VBS attachment into a long-term presence in the victim’s environment.
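The audit below is an added example, not code from the article or from Microsoft’s report. The article does not name the exact registry values the campaign changes, so the first function checks the documented UAC policy values that an attacker would have to touch to silence prompts (that choice is an assumption about what is worth checking, not a claim about this malware), and the second lists Run/RunOnce entries and Startup-folder items that match the behaviour described above: script hosts, .vbs payloads, or anything launched from ProgramData.

```powershell
# Added example (not from the article or Microsoft's report): audit UAC policy
# values and the common autorun locations a VBS dropper uses for persistence.
# Run in an elevated PowerShell 5.1+ session.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # Documented UAC policy values and the hardened settings to expect.
    # The Windows default for ConsentPromptBehaviorAdmin is 5; 0 means "elevate
    # without prompting", which is what an attacker wants.
    $expected = @{
        EnableLUA                  = 1   # UAC enabled at all
        ConsentPromptBehaviorAdmin = 2   # always prompt admins for consent on the secure desktop
        PromptOnSecureDesktop      = 1   # prompt is shown on the secure desktop (cannot be spoofed)
    }
    $actual = Get-ItemProperty -Path $UacKey
    foreach ($name in $expected.Keys) {
        $value = $actual.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Ok       = ($null -ne $value -and [int]$value -eq $expected[$name])
        }
    }
}

function Find-SuspiciousAutoruns {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $startupDirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    # Heuristic for the behaviour described in the article (an assumption):
    # script hosts, .vbs payloads, or anything launched out of ProgramData.
    $pattern = '(?i)(wscript|cscript|\.vbs\b|ProgramData)'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Extension -in @('.vbs', '.js', '.jse', '.wsf', '.bat', '.cmd', '.lnk') } |
          ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
          }
    }
}

Test-UacPolicy | Format-Table -AutoSize
Find-SuspiciousAutoruns | Format-Table -AutoSize
```

A UAC row with Ok set to False on a machine that was hardened by policy is worth an incident ticket on its own; Group Policy will not silently reset these values until the next refresh, and an attacker who has already elevated can keep re-applying them. Scheduled tasks and services are further persistence locations not covered here.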

Malicious MSI packages and abuse of AnyDesk for remote access

With administrative privileges in place, the attackers install malicious MSI packages. Some of these installers lack valid digital signatures; combined with the weakened UAC settings and registry changes, they can be installed silently (msiexec.exe accepts quiet-install switches) without drawing user attention.

The campaign also abuses legitimate remote administration tools, with AnyDesk explicitly mentioned by Microsoft as a key component. While AnyDesk is widely used for legitimate remote support, when installed and controlled by attackers it effectively becomes a persistent, encrypted backdoor into the victim’s device.

Through this remote access channel, adversaries can fully control the compromised system, exfiltrate sensitive information, deploy additional malware such as ransomware, and pivot laterally to other systems within the same network. This combination of MSI‑based payload delivery and remote access tools is consistent with many modern hands‑on‑keyboard intrusions.

Why this WhatsApp VBS campaign is hard to detect

This operation combines several high-risk elements: a popular messaging app (WhatsApp) as the delivery channel, reputable cloud services as hosting infrastructure, LotL techniques using built-in Windows tools, and deliberate evasion of security controls through UAC and registry modification. As a result, detection is challenging at every layer: email gateways never see the file at all, web proxies see only encrypted traffic to reputable cloud storage domains, and endpoint tools that rely mainly on known malware signatures have little to match on, because the components doing the work are Microsoft-signed binaries.

Security recommendations for organizations and users

To reduce exposure to similar WhatsApp malware campaigns, organizations and individuals should adopt a layered defense strategy. First, restrict script execution. Change the default handler for .vbs (and .js, .jse and .wsf) files from the Windows Script Host to a harmless program such as Notepad, block wscript.exe and cscript.exe for ordinary users with AppLocker or Windows Defender Application Control script rules, and consider removing VBScript altogether: Microsoft has deprecated it and ships it as an optional Feature on Demand on recent Windows 11 releases. Note that PowerShell execution policy is not a security control and should not be relied on here. On corporate endpoints, application control or allow-listing for MSI installers can prevent unauthorized software deployment.

Second, implement tight governance around remote access tools such as AnyDesk, TeamViewer or similar products. Their installation and use should be centrally managed, monitored and explicitly prohibited for standard users without IT approval. Unexpected instances of these tools on endpoints must be treated as high‑priority security alerts.

Third, monitor for suspicious use of curl, bitsadmin and other administrative utilities, especially when they communicate with external cloud storage providers. Match on the OriginalFileName reported in process-creation telemetry (for example Sysmon Event ID 1 or Microsoft Defender for Endpoint device events) rather than on the image path, so that a renamed copy is still caught. Behavioral EDR solutions that focus on abnormal process chains, privilege escalation attempts and registry tampering offer stronger protection against LotL-based attacks than signature-only antivirus.
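The script below is an added example, not code from the article or from Microsoft’s report, and it covers the two recommendations above: it hunts Sysmon telemetry for curl or bitsadmin resolving cloud-storage hostnames, keyed on OriginalFileName so a renamed copy is still recognised, and it inventories remote access tools on the host. It assumes Sysmon is installed with process-creation (Event ID 1) and DNS-query (Event ID 22) logging enabled. The storage domains and product names are my assumptions drawn from the providers and tools the article mentions, not indicators published by Microsoft.

```powershell
# Added example (not from the article or Microsoft's report).
# (1) Join Sysmon ID 22 DNS queries back to ID 1 process creations so that
#     a renamed curl.exe is matched on OriginalFileName, not on its path.
# (2) Inventory remote access tools by process, service and uninstall entry.

function Get-SysmonEventData {
    # Flattens <EventData><Data Name="...">value</Data> into a hashtable.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) {
        $d[$item.GetAttribute('Name')] = $item.InnerText
    }
    return $d
}

function Find-LotLCloudLookups {
    param(
        [int]$Hours = 24,
        [string[]]$Utilities = @('curl.exe', 'bitsadmin.exe'),          # from the article
        [string[]]$StorageDomains = @('amazonaws.com', 'myqcloud.com', 'backblazeb2.com') # assumed
    )
    $log   = 'Microsoft-Windows-Sysmon/Operational'
    $since = (Get-Date).AddHours(-$Hours)

    # ID 1 (ProcessCreate) is the event that carries OriginalFileName; index by ProcessGuid.
    $procs = @{}
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $p = Get-SysmonEventData $_
        if ($Utilities -icontains $p['OriginalFileName']) { $procs[$p['ProcessGuid']] = $p }
      }

    # ID 22 (DnsQuery) has the exact name queried but no OriginalFileName; join on ProcessGuid.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 22; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $q    = Get-SysmonEventData $_
        $guid = $q['ProcessGuid']
        $name = $q['QueryName']
        if (-not $guid -or -not $name) { return }
        $p = $procs[$guid]
        if (-not $p) { return }
        $hit = $StorageDomains | Where-Object { $name.EndsWith($_, 'OrdinalIgnoreCase') }
        if ($hit) {
            [pscustomobject]@{
                Time         = $q['UtcTime']
                OnDiskImage  = $p['Image']            # e.g. ...\ProgramData\...\netapi.dll
                OriginalName = $p['OriginalFileName'] # still curl.exe after the rename
                CommandLine  = $p['CommandLine']
                QueryName    = $name
                Provider     = ($hit -join ',')
            }
        }
      }
}

function Find-RemoteAccessTools {
    # Products the article names; extend the list to match your estate.
    param([string[]]$Products = @('AnyDesk', 'TeamViewer'))
    $rx = ($Products | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $rx } |
      ForEach-Object { [pscustomobject]@{ Source = 'Process'; Name = $_.Name; Detail = $_.Path } }
    Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match $rx } |
      ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.DisplayName } }
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match $rx } |
      ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation } }
}

Find-LotLCloudLookups | Format-Table -AutoSize
Find-RemoteAccessTools | Format-Table -AutoSize
```

The join on ProcessGuid is the point: Sysmon’s network and DNS events only record the image path, so a rule written against C:\Windows\System32\curl.exe never fires for the copy in ProgramData, whereas the OriginalFileName in the process-creation event survives the rename. Where DNS logging is not enabled, Event ID 3 (NetworkConnect) can be joined the same way, at the cost of matching on reverse-resolved hostnames or IP ranges instead of the queried name.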

Finally, continuous security awareness training remains essential. Users should be instructed not to open or execute script files (including .vbs) received via WhatsApp or other messengers, even if they appear to come from known contacts. A single careless click can provide attackers with the foothold they need to establish durable remote access and move deeper into the network.
