WhatsApp Desktop and Web Targeted in Global VBScript RMM Campaign

CyberSecureFox Editorial Team

According to researchers at Kaspersky, an active campaign has been identified in which malicious Visual Basic Script (VBScript) files are distributed via WhatsApp direct messages, triggering a multi-stage infection chain that ultimately installs the legitimate remote management solution ManageEngine RMM Central. The campaign affects WhatsApp Desktop and WhatsApp Web users in 11 countries — Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia and Vietnam — with the highest concentration of victims observed in Malaysia. Users of both WhatsApp versions are advised not to open script attachments, even if they are received from known contacts.

Initial infection mechanism

According to the report, the attackers obtained unauthorized access to a number of WhatsApp accounts and used them to send malicious files to those accounts' contact lists. How the accounts were compromised is not yet known. This is a significant gap: without the initial access vector, the full scope of the campaign cannot be assessed.

The VBScript files are disguised as business and financial documents with names such as “Financial Reports.vbs” or “Account Statement.vbs”. Some samples have names in Portuguese, French, German and Malay, reflecting the global reach of the operation. The attackers are counting on the recipient mistaking the attachment for a legitimate document from a familiar sender and opening it.

Technical infection chain

The behavior of the infection chain depends on the platform:

  • WhatsApp Web: the attack requires the user to manually download the file and then open it from the downloads folder or via the browser's download history.
  • WhatsApp Desktop: when the recipient opens the attachment from inside the client, the WhatsApp.Root.exe process spawns WScript.exe, which runs the script. There is no separate download-and-open step.

The second scenario is of particular interest: the legitimate process of the WhatsApp desktop client becomes the parent of the Windows script interpreter. Monitoring tools that only baseline script-interpreter launches from Office applications, browsers or explorer.exe will not flag this parent-child pair unless the messenger process is added to the rule.

According to the researchers, the VBScript files are heavily obfuscated and padded with comments and metadata that imitate legitimate Microsoft Windows update components. Many of these comments are written in Chinese and reference Windows Update modules, certificate verification, system integrity checks and deployment functions. This may point to the origin of the tooling, or it may be a deliberate false flag.

Execution stages

After being launched via WScript.exe, the initial VBScript downloads two secondary scripts from a remote server:

  1. UAC bypass module: tampers with the Windows User Account Control (UAC) mechanism so that the following stage can run with elevated privileges without the standard consent prompt being shown.
  2. RMM loader: downloads and unpacks a ZIP archive containing the installation package for ManageEngine RMM Central; once installed, the agent gives the attacker full remote access to the victim's system.

Using a legitimate remote administration tool is a common technique for evading antivirus detection: the RMM agent itself is not malware, is signed by its vendor, and is often allow-listed in corporate environments. Detection therefore has to rest on context (who installed the agent, from where, and which management server it reports to) rather than on the binary.

Threat context and attribution

The campaign has not yet been attributed to any specific group. Kaspersky notes an overlap in infrastructure — IP address 202.61.160[.]201 — with previous activity associated with Gh0st RAT and ValleyRAT. However, infrastructure overlap alone is insufficient for reliable attribution: IP addresses can be reused by different groups, rented from the same hosting providers, or intentionally employed to create a false trail.

It is worth noting that at the time of publication there is no official confirmation or comment from Meta (the owner of WhatsApp) or ManageEngine regarding this campaign. All technical details are based on Kaspersky’s research.

Impact assessment

The campaign poses an elevated risk for several reasons:

  • Trust in the sender: messages come from compromised accounts of real contacts, which sharply increases the likelihood that attachments will be opened.
  • Broad geography: coverage of 11 countries on five continents with multilingual lures indicates a large-scale, well-prepared operation.
  • Legitimacy of the final tool: ManageEngine RMM Central is a commercial product that is not detected as malware, making the compromise harder to spot.
  • Specifics of WhatsApp Desktop: WScript.exe is launched as a child of the messenger process when the attachment is opened in the client, so there is no separate download-and-open step to give the user pause.

Security recommendations

  • Blocking script extensions: use Group Policy or endpoint protection tools to prevent execution of .vbs, .vbe, .js, .bat, .cmd, .ps1 and .exe files delivered via messengers. For the Windows Script Host formats, disabling WSH or changing the default handler to a text editor is more robust than filtering by extension; for executables, application control (AppLocker or WDAC) is the appropriate tool.
  • Process tree monitoring: configure EDR rules to detect WhatsApp.Root.exe spawning WScript.exe or CScript.exe; there is no legitimate reason for the messenger to launch a script interpreter.
  • RMM installation control: if ManageEngine RMM Central is not used in your organization, add its installation packages to the application blocklist. If it is used, monitor for unauthorized installations of new agents.
  • Monitoring UAC changes: alert on modifications to the UAC values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, in particular EnableLUA and ConsentPromptBehaviorAdmin (and PromptOnSecureDesktop, which goes with them).
  • Attachment verification: when receiving unexpected files via WhatsApp — even from acquaintances — contact the sender through an alternative channel to confirm.
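
The first recommendation above, as an added example for this article (not code from Kaspersky's report, Meta or ManageEngine): a PowerShell script that closes the execution path the campaign depends on, a double-clicked .vbs or .js being handed to wscript.exe. It applies two independent controls, disabling Windows Script Host machine-wide and re-pointing the script file types to Notepad, so that re-enabling one does not silently reopen the path. It assumes that nothing on the endpoint legitimately depends on WSH (VBScript/JScript logon scripts would stop working) and that the standard ProgIDs (VBSFile, JSFile, and so on) are present.

```powershell
#Requires -RunAsAdministrator
# Added example for this article, not code from the report or from Meta/ManageEngine.
# Assumption: no business process on this endpoint relies on Windows Script Host.

$WshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$WshProgIds  = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
# Notepad shows the script source instead of running it.
$SafeHandler = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""

function Disable-WindowsScriptHost {
    # Enabled = 0 makes wscript.exe and cscript.exe refuse every script, machine-wide.
    if (-not (Test-Path $WshSettings)) { New-Item -Path $WshSettings -Force | Out-Null }
    Set-ItemProperty -Path $WshSettings -Name Enabled -Type DWord -Value 0
}

function Set-ScriptTypesToNotepad {
    # Re-point the shell "Open" verb of each script ProgID from the interpreter to Notepad,
    # so a double-click (the action the lure relies on) displays the file instead of executing it.
    foreach ($progId in $WshProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (Test-Path $cmdKey) {
            Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value $SafeHandler
        }
    }
}

function Get-ScriptHostHardeningState {
    # Read both controls back so the result can be compared against the intended state.
    $enabled  = (Get-ItemProperty -Path $WshSettings -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $handlers = foreach ($progId in $WshProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        [pscustomobject]@{
            ProgId  = $progId
            Command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }
    [pscustomobject]@{
        WshEnabledValue   = $enabled                 # expected: 0
        WshDisabled       = ($enabled -eq 0)
        HandlersToNotepad = @($handlers | Where-Object { $_.Command -like '*notepad.exe*' }).Count
        Handlers          = $handlers
    }
}

Disable-WindowsScriptHost
Set-ScriptTypesToNotepad
Get-ScriptHostHardeningState | Format-List
```

Pilot this on a test OU before rolling it out: any logon script written in VBScript or JScript will break once WSH is disabled. The right-click "Open with Command Prompt" verb (Open2) still points at cscript.exe after the handler change, which is exactly why the WSH Enabled=0 setting is applied as well. The .bat, .cmd, .ps1 and .exe types from the recommendation are not covered here; those belong to application control rather than to handler changes.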

Organizations that use WhatsApp for work communications are advised to immediately check workstations for unauthorized RMM agents and to configure detection rules for script interpreters spawned from messenger processes. The published indicator of compromise, IP address 202.61.160[.]201, should be added to network security blocklists to proactively cut communication with the command-and-control infrastructure. A single IP address is a short-lived indicator, however, so the behavioral rules above remain the durable control.
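
A single-host hunt for the traces described in the "Technical infection chain" section and in the recommendations, as an added example for this article (not code from Kaspersky's report): it looks for wscript.exe or cscript.exe created with WhatsApp.Root.exe as the parent in Sysmon process-creation events, for UAC policy values that have drifted from the baseline, for a ManageEngine product in the installed-programs registry, and for live connections to the published indicator IP. It assumes Sysmon is installed with process-creation logging, that the RMM Central agent registers an Uninstall entry whose DisplayName contains "ManageEngine" (a heuristic, verify hits manually), and that the UAC baseline is the Windows default, which must be adjusted if Group Policy sets other values.

```powershell
# Added hunting script for this article (not code from Kaspersky's report, Meta or ManageEngine).
# Assumptions: Sysmon with Event ID 1 logging; ManageEngine registers an Uninstall DisplayName
# containing "ManageEngine"; UAC baseline = Windows defaults. Run in an elevated PowerShell session.

$ScriptHosts = 'wscript.exe', 'cscript.exe'
$ParentName  = 'WhatsApp.Root.exe'
$IndicatorIp = '202.61.160.201'

function Find-ScriptHostSpawnedByWhatsApp {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Read the fields from the event XML rather than the rendered message so the match is locale-independent.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $image  = [IO.Path]::GetFileName([string]$data['Image'])
        $parent = [IO.Path]::GetFileName([string]$data['ParentImage'])
        if ($ScriptHosts -contains $image -and $parent -ieq $ParentName) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['User']
                Parent      = $data['ParentImage']
                Image       = $data['Image']
                CommandLine = $data['CommandLine']   # names the .vbs that was opened
            }
        }
    }
}

function Test-UacBaseline {
    # The values an attacker lowers to suppress the consent prompt; Drifted = True warrants a closer look.
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $expected = [ordered]@{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
    $current  = Get-ItemProperty -Path $key
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $current.$name
            Drifted  = ($current.$name -ne $expected[$name])
        }
    }
}

function Find-ManageEngineInstall {
    # Both registry views, so a 32-bit installer on 64-bit Windows is not missed.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like '*ManageEngine*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation
}

function Find-IndicatorConnection {
    # Only catches a connection that is open right now; proxy/firewall logs cover past activity.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $IndicatorIp } |
        Select-Object LocalAddress, LocalPort, RemotePort, State, OwningProcess
}

'== Script host spawned by WhatsApp.Root.exe (last 7 days) =='
Find-ScriptHostSpawnedByWhatsApp | Format-Table -AutoSize
'== UAC baseline =='
Test-UacBaseline | Format-Table -AutoSize
'== ManageEngine products in installed programs =='
Find-ManageEngineInstall | Format-Table -AutoSize
"== Open connections to $IndicatorIp =="
Find-IndicatorConnection | Format-Table -AutoSize
```

Without Sysmon, Security event 4688 can stand in for the first check once command-line auditing is enabled (its NewProcessName and ParentProcessName fields carry the same parent-child relationship), and the same parent-image/image pair translates directly into an EDR or Sigma rule. Treat a ManageEngine hit as a lead, not a verdict: in an organization that uses RMM Central legitimately, the distinguishing questions are who installed the agent, when, and which management server it enrolls with.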
