Microsoft is warning of a new campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.
The campaign, which begins in late February 2026, utilizes these scripts to establish persistence and initiate a multi-step infection chain to enable remote access. At this time, it is unclear what lures an attacker would use to trick a user into running the script.
“This campaign relies on a combination of social engineering and off-world techniques,” the Microsoft Defender security research team said. “The virus uses renamed Windows utilities to infiltrate normal system activity, obtain payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and install malicious Microsoft Installer (MSI) packages to maintain control of the system.”
The use of legitimate tools and trusted platforms is a deadly combination as it allows threat actors to blend into normal network activity and increases the chances of a successful attack.
The activity begins with the attacker distributing a malicious VBS file via a WhatsApp message that, when executed, creates a hidden folder in ‘C:\ProgramData’ and drops renamed versions of legitimate Windows utilities such as ‘curl.exe’ (renamed to ‘netapi.dll’) and ‘bitsadmin.exe’ (renamed to ‘sc.exe’).
Once the attacker gains an initial foothold, the attacker aims to establish persistence, escalate privileges, and ultimately install a malicious MSI package on the victim’s system. This is accomplished by using renamed binaries to download auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2.
“Once the secondary payload is in place, the malware begins to tamper with User Account Control (UAC) settings, weakening the system’s defenses,” Redmond said. “It continually attempts to launch cmd.exe with elevated privileges, retries until UAC elevation succeeds or the process is killed, modifies registry entries under HKLM\Software\Microsoft\Win, and embeds a persistence mechanism to ensure the infection persists across system reboots.”
These actions allow threat actors to gain elevated privileges and ultimately deploy unsigned MSI installers without user interaction through a combination of registry manipulation and UAC bypass techniques. This includes legitimate tools such as AnyDesk that provide persistent remote access to attackers, allowing them to steal data or deploy further malware.
“This campaign demonstrates a sophisticated infection chain that combines social engineering (WhatsApp distribution), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting,” Microsoft said.
Source link
