Overview
A new phishing campaign is targeting WhatsApp users across multiple countries by abusing compromised accounts to distribute malicious files disguised as business and financial documents.
Unlike traditional phishing attacks that rely on suspicious links, this campaign uses trusted contacts to deliver heavily obfuscated VBScript files that appear to be invoices, financial reports, billing statements, or account documents.
Once opened on a Windows device, the attack can provide threat actors with remote access to the victim’s computer using legitimate enterprise management software.

Attack Breakdown
Researchers at Kaspersky identified the campaign impacting users in multiple regions, including:
- Australia
- Brazil
- India
- Malaysia
- Mexico
- Singapore
- Spain
- Taiwan
- United Kingdom
- Vietnam
The attacks begin when a victim receives a message from a legitimate WhatsApp contact whose account has already been compromised.
The message contains a file masquerading as a business document. Because the file appears to come from someone the recipient knows and trusts, there is a greater likelihood that it will be opened.
Once executed, the VBScript downloads additional payloads from attacker-controlled infrastructure and begins modifying the local system.
How the Infection Works
The attack chain follows several stages:
- A compromised WhatsApp account sends a malicious VBScript file.
- The victim downloads and executes the file.
- Additional scripts are retrieved from attacker-controlled servers.
- User Account Control (UAC) protections are weakened through Registry changes.
- A ZIP archive containing ManageEngine Endpoint Central is downloaded.
- The software is silently installed and configured.
- The victim’s device connects to attacker-controlled management servers.
At this point, the attacker effectively gains remote administration capabilities over the compromised system.
An interesting aspect of the campaign is the abuse of legitimate software. ManageEngine Endpoint Central is widely used by IT administrators for endpoint management, making its presence less likely to raise immediate suspicion.
Why This Attack Is Concerning
The most dangerous aspect of this campaign is not the malware itself but the delivery method.
Many users have become cautious about links from unknown senders. However, receiving what appears to be a financial document from a trusted colleague, customer, or supplier is far more convincing.
The attackers are also leveraging legitimate administrative software rather than deploying traditional malware or ransomware immediately. This allows them to blend into normal system activity and potentially evade security controls that focus solely on malicious executables.
Researchers also noted indicators suggesting possible links to infrastructure previously associated with ValleyRAT and Gh0st RAT activity. However, there is currently insufficient evidence to confidently attribute the campaign to a specific threat actor.
Defensive Recommendations
Organisations and users should consider the following precautions:
- Treat unexpected files with caution, even when received from trusted contacts.
- Verify sensitive files through a secondary communication channel before opening them.
- Block or restrict execution of VBScript files where possible.
- Ensure endpoint protection solutions are up to date.
- Monitor for unauthorised installations of remote management software.
- Enable multi-factor authentication on WhatsApp and other messaging platforms.
- Educate users about phishing attacks delivered through messaging applications.
For business environments, application control and endpoint detection solutions can help identify suspicious script execution before the attack progresses.
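As an added example (not code from the article or from Kaspersky), the following Python sketch runs a detection pass over constructed endpoint telemetry and flags the observable stages of the chain described above: a VBScript launched from a user's Downloads folder, UAC policy values weakened in the registry, and a remote-management installer spawned by a script host. The Event shape and sample events are constructed here, and the assumption that the registry changes touch the standard UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) is mine; the article does not name the exact keys modified.

```python
# Added example: toy detection pass over constructed endpoint telemetry for the
# WhatsApp VBScript -> UAC weakening -> RMM install chain. Not from the article.
from dataclasses import dataclass

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Assumed: standard UAC policy values and the data that disables each protection.
WEAK_UAC = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = SCRIPT_HOSTS | {"powershell.exe", "cmd.exe"}
RMM_MARKERS = ("manageengine", "endpoint central", "endpointcentral")

@dataclass
class Event:
    kind: str          # "process" or "registry"
    user: str
    image: str = ""    # process image name
    parent: str = ""   # parent process image name
    cmdline: str = ""
    key: str = ""      # registry key path
    value: str = ""    # registry value name
    data: str = ""     # registry data written

def detect(events):
    """Return (rule, user, detail) tuples for events matching a stage of the chain."""
    alerts = []
    for e in events:
        if e.kind == "process":
            img, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
            if img in SCRIPT_HOSTS and ".vbs" in cmd and "\\downloads\\" in cmd:
                alerts.append(("vbs-from-downloads", e.user, e.cmdline))
            if any(m in cmd for m in RMM_MARKERS) and parent in SHELLS:
                alerts.append(("rmm-install-from-script", e.user, e.cmdline))
        elif e.kind == "registry":
            if e.key.lower() == UAC_KEY.lower() and WEAK_UAC.get(e.value) == e.data:
                alerts.append(("uac-weakened", e.user, f"{e.value}={e.data}"))
    return alerts

# Constructed sample telemetry (not real indicators): the three stages plus one benign event.
SAMPLE_EVENTS = [
    Event("process", "alice", "wscript.exe", "explorer.exe",
          r'wscript.exe "C:\Users\alice\Downloads\Invoice_March.vbs"'),
    Event("registry", "alice", key=UAC_KEY, value="EnableLUA", data="0"),
    Event("process", "alice", "msiexec.exe", "wscript.exe",
          r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\ManageEngine_Agent.msi" /qn'),
    Event("registry", "alice", key=r"HKCU\Software\Contoso\App", value="Theme", data="dark"),
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} {detail}")
```

In production the same logic maps onto process-creation and registry-set events from Sysmon or an EDR; the value is in correlating all three stages for one user rather than alerting on any single one.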
Expert in the Cloud Insight
This campaign highlights a growing trend in cybercrime: attackers are increasingly targeting trust rather than technology.
Instead of exploiting software vulnerabilities, threat actors are exploiting relationships. A message from a trusted contact immediately lowers suspicion, making users more likely to bypass the security instincts they would normally apply to unknown senders.
The use of legitimate remote management tools is equally important. Security teams can no longer assume that every threat arrives as obvious malware. Increasingly, attackers are using the same tools administrators rely on every day.
Organisations should focus not only on detecting malicious software but also on monitoring unusual behaviour, unexpected software deployments, and abnormal remote administration activity. In today’s threat landscape, trust is often the first security control attackers attempt to compromise.