WhatsApp VBScript Malware
You receive a WhatsApp message from a contact you know. It includes an attachment named "Financial Reports.vbs." They don't explain what it is. They don't ask if you want it. It just arrives.
You open it, assuming it's a legitimate document. It's not. It's a VBScript that installs remote monitoring software on your system.
A newly identified malware campaign on WhatsApp is spreading VBScript files around the world. The scripts are sent from compromised user accounts on the platform and are disguised as official documents or business and financial paperwork.
The goal is to install legitimate Remote Monitoring and Management software, giving attackers persistent remote access to infected systems.
Who Is Being Targeted?
The active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across more than a dozen countries:
Malaysia (highest concentration of victims)
Brazil
India
Mexico
Singapore
United Kingdom
Spain
Taiwan
Australia
Russia
Vietnam
The attackers are casting a wide net. The script filenames are localized to match the target region. Some filenames appear in Portuguese, French, German, and Malay.
How the Attack Works
The WhatsApp VBScript malware campaign begins with a message containing an attachment.
The attachment uses misleading file names, such as:
1. Financial Reports.vbs
2. Accounts Statement.vbs
3. Invoice_2026.vbs
The senders appear to be people you know, which means the attacker must have compromised a legitimate WhatsApp account to send these messages; the exact method of compromise is unclear.
The VBScript is heavily obfuscated and padded with a large number of comments and metadata intended to make it resemble legitimate Microsoft Windows Update files. Some of the comments are in Chinese and refer to Windows Update modules, certificate validation, system integrity checks and similar topics.
The Chain of Infection
When a user opens a .vbs file, Windows runs it with WScript.exe. The initial script then downloads two secondary VBScript payloads from a remote server, which work together with the initial script.
The method by which the user receives the file also affects how the infection happens:
WhatsApp Web: The user downloads the .vbs file to their computer from the browser and opens it from the Downloads folder or from the browser's download list, believing it to be a legitimate document.
WhatsApp Desktop: The user runs the file directly from within the WhatsApp Desktop application. The WhatsApp Desktop background process then spawns WScript.exe to run the VBScript on the user's computer.
Each of these secondary payloads has a different function:
1. Bypassing the Windows UAC prompt. The first secondary payload attempts to bypass User Account Control so that a program can run with elevated privileges without the user seeing a security prompt.
2. Downloading the RMM installation package. The second secondary payload downloads a .zip file containing the installer for ManageEngine RMM Central, a legitimate remote monitoring and management application.
Once ManageEngine RMM Central is installed, the attacker can access the compromised computer at any time using the legitimate RMM software.
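The infection chain above leaves a recognisable process trail on the endpoint: a script host (WScript.exe) started by WhatsApp Desktop, or started for a .vbs file sitting in the Downloads folder, followed by the script host launching further programs. The following detection logic is an added example and is not code from the original article or from any vendor; it runs over Sysmon-style process-creation records (fields Image, ParentImage, CommandLine). The process names in SUSPICIOUS_PARENTS, the file paths and all sample events are constructed assumptions, not observed indicators.

```python
"""Detection of the WhatsApp-to-WScript.exe infection chain.

Added example (not from the original article). Scans process-creation
events modelled on Sysmon Event ID 1 and flags:
  1. wscript.exe/cscript.exe running a .vbs file, launched by a chat client
     or browser (the WhatsApp Desktop path described in the article);
  2. wscript.exe/cscript.exe running a .vbs file from a Downloads folder
     (the WhatsApp Web path);
  3. any process whose parent is a script host, which is where secondary
     payloads get fetched or installed.
All sample events below are constructed, not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Chat clients and browsers should never hand a .vbs file to a script host.
# Assumed process names; extend for the clients used in your environment.
SUSPICIOUS_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Quoted path first (paths containing spaces), then an unquoted token.
VBS_ARG = re.compile(r'"([^"]+\.vb[se])"|(\S+\.vb[se])\b', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches the chain, else None."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if image in SCRIPT_HOSTS:
        m = VBS_ARG.search(cmd)
        script = (m.group(1) or m.group(2)) if m else None
        if script and parent in SUSPICIOUS_PARENTS:
            return f"{parent} launched {image} to run {script}"
        if script and "\\downloads\\" in script.lower():
            return f"{image} ran a script from the Downloads folder: {script}"
    elif parent in SCRIPT_HOSTS:
        # A script host starting another program is the point at which the
        # secondary stages (UAC bypass, RMM installer) would run.
        return f"{image} spawned by script host {parent}"
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (paths and user name are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\AppData\Local\Temp\Financial Reports.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\Downloads\Accounts Statement.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\ana\AppData\Local\Temp\setup.cmd"'},
    # Benign: an administrator-deployed logon script run from a fixed location.
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" C:\Scripts\logon.vbs'},
    # Benign: ordinary service host start.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The third rule is deliberately broad: a script host starting any child process is rare on end-user machines, so it is worth reviewing even when the child is a normal system binary. On a fleet where signed logon scripts are common, add the script's directory to an allowlist rather than weakening the rule.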
Legitimate Uses of RMM Software
IT professionals use Remote Monitoring and Management software to monitor the state of the IT systems they manage. It's legitimate software. It's signed. It has a trusted reputation.
That's exactly why attackers use it. Security tools are less likely to flag legitimate software. The installation appears normal. The remote access looks like IT administration.
The WhatsApp VBScript malware campaign abuses ManageEngine RMM Central specifically. Other campaigns have used different RMM tools, but the principle is the same: install legitimate software, use it for illegitimate purposes.
Attribution and Infrastructure
The activity remains unattributed. However, researchers identified infrastructure overlaps with prior activity linked to Gh0st RAT and ValleyRAT: the same IP addresses were used in earlier malicious campaigns.
This suggests that the operators behind this campaign have experience with other malware families, with building effective distribution infrastructure, and with evading detection.
What Makes This Campaign Successful
There are several factors that contribute to the success of this VBScript WhatsApp Malware Campaign:
1. Trusted Delivery. The message comes from a person the victim knows and has previously communicated with, whose account has been compromised. This makes the victim far more likely to open the attachment.
2. Legitimate Software. The final payload is a digitally signed RMM (Remote Monitoring and Management) tool, so endpoint security products tend to regard it as safe.
3. Culturally Appropriate Messaging. File names in Portuguese, French, German or Malay add credibility for the intended recipient.
4. No Exploit Needed. The attack does not rely on any software vulnerability; it depends entirely on the user executing the file.
How to Protect Yourself
The WhatsApp VBScript malware campaign relies on users opening unexpected attachments.
How to keep safe:
1. Think twice about any unsolicited file you receive, even from a friend. Your friend's account could be compromised.
2. Before opening a file, ask the friend or family member who sent it where they got it, using a channel other than email or text message.
3. Never open files with the extensions VBS, VBE, EXE, BAT, CMD, JS or PS1 unless you have first confirmed that they are legitimate.
4. Keep WhatsApp (Desktop and Web versions) on the latest build.
5. Monitor for installations of remote monitoring and management software. If you find a ManageEngine RMM Central installation that you did not authorize, assume that system has been compromised.
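Steps 3 and 5 above can both be automated. The following is an added example, not code from the original article: it classifies an attachment name against the extensions the article lists (catching double extensions such as "Invoice_2026.pdf.vbs" and names padded with trailing spaces or dots, which Windows silently strips), and it compares an installed-software inventory against an approved list of remote management tools. On Windows the inventory is read from the registry uninstall keys; elsewhere the constructed sample records are used. The product name in the sample, the RMM_MARKERS substrings and the approved list are assumptions.

```python
"""Attachment-extension check and unexpected-RMM check.

Added example (not from the original article). Sample inventory records
are constructed; RMM_MARKERS and the approved list are assumptions to be
adapted to the organisation.
"""
from typing import Dict, Iterable, List, Optional

BLOCKED_EXTENSIONS = {"vbs", "vbe", "exe", "bat", "cmd", "js", "ps1"}
# Substrings that identify remote management products (assumed; extend as needed).
RMM_MARKERS = ("manageengine", "rmm")


def is_risky_attachment(name: str) -> bool:
    """True if the file's real (last) extension is a script or executable type."""
    # Windows drops trailing spaces and dots when saving a file, so
    # "report.vbs ." is really "report.vbs"; normalise the same way.
    cleaned = name.strip().rstrip(" .").lower()
    parts = cleaned.split(".")
    # Only the last extension counts: "Invoice.pdf.vbs" runs as VBScript.
    return len(parts) > 1 and parts[-1] in BLOCKED_EXTENSIONS


def unexpected_rmm(inventory: Iterable[Dict[str, str]],
                   approved: Iterable[str]) -> List[str]:
    """Names of installed products that look like RMM tools but are not approved."""
    approved_lc = {a.lower() for a in approved}
    hits = []
    for rec in inventory:
        name = rec.get("DisplayName", "")
        lc = name.lower()
        if any(marker in lc for marker in RMM_MARKERS) and lc not in approved_lc:
            hits.append(name)
    return hits


def read_windows_inventory() -> Optional[List[Dict[str, str]]]:
    """Read DisplayName/Publisher from the registry uninstall keys.

    Returns None on non-Windows hosts (the winreg module is absent there).
    """
    try:
        import winreg
    except ImportError:
        return None
    records = []
    paths = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
    for path in paths:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            i = 0
            while True:
                try:
                    sub_name = winreg.EnumKey(root, i)
                except OSError:
                    break  # no more subkeys
                i += 1
                with winreg.OpenKey(root, sub_name) as sub:
                    rec = {}
                    for value in ("DisplayName", "Publisher"):
                        try:
                            rec[value] = winreg.QueryValueEx(sub, value)[0]
                        except OSError:
                            pass  # value not present on this entry
                    if "DisplayName" in rec:
                        records.append(rec)
    return records


# Constructed sample inventory (product and publisher strings are invented).
SAMPLE_INVENTORY = [
    {"DisplayName": "Google Chrome", "Publisher": "sample"},
    {"DisplayName": "ManageEngine RMM Central Agent", "Publisher": "sample"},
    {"DisplayName": "7-Zip 23.01", "Publisher": "sample"},
]

if __name__ == "__main__":
    for fname in ("Financial Reports.vbs", "Invoice_2026.pdf.vbs", "Q3 Report.pdf"):
        print(f"{fname!r}: risky={is_risky_attachment(fname)}")
    inventory = read_windows_inventory() or SAMPLE_INVENTORY
    for product in unexpected_rmm(inventory, approved=[]):
        print(f"unapproved remote management software installed: {product}")
```

The marker matching is intentionally coarse ("rmm" will also match unrelated names); the point is to surface candidates for a human to confirm against the approved list, since a false positive here costs a minute and a miss costs the whole machine.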
The Bottom Line
The WhatsApp VBScript malware campaign is a textbook example of how attackers abuse legitimate tools and trusted platforms. The lure is a business document. The vector is a compromised WhatsApp account. The payload is legitimate RMM software.
The result is persistent remote access to your system.
The attack requires no exploit. Just a click. Be skeptical of attachments. Verify with the sender. And remember: legitimate business documents do not come with .vbs file extensions.
FAQ Section
What is the WhatsApp VBScript malware campaign?
This is a current tactic in which attackers use compromised WhatsApp accounts to deliver malicious VBScript files disguised as business documents. When a target opens the file, it installs a remote access product called "ManageEngine RMM Central" on the victim's computer.
Which countries have been affected?
Countries targeted in this attack are Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. There have been more attacks in Malaysia than in any other country.
What are the steps to becoming infected?
A user receives a WhatsApp message containing a VBScript file as an attachment. Once opened, the VBScript executes and downloads additional payloads: one of the downloaded payloads bypasses User Account Control (UAC), while the other installs ManageEngine RMM Central on the target machine.
Why rely on legitimate RMM software?
Legitimate RMM tools are signed and trusted, and security suites rarely, if ever, flag them as malicious. Attackers exploit these tools to gain remote access without raising suspicion.
How can I keep myself safe?
You should be careful with any unsolicited attachment, even from someone who appears to be known to you. Whenever possible, use a separate method of communication to verify the legitimacy of the sender before opening any VBS, VBE, EXE, BAT, CMD, JS or PS1 file.
Is there a specific organization that is connected to this operation?
No organization has been identified so far. However, researchers have confirmed shared infrastructure with Gh0st RAT and ValleyRAT, which is believed to be involved.