VBScript Malware Campaign Spreads via WhatsApp Messages to Deploy RMM Software
A VBScript malware campaign is actively targeting users in 11 countries through WhatsApp Desktop and Web, using compromised accounts to send malicious .vbs files disguised as financial documents that ultimately install remote monitoring and management software.

In June 2026, a widespread malware campaign was observed distributing malicious VBScript files through direct messages on WhatsApp, affecting users across 11 countries and territories. According to a report from Securelist, the campaign has hit Malaysia hardest, with additional victims in Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. The attack remains active at the time of writing, primarily targeting users of WhatsApp Desktop and WhatsApp Web.
The threat actor relies on social engineering, using deceptive file names that masquerade as legitimate business and financial documents. Examples include "Financial Reports.vbs," "Debt confirmation.vbs," and "Account Statement.vbs." Many file names are localized into Portuguese, French, German, and Malay, suggesting the campaign is tailored to different geographic regions. The messages contain only the malicious attachment with no accompanying text, and evidence from social media posts indicates that compromised WhatsApp accounts are used to distribute the files to the victim's contact list.
Execution of the VBScript file requires two user interactions: first, clicking the attachment in WhatsApp Desktop or Web to download it, and then opening the downloaded file. In WhatsApp Desktop the file is launched from the application itself, so the process tree shows WScript.exe as a child of WhatsApp.Root.exe, a parent-child pair that has no legitimate reason to appear and is worth alerting on. In WhatsApp Web the file is opened from the Downloads folder or from the browser's download list, so the parent is Explorer or the browser. Once executed, the VBScript starts a multi-stage infection chain that ends with the installation of legitimate Remote Monitoring and Management (RMM) software, giving the attacker remote access to the victim's system.
The first stage of the infection chain is a VBS or VBE file that creates a working directory under C:\Users\Public\Documents\ with a randomized name such as "Temp_<random>" or "MSUpdate_<random>". The script then downloads two further VBScript payloads from attacker-controlled infrastructure and runs them with Windows Script Host. Some variants set the hidden and system attributes on the directory and the downloaded files so that they do not show in a default Explorer listing. The scripts are obfuscated and padded with extensive comments and metadata written in Chinese that mimic legitimate Microsoft Windows Update components, referencing modules, certificate validation and system integrity checks.
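The two delivery paths and the stage-1 working directory described above translate directly into hunting rules. The block below is an added example written for this article, not code from the Securelist report or from any vendor product: it runs three rules over constructed records in the shape of Sysmon process-create (Event ID 1) and file-create (Event ID 11) events. The WhatsApp install path, user names, script names and the alphanumeric form of the "<random>" suffix are assumptions.

```python
"""Hunt for WSH launched by WhatsApp Desktop or from Downloads, and for files
dropped into the stage-1 working directory.

Added example: rules and records are constructed for this article; they are
not from the Securelist report. Field names follow Sysmon's Event ID 1
(process create) and Event ID 11 (file create) conventions. Paths, user
names and the <random> suffixes are invented.
"""
import re
from pathlib import PureWindowsPath

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# WhatsApp Desktop launches the script itself; with WhatsApp Web the user
# opens it from the browser's download list or from the Downloads folder.
WHATSAPP_DESKTOP = {"whatsapp.root.exe"}
BROWSERS_AND_SHELL = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# C:\Users\Public\Documents\Temp_<random>\ or MSUpdate_<random>\ ; the
# <random> part is assumed to be alphanumeric.
STAGE1_DIR = re.compile(
    r"C:\\Users\\Public\\Documents\\(?:Temp|MSUpdate)_[A-Za-z0-9]+\\", re.IGNORECASE
)
# A .vbs/.vbe under any user's Downloads folder on the command line.
SCRIPT_IN_DOWNLOADS = re.compile(r"\\Downloads\\[^\\\"]+\.vb[se]\b", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict) -> list:
    """Findings for one process-create record; an empty list means nothing fired."""
    findings = []
    if basename(ev["Image"]) not in WSH_HOSTS:
        return findings
    parent = basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if parent in WHATSAPP_DESKTOP:
        findings.append("wsh_spawned_by_whatsapp_desktop")
    if parent in BROWSERS_AND_SHELL and SCRIPT_IN_DOWNLOADS.search(cmd):
        findings.append("wsh_running_script_from_downloads")
    if STAGE1_DIR.search(cmd):  # second-stage script executed from the working dir
        findings.append("wsh_running_from_stage1_dir")
    return findings


def check_file(ev: dict) -> list:
    """Findings for one file-create record (payloads being dropped into the working dir)."""
    findings = []
    target = ev["TargetFilename"]
    if STAGE1_DIR.search(target):
        findings.append("file_written_to_stage1_dir")
        if target.lower().endswith((".vbs", ".vbe")):
            findings.append("vbscript_dropped_in_stage1_dir")
    return findings


CHECKS = {1: check_process, 11: check_file}


def hunt(events: list) -> dict:
    """Map the index of every event that fired at least one rule to its findings."""
    hits = {}
    for i, ev in enumerate(events):
        found = CHECKS.get(ev["EventID"], lambda _ev: [])(ev)
        if found:
            hits[i] = found
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WhatsApp\WhatsApp.Root.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Financial Reports.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Account Statement.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\MSUpdate_7f3a9c\svc.vbs"'},
    # Benign logon script from a fixed location: none of the rules fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\Public\Documents\Temp_k2p9x1\update.vbe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\Public\Documents\report.docx"},
]

if __name__ == "__main__":
    for index, found in hunt(SAMPLE_EVENTS).items():
        print(index, found)
```

The first rule needs no allow-list at all: a script host whose parent is WhatsApp.Root.exe is anomalous on its own. The Downloads rule is noisier in environments where users legitimately run scripts they downloaded, so it is the one to tune against local baselines.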
At the time of writing, the method used to compromise the WhatsApp accounts is unknown. Because the files arrive from a contact's own account with no accompanying text, they inherit the trust the recipient places in that contact, which is what lets the campaign get past the usual scepticism towards unsolicited attachments. The final payload being legitimate, commercially distributed RMM software that is often allow-listed makes detection harder for antivirus and endpoint protection products: the indicator is not the binary but the context in which it is installed.
The campaign's geographic reach and localized file names point to an operator with the resources to target several regions at once. Users should treat unexpected file attachments on WhatsApp with suspicion even when they come from known contacts, and should confirm with the sender over a different channel before opening them. Organizations should restrict execution of VBScript files, for example by disabling Windows Script Host through the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings or by reassigning the .vbs and .vbe file associations to a text editor, and should alert on RMM agents appearing on hosts where no such tool is sanctioned.
Securelist researchers have since attributed the campaign, with low confidence, to a Chinese-speaking operator, based on the simplified Chinese comments in the VBScript code and on infrastructure overlaps with ValleyRAT and Gh0st RAT. Their follow-up analysis also reports that the attack has spread to more than 13 countries, with Malaysia accounting for roughly 80% of infections, and that the final payload is a legitimate remote management agent (Endpoint Central) installed silently via msiexec.exe after User Account Control has been disabled.
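The final stage described above, and the recommendation earlier on this page to watch for unusual RMM installations, can be caught by correlating two otherwise ordinary events: a registry write that sets EnableLUA to 0, and a silent msiexec.exe install shortly afterwards by the same user or launched directly by a script host. The block below is an added example written for this article, not code from the Securelist report; it works on constructed records in the shape of Sysmon registry value set (Event ID 13) and process create (Event ID 1) events. The 15-minute window, the "YYYY-MM-DD HH:MM:SS" UtcTime format, the user names and the agent.msi file name are assumptions, and the logic deliberately does not depend on which RMM product is being installed.

```python
"""Correlate UAC being switched off with a silent msiexec.exe install.

Added example, not from the Securelist report. Records are constructed in
Sysmon's shape (Event ID 13 registry value set, Event ID 1 process create)
with UtcTime as "YYYY-MM-DD HH:MM:SS"; timestamps, users and the agent.msi
file name are invented. The RMM product name is not part of the logic: the
signal is the context of the install, not the binary.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ENABLE_LUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
INSTALL_FLAG = re.compile(r"(?:^|\s)/(?:i|package)\s", re.IGNORECASE)
SILENT_FLAG = re.compile(r"\s/(?:qn|quiet|q)\b", re.IGNORECASE)
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=15)  # assumed lookback from EnableLUA=0 to the install


def parse_time(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def is_uac_disable(ev: dict) -> bool:
    """Event ID 13 writing EnableLUA with a DWORD value of zero."""
    if ev.get("EventID") != 13 or ev.get("TargetObject", "").lower() != ENABLE_LUA.lower():
        return False
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.IGNORECASE)
    return m is not None and int(m.group(1), 16) == 0


def is_silent_msi_install(ev: dict) -> bool:
    """Event ID 1 for msiexec.exe with an install switch and a quiet/no-UI switch."""
    if ev.get("EventID") != 1 or PureWindowsPath(ev["Image"]).name.lower() != "msiexec.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return bool(INSTALL_FLAG.search(cmd) and SILENT_FLAG.search(cmd))


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """One finding per silent install that was script-launched or preceded by EnableLUA=0."""
    uac_off = []  # (time, user) pairs seen so far, in time order
    findings = []
    for ev in sorted(events, key=parse_time):
        if is_uac_disable(ev):
            uac_off.append((parse_time(ev), ev["User"]))
            continue
        if not is_silent_msi_install(ev):
            continue
        t, reasons = parse_time(ev), []
        if PureWindowsPath(ev["ParentImage"]).name.lower() in WSH_HOSTS:
            reasons.append("silent MSI install launched by Windows Script Host")
        if any(u == ev["User"] and timedelta(0) <= t - t0 <= window for t0, u in uac_off):
            reasons.append("silent MSI install within %d min of EnableLUA=0"
                           % int(window.total_seconds() // 60))
        if reasons:
            findings.append({"time": ev["UtcTime"], "user": ev["User"],
                             "command": ev["CommandLine"], "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 13, "UtcTime": "2026-06-03 09:14:02", "User": r"LAB\alice",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": ENABLE_LUA, "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "UtcTime": "2026-06-03 09:14:40", "User": r"LAB\alice",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\Public\Documents\Temp_k2p9x1\agent.msi" /qn'},
    # Routine silent install by an admin from a console, UAC untouched: not flagged.
    {"EventID": 1, "UtcTime": "2026-06-03 10:02:11", "User": r"LAB\bob",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec.exe /i C:\pkgs\tool.msi /qn"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["reasons"])
```

Either reason on its own is enough to raise a ticket; both together, as in the first sample, is the pattern this page describes. An environment that pushes software silently through a deployment tool will see many silent msiexec runs, which is why the rule keys on the parent process and on the preceding EnableLUA write rather than on silent installs alone.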