WhatsApp Phishing Campaign Uses Compromised Accounts and ManageEngine to Deploy RATs
A global malware campaign is hijacking WhatsApp accounts to send malicious VBScript files disguised as business documents, ultimately installing remote access trojans via the legitimate ManageEngine Endpoint Central tool.

An ongoing malware campaign is targeting WhatsApp users across at least 11 countries, using compromised accounts to distribute malicious VBScript files disguised as business documents. According to telemetry from Kaspersky, the attack chain ultimately delivers remote access trojans (RATs) by abusing the legitimate ManageEngine Endpoint Central software, a tool used by IT administrators for centralized system management.
The attack begins when a victim receives a message from a compromised contact containing only a heavily obfuscated VBScript file. The file is given a name designed to appear as a financial report, billing statement, or account notice, often localized in the recipient's language. Kaspersky reports that the exact method used to compromise the initial WhatsApp accounts remains unknown, but the attackers have successfully leveraged these accounts to spread the malware to the victims' contact lists.
If the victim downloads and opens the file on Windows, the VBScript fetches two additional scripts from the attacker's infrastructure. These scripts disable User Account Control (UAC) protections through Registry modifications and download a ZIP archive containing the ManageEngine Endpoint Central program. The software is then silently installed in the background and configured to connect to attacker-controlled management servers, granting the threat actors remote administration access to the victim's computer.
Kaspersky notes that the delivery mechanism varies depending on the WhatsApp client used. When the VBScript file is sent via WhatsApp Web, the victim must manually download it. However, when opened in the WhatsApp Desktop client, the file can be executed directly via Windows Script Host (wscript.exe), lowering the barrier to infection.
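The two host-side observables the article describes, a script host launched by the messaging client and UAC being switched off through the registry, are things an endpoint telemetry pipeline can flag. The following detector is an added example, not code from the article or from Kaspersky; it runs over constructed Sysmon-style event records, and the process name `WhatsApp.exe` and the registry values `EnableLUA` / `ConsentPromptBehaviorAdmin` are assumptions (the article does not name the exact process or registry keys involved).

```python
"""Added example: flag two behaviours described in the article over
constructed Sysmon-style events. Not the article's or Kaspersky's code."""
from pathlib import PureWindowsPath

# Assumed process name of the WhatsApp Desktop client (not stated in the article).
MESSAGING_PARENTS = {"whatsapp.exe"}
# Windows Script Host binaries that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Well-known UAC policy values; the article only says UAC was disabled via the registry.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}
UAC_KEY_FRAGMENT = "\\policies\\system\\"

# Constructed sample telemetry in a simplified Sysmon-like shape (not real data).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Relatorio_Financeiro.vbs"'},
    {"EventType": "RegistrySetValue", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventType": "RegistrySetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def rule_script_host_from_messenger(ev):
    """wscript/cscript spawned by the messaging client with a .vbs argument."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if _basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    if _basename(ev.get("ParentImage", "")) not in MESSAGING_PARENTS:
        return None
    if ".vbs" not in ev.get("CommandLine", "").lower():
        return None
    return "script_host_spawned_by_messenger"


def rule_uac_disabled(ev):
    """A UAC policy value under Policies\\System written as zero."""
    if ev.get("EventType") != "RegistrySetValue":
        return None
    key = ev.get("TargetObject", "")
    if UAC_KEY_FRAGMENT not in key.lower():
        return None
    if key.rsplit("\\", 1)[-1].lower() not in UAC_VALUES:
        return None
    # Sysmon renders DWORD data as "DWORD (0x00000000)"; zero disables the control.
    if "0x00000000" not in ev.get("Details", ""):
        return None
    return "uac_disabled_via_registry"


RULES = (rule_script_host_from_messenger, rule_uac_disabled)


def detect(events):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"index": idx, "rule": name, "image": ev.get("Image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Matching on the parent process rather than on the script's file name keeps the rule independent of the localized, document-like names the article says the attackers use; the registry rule is deliberately narrow (policy value set to zero) so that routine hardening writes of `1` do not fire.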
The campaign has been observed spreading across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. While Kaspersky does not attribute the attacks to a specific threat actor with high confidence, researchers found signs of Chinese language use and infrastructure overlap with IPs previously associated with ValleyRAT and Gh0st RAT activity.
This campaign highlights a growing trend of attackers abusing legitimate remote management tools for malicious purposes, a technique known as "living off the land" (LotL). By using ManageEngine Endpoint Central, the attackers can blend in with normal administrative activity, making detection more difficult for security teams. WhatsApp users are advised to treat files sent by contacts, even trusted ones, with caution and to always verify them through secondary means before opening.