WhatsApp Malware Campaign Targets Users With Fake Business Documents
A large-scale malware campaign is targeting WhatsApp users across several countries, using compromised accounts to distribute malicious files disguised as legitimate business and financial documents.
According to cybersecurity researchers at Kaspersky, the campaign has affected users in Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. Because the messages are sent from compromised accounts, they arrive from contacts the recipient already knows, which increases the likelihood that recipients will open the attached files.
How the WhatsApp Malware Campaign Operates
The malicious attachments are VBScript files disguised as reports, billing statements, account notices, and other business-related documents. Researchers observed the files in multiple languages, suggesting that the operation targets victims worldwide rather than focusing on a single region.
Kaspersky believes the campaign spreads through compromised WhatsApp accounts. Once an account gets taken over, attackers use it to send malicious files to the victim’s contacts. The exact method used to compromise the WhatsApp accounts remains unknown.
If a Windows user downloads and opens one of the VBScript files, the infection chain begins. The script contacts attacker-controlled infrastructure and downloads additional malicious components. These secondary scripts then modify Windows Registry settings to weaken User Account Control (UAC), lowering the barrier to the privileged actions the attackers take later on the compromised system.
The malware subsequently downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate remote management tool commonly used by IT administrators. In this campaign, however, attackers abuse the software to establish remote access to infected computers.
Researchers found that the software installs silently and communicates with attacker-controlled management servers, effectively giving threat actors control over the victim’s machine.
The infection method differs slightly depending on which WhatsApp client is used. Kaspersky noted that with WhatsApp Web the user must first save the malicious file and then open it before it can execute. The WhatsApp Desktop application, in contrast, may hand the file straight to Windows Script Host (the default handler for .vbs files on Windows), potentially reducing the number of steps required for infection.
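As an added example (not code from the article, from Kaspersky, or from WhatsApp), the following PowerShell script audits a Windows host for the three conditions the chain above relies on: weakened UAC policy values, Windows Script Host being able to run double-clicked .vbs files, and an unexpected ManageEngine Endpoint Central footprint. With the -Harden switch it also restores the UAC values and disables Windows Script Host. It assumes the standard UAC and WSH registry locations; the article does not name the exact values the malware changes, so the script checks the usual ones. It also assumes the Endpoint Central agent registers under the standard Uninstall keys or as a Windows service, and that a .vbs file in a Downloads folder is worth a look; an installed agent is only a finding if your organization does not use the product.

```powershell
<#
Added example, not from the article or Kaspersky's report. Audit (and with -Harden, fix)
the conditions the WhatsApp VBScript chain depends on. Run from an elevated PowerShell.
Assumptions: standard UAC and Windows Script Host policy keys; Endpoint Central registers
in the Uninstall keys or as a service. Changing EnableLUA takes effect after a reboot.
#>
[CmdletBinding()]
param([switch]$Harden)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. UAC policy values: a 0 in any of these weakens or disables UAC ---
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacSecure = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 5   # administrators are prompted for consent (Windows default)
    PromptOnSecureDesktop      = 1   # the prompt is shown on the secure desktop
}
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $uacSecure.Keys) {
    $current = $uac.$name
    # A missing value means the Windows default applies, so only an explicit 0 is a finding.
    if ($null -ne $current -and $current -eq 0) {
        $findings.Add("UAC weakened: $name = 0 (expected $($uacSecure[$name]))")
        if ($Harden) {
            Set-ItemProperty -Path $uacKey -Name $name -Value $uacSecure[$name] -Type DWord
        }
    }
}

# --- 2. Windows Script Host, the default handler for .vbs files ---
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wshEnabled = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $wshEnabled -or $wshEnabled -ne 0) {
    $findings.Add('Windows Script Host is enabled: a double-clicked .vbs file will run')
    if ($Harden) {
        if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
        # Enabled = 0 blocks wscript.exe/cscript.exe machine-wide; logon scripts that use WSH will break.
        Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord
    }
}

# --- 3. ManageEngine Endpoint Central footprint (installed product or service) ---
$pattern = 'ManageEngine|Endpoint Central'
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    ForEach-Object { $findings.Add("Installed product: $($_.DisplayName) (InstallDate $($_.InstallDate))") }
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern -or $_.Name -match $pattern } |
    ForEach-Object { $findings.Add("Service present: $($_.Name) [$($_.Status)]") }

# --- 4. Recently written .vbs files in any user's Downloads folder ---
Get-ChildItem -Path "$env:SystemDrive\Users\*\Downloads" -Filter *.vbs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-14) } |
    ForEach-Object { $findings.Add("Recent .vbs in Downloads: $($_.FullName) ($($_.LastWriteTime))") }

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it without -Harden first to see what it would change. Disabling Windows Script Host is the blunt but effective control against the "launch directly from WhatsApp Desktop" path, since the script then never executes regardless of how it reached disk; if your environment depends on VBScript logon scripts, reassociating .vbs with a text editor is the narrower alternative.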
Attribution Remains Unclear
Kaspersky has not linked the campaign to a specific threat actor. While researchers discovered indications of Chinese-language usage and some infrastructure overlaps with activity previously associated with ValleyRAT and Gh0st RAT operations, they emphasized that the available evidence is insufficient for confident attribution.
As a result, the campaign’s operators remain unidentified.
Users Urged To Verify Unexpected Files
Security experts recommend treating unexpected file attachments with caution, even when they appear to come from trusted contacts. Users should verify suspicious files through a separate communication channel before opening them and ensure that their security software remains fully updated.
In related cybersecurity developments, Microsoft recently patched the AutoGen Studio “AutoJack” vulnerability chain and attributed the Mastra AI npm supply chain attack to foreign threat actors. Meanwhile, researchers have also warned about the Prinz Eugen ransomware operation, which has been targeting businesses through manual intrusion techniques.
Via BleepingComputer