WhatsApp Malware Campaign Uses Malicious VBS Files to Gain Persistent Access

CSO Online, Apr 1, 2026

Why It Matters

The abuse of a ubiquitous messaging platform and trusted Windows tools creates a low‑noise, hard‑to‑detect attack vector, threatening enterprise endpoints and data integrity. Organizations must adapt detection strategies to monitor script execution and installer misuse.

Key Takeaways

  • WhatsApp messages deliver malicious VBS files
  • VBS scripts run renamed copies of legitimate Windows tools
  • Attackers host payloads on AWS, Tencent Cloud, Backblaze B2
  • MSI installers provide persistent backdoor access
  • Detection relies on filename‑metadata mismatches

Pulse Analysis

WhatsApp’s global reach makes it an attractive conduit for threat actors seeking to bypass traditional email filters. By embedding VBS files in seemingly innocuous chats, attackers exploit users’ trust in personal messaging, prompting execution through social engineering. Once run, the script initiates a delayed, multi‑stage infection that mimics normal system activity, allowing it to remain under the radar while it prepares the environment for deeper compromise.

The campaign’s core stealth comes from living‑off‑the‑land tactics. Renamed copies of native Windows utilities such as curl.exe and bitsadmin.exe retain their original metadata, but their deceptive filenames help them blend into legitimate processes. Payloads are fetched from reputable cloud platforms—including Amazon Web Services, Tencent Cloud, and Backblaze B2—further obscuring malicious traffic. This combination of trusted tools and infrastructure produces a low‑noise footprint that challenges conventional signature‑based defenses.

Persistence is achieved through malicious Microsoft Installer (MSI) packages, which can execute custom actions during installation without raising suspicion. These MSI backdoors not only maintain long‑term access but also enable privilege escalation, granting attackers elevated control over the host. Enterprises should prioritize monitoring script launches, scrutinizing unexpected installer activity, and correlating file name discrepancies with embedded metadata. Adapting security policies to these nuanced indicators will help mitigate the growing risk posed by cross‑platform malware campaigns that leverage everyday communication apps.
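The filename-versus-metadata check recommended above, as an added illustration that is not code from the article or from CSO Online: it runs over Sysmon-style process-creation events (Event ID 1 field names Image, OriginalFileName, ParentImage), flags a process whose on-disk name differs from the PE OriginalFileName of curl.exe or bitsadmin.exe, and also flags a script host (wscript.exe or cscript.exe) launching those tools or msiexec.exe. The sample events are constructed for this example.

```python
"""Flag renamed native Windows tools in Sysmon-style process-creation events."""
import json
from pathlib import PureWindowsPath

# Native utilities the article says the campaign renames; matched on the
# PE OriginalFileName, which survives renaming the file on disk.
LOLBINS = {"curl.exe", "bitsadmin.exe"}
# Script hosts that execute the delivered .vbs file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Windows\\System32\\curl.exe","OriginalFileName":"curl.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"Image":"C:\\Users\\Public\\svchost.exe","OriginalFileName":"curl.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}',
    r'{"Image":"C:\\Users\\Public\\update.exe","OriginalFileName":"bitsadmin.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}',
    r'{"Image":"C:\\Windows\\System32\\msiexec.exe","OriginalFileName":"msiexec.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}',
    r'{"Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","ParentImage":"C:\\Windows\\explorer.exe"}',
]


def analyze(event: dict) -> list[str]:
    """Return the detection reasons that apply to one event (empty if benign)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    # Sysmon records "-" when the binary carries no version resource.
    original = event.get("OriginalFileName", "-").lower()
    findings = []
    # Rule 1: the on-disk name does not match the embedded OriginalFileName.
    if original in LOLBINS and image != original:
        findings.append(f"renamed {original} running as {image}")
    # Rule 2: a script host launched a download tool or the MSI installer.
    if parent in SCRIPT_HOSTS and original in LOLBINS | {"msiexec.exe"}:
        findings.append(f"{parent} spawned {original} (as {image})")
    return findings


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Run analyze() over JSON event lines; returns (Image, reason) pairs."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        for reason in analyze(event):
            alerts.append((event.get("Image", ""), reason))
    return alerts


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {image}")
```

Matching on OriginalFileName rather than the process name is what makes the second rule survive the renaming described in the article.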
