TempMail Ninja

Malicious VBScript Campaign Exploits WhatsApp to Hijack Windows Systems


In the evolving landscape of modern cyber crimeware, threat actors are increasingly shifting away from high-friction entry points—such as cold-phishing emails—to exploit high-trust peer-to-peer communication networks. A prominent example of this operational shift is an active, highly evasive malicious VBScript campaign targeting Windows endpoints. First observed in detail by security researchers on June 22, 2026, this campaign leverages compromised WhatsApp accounts to distribute malicious files across established contacts on WhatsApp Web and WhatsApp Desktop. By utilizing native Windows scripting engines, living-off-the-land (LotL) techniques, and legitimate Remote Monitoring and Management (RMM) software, threat actors bypass traditional endpoint detection and response (EDR) platforms. This editorial article deconstructs the campaign’s social engineering mechanisms, multi-stage infection chain, and the defensive countermeasures required to protect modern enterprise environments.

The Social Engineering Engine: Leveraging Peer-to-Peer Trust on WhatsApp

Traditional phishing campaigns frequently rely on cold emails sent from lookalike or external domains, which are regularly neutralized by secure email gateways (SEGs) and modern behavioral filters. To circumvent these boundary controls, the threat actors orchestrating this active malicious VBScript campaign exploit established human-to-human trust networks. Rather than targeting users with cold outreach, the operators hijack legitimate, existing WhatsApp accounts through unknown mechanisms. Once inside, they silently broadcast malicious attachments directly to the compromised accounts’ contact lists. Because these files appear to originate from known, trusted business colleagues, friends, or family members, the psychological barrier of suspicion is heavily compromised, and the recipient is far more likely to download and execute them.

To further minimize the chance of detection, the threat actors distribute these attachments with absolutely no accompanying text. The absence of suspicious conversational patterns or typical phishing verbiage prevents automated natural-language-processing (NLP) security filters from flagging the interaction. Instead, the lure relies purely on the naming conventions of the files themselves, which are crafted to mimic routine corporate and financial documents. Common observed filenames include:

  • Financial Reports.vbs
  • Debt Statement.vbs
  • Account Statement.vbs
  • Outstanding Payment List.vbs

To maximize regional effectiveness, the operators localize these filenames into multiple languages, including English, Portuguese, French, German, and Malay. Telemetry indicates that the campaign has been particularly aggressive in Malaysia, where threat actors have also utilized fake recruitment lures. For instance, malicious posters advertising fake government job openings (“Jawatan Kosong”) are published on social media platforms like Threads. Clicking these advertisements redirects victims to an automated WhatsApp session where the malicious VBScript files are delivered directly by the threat actors, establishing a highly targeted localized distribution channel.
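The delivery pattern described in this section (a Windows Script Host file, written to disk by WhatsApp Desktop or by the browser running WhatsApp Web, whose name mimics a financial document) is something a defender can score from ordinary file-creation telemetry. The following triage helper is an added example written for this article, not code from the researchers or from TempMail Ninja. It generalizes slightly beyond the text: it also treats `.vbe` (encoded VBScript) as in scope, and its non-English lure keywords are illustrative translations chosen for the example, not observed indicators. The process image names and the sample events are likewise constructed.

```python
"""Triage helper for script attachments delivered through WhatsApp Desktop/Web.

Constructed example, not from the article: scores file-creation events (the
kind an EDR or Sysmon FileCreate record provides) and flags Windows Script
Host files whose names resemble the financial-document lures described above.
"""
import unicodedata
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Extensions that Windows hands to wscript.exe on double-click. The campaign
# uses .vbs; .vbe is the encoded form of the same language (generalization).
SCRIPT_EXTENSIONS = {".vbs", ".vbe"}

# Processes that write attachments for WhatsApp Desktop and for WhatsApp Web
# (browser downloads). Assumed image names for this example, lower-cased.
MESSENGER_WRITERS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Lure keywords. The English entries come from the filenames listed in the
# article; the other languages are illustrative translations assumed for this
# example, not indicators reported by the researchers.
LURE_KEYWORDS = [
    "financial report", "debt statement", "account statement", "outstanding payment",  # English
    "relatorio financeiro", "extrato", "pagamento pendente",                           # Portuguese (assumed)
    "rapport financier", "releve de compte", "paiement en attente",                    # French (assumed)
    "finanzbericht", "kontoauszug", "offene zahlungen",                                # German (assumed)
    "penyata akaun", "laporan kewangan", "bayaran tertunggak",                         # Malay (assumed)
]


def _normalize(name: str) -> str:
    """Lower-case and strip diacritics so 'Relatório' matches 'relatorio'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


@dataclass
class FileCreateEvent:
    writer_image: str  # process that created the file, e.g. C:\...\WhatsApp.exe
    target_path: str   # full path of the created file


@dataclass
class Alert:
    path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_event(event: FileCreateEvent) -> Optional[Alert]:
    """Return an Alert for a script file, or None for anything else.

    Score: 1 for the extension alone, +2 if a messenger/browser wrote it,
    +2 if the filename carries a financial lure keyword (max 5).
    """
    target = PureWindowsPath(event.target_path)
    ext = target.suffix.lower()
    if ext not in SCRIPT_EXTENSIONS:
        return None  # not a Windows Script Host file; out of scope here

    alert = Alert(path=event.target_path, score=1,
                  reasons=[f"script extension {ext} runs via wscript.exe on double-click"])

    writer = PureWindowsPath(event.writer_image).name.lower()
    if writer in MESSENGER_WRITERS:
        alert.score += 2
        alert.reasons.append(f"written by messenger/browser process {writer}")

    stem = _normalize(target.stem)
    for keyword in LURE_KEYWORDS:
        if keyword in stem:
            alert.score += 2
            alert.reasons.append(f"filename matches financial lure keyword '{keyword}'")
            break
    return alert


def triage(events: List[FileCreateEvent]) -> List[Alert]:
    """Alerts for every script file among the events, highest score first."""
    alerts = [a for a in (score_event(e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample telemetry: two lure-style downloads, one benign PDF, and
# an administrator's own script saved from Notepad (low score, still listed).
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe",
                    r"C:\Users\alice\Downloads\Financial Reports.vbs"),
    FileCreateEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\Downloads\Relatório Financeiro.vbs"),
    FileCreateEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\Downloads\Q2 summary.pdf"),
    FileCreateEvent(r"C:\Windows\System32\notepad.exe",
                    r"C:\Scripts\inventory.vbs"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.score}] {alert.path}")
        for reason in alert.reasons:
            print(f"      - {reason}")
```

In practice the scoring thresholds belong in the SIEM rule rather than the script, but the shape of the logic is the point: the two cheap signals the campaign leaves (a double-click-executable script extension and a messenger process as the writer) are high-confidence on their own, and the lure keyword list only adds context for the analyst, since the operators rotate names and languages.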

Deconstructing the Multi-Stage Infection Chain

Written by TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.