Microsoft says a campaign that began in late February 2026 has used WhatsApp messages to spread malicious Visual Basic Script files, starting an infection chain that can establish persistence and remote access on victim systems.
KEY FACTS
- Delivery method: Malicious VBS files were sent through WhatsApp messages.
- Initial activity: The scripts create hidden folders in C:\ProgramData and drop renamed Windows utilities.
- Infrastructure: Payloads are fetched from AWS, Tencent Cloud and Backblaze B2.
- Impact: The chain can weaken UAC settings and install MSI packages for persistent access.
A technical analysis from the Microsoft Defender Security Research Team said the activity relies on social engineering and living-off-the-land techniques. It described renamed Windows tools, including curl.exe and bitsadmin.exe, being used to blend in with normal system activity.
The report said the campaign creates hidden folders in C:\ProgramData and uses those renamed binaries to download additional VBS files from cloud services. It is not yet known what lures the attackers used to persuade people to run the scripts.
Once the secondary payloads are in place, the malware attempts to tamper with User Account Control settings, repeatedly launches cmd.exe with elevated privileges and modifies registry entries under HKLM\Software\Microsoft\Win. Microsoft said those steps help the infection survive reboots.
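As an added illustration of how a defender might check for the two behaviours described above (renamed Windows utilities dropped in hidden folders under C:\ProgramData, and weakened UAC settings), the following PowerShell script is example code and not part of Microsoft's report; the UAC policy key it reads is the standard Windows location, not a path quoted in the report, and the renamed-binary check produces candidates for triage rather than confirmed detections.

```powershell
# Added example, not from Microsoft's report: hunt for renamed Windows utilities
# under C:\ProgramData and report the current UAC policy values.
$Root = 'C:\ProgramData'

function Get-RenamedUtilities {
    param([string]$Path = $Root)
    # -Force includes hidden files and folders. A legitimate Windows binary carries its
    # real name in the PE version resource (OriginalFilename); a renamed curl.exe or
    # bitsadmin.exe will show a mismatch between that field and the on-disk name.
    Get-ChildItem -Path $Path -Recurse -Force -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            if ($orig -and ($orig -ne $_.Name)) {   # -ne is case-insensitive in PowerShell
                $parent = Get-Item -LiteralPath $_.DirectoryName -Force
                [PSCustomObject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    HiddenParent     = (($parent.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Signature        = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
        }
}

function Get-UacState {
    # Standard UAC policy location (general Windows knowledge, assumed here, not quoted by the report).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        EnableLUA                  = $p.EnableLUA                  # 0 disables UAC entirely
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 elevates without prompting
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop      # 0 allows prompt spoofing
        Weakened = ($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0) -or
                   ($p.PromptOnSecureDesktop -eq 0)
    }
}

# Renamed binaries sitting in a hidden folder, signed by Microsoft, are the pattern
# described in the report; review each hit before acting on it.
Get-RenamedUtilities | Where-Object HiddenParent | Format-Table -AutoSize
Get-UacState
```

Run from an elevated prompt so hidden folders and the HKLM key are readable; compare the UAC values against a known-good baseline rather than treating any single value as proof of compromise.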
The disclosure said the campaign can also deploy unsigned MSI installers and tools such as AnyDesk, which can give attackers persistent remote access and a path to steal data or install more malware.
WHY IT MATTERS
The activity combines a common messaging app, legitimate Windows utilities and cloud hosting in a way that can make detection harder. That can increase the chance that malicious files are opened and that infected systems remain under attacker control.