Microsoft Warns Attackers Are Using WhatsApp Messages To Deliver Remote Access Malware

Fake document requests sent via WhatsApp deliver malware that could take over your device

Published on Apr 1, 2026

Microsoft Defender Experts have identified an active malware campaign, first observed in late February 2026, that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files.

The attack chain combines social engineering with living-off-the-land techniques, using legitimate Windows tools in renamed form to hide payloads within normal system activity and to establish persistence and remote access.

According to the tech giant, the campaign begins when victims execute VBS files received via WhatsApp. These scripts create hidden directories, then drop renamed copies of standard Windows utilities (for example, a copy of curl.exe saved as netapi.dll) so that the malicious activity blends into normal system operations.

The scripts then use these renamed tools to retrieve secondary payloads from trusted cloud platforms, including AWS S3, Tencent Cloud, and Backblaze B2, to make malicious downloads harder to find among routine enterprise traffic.

Remote Access and Privilege Escalation

Microsoft also says the malware tampers with User Account Control (UAC) settings and attempts to launch elevated cmd.exe instances in an effort to obtain higher privileges.

The final phase delivers unsigned Microsoft Installer (MSI) packages, including files masquerading as legitimate programs such as AnyDesk and WinRAR. Once installed, these tools can provide persistent remote access, as well as enabling data theft or further malware deployment.

Microsoft recommended that organizations block script host execution (wscript, cscript) in untrusted paths, monitor for renamed binaries with mismatched Portable Executable (PE) metadata (for example, a file whose on-disk name does not match the OriginalFilename recorded in its version resource), and inspect cloud-bound traffic for unauthorized downloads.
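The renamed-binary and UAC checks described above, as an added PowerShell hunting example that is not part of Microsoft's report or this article. It relies on the fact that a binary copied under a new name keeps the OriginalFilename recorded in its PE version resource, so a "netapi.dll" whose version info says curl.exe stands out; it also reads the UAC policy values the malware is reported to tamper with. The search roots, the watch list of utilities and the output shape are my own assumptions.

```powershell
# Added example, not code from Microsoft's report. Search roots, watch list and
# output fields are assumptions for illustration.

$SearchRoots = @(
    "$env:LOCALAPPDATA",
    "$env:APPDATA",
    "$env:PUBLIC",
    "$env:ProgramData",
    "$env:TEMP"
)

# Utilities that earn a high-severity hit when found under a different name (assumed list).
$WatchList = @('curl.exe', 'certutil.exe', 'bitsadmin.exe', 'msiexec.exe',
               'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe', 'rundll32.exe')

function Find-RenamedBinary {
    param([string[]]$Roots, [string[]]$OriginalNames)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force descends into hidden directories, which the VBS stage is reported to create.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                # Cheap PE check on the "MZ" header, so the hunt does not depend on an
                # .exe/.dll extension that the attacker chooses.
                $hdr = New-Object byte[] 2
                try {
                    $fs = [IO.File]::OpenRead($file.FullName)
                    try { $n = $fs.Read($hdr, 0, 2) } finally { $fs.Dispose() }
                } catch { return }
                if ($n -lt 2 -or $hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return }

                $vi = $file.VersionInfo
                if ([string]::IsNullOrWhiteSpace($vi.OriginalFilename)) { return }
                # OriginalFilename is the name the build recorded; -ne is case-insensitive.
                if ($vi.OriginalFilename -ne $file.Name) {
                    $sev = if ($OriginalNames -contains $vi.OriginalFilename) { 'High' } else { 'Low' }
                    [pscustomobject]@{
                        Severity         = $sev
                        Path             = $file.FullName
                        OnDiskName       = $file.Name
                        OriginalFilename = $vi.OriginalFilename
                        Company          = $vi.CompanyName
                        HiddenDir        = (($file.Directory.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                        Sha256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

function Test-UacTampering {
    # UAC policy lives under this key; the malware is reported to tamper with it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # Defaults on a client: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
    # EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without prompting.
    # A missing value is treated as suspicious here, since all three exist on a default install.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Weakened                   = ($p.EnableLUA -ne 1) -or
                                     ($p.ConsentPromptBehaviorAdmin -eq 0) -or
                                     ($p.PromptOnSecureDesktop -ne 1)
    }
}

Test-UacTampering | Format-List
Find-RenamedBinary -Roots $SearchRoots -OriginalNames $WatchList |
    Sort-Object Severity -Descending |
    Format-Table Severity, OnDiskName, OriginalFilename, Company, Path -AutoSize
```

Low-severity mismatches are common on a clean machine (installers and MUI files often carry a different OriginalFilename), so triage the High rows first; the SHA256 column is there so a hit can be compared against the known hash of the genuine utility in System32.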

Enabling Endpoint Detection and Response (EDR) in block mode, activating tamper protection, and applying attack surface reduction rules targeting obfuscated scripts and VBScript-launched executables can further harden environments.
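Turning on the two attack surface reduction rules that the recommendation refers to, and confirming that they took effect, as an added PowerShell example that is not from Microsoft's report. The rule GUIDs are the ones in Microsoft's published ASR rules reference and should be checked against the current list before use; the audit-first rollout and the helper function names are my own suggestions.

```powershell
# Added example, not from Microsoft's report. GUIDs are from Microsoft's ASR rules
# reference; verify against the current reference before deploying.
$Rules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrRules {
    param(
        [hashtable]$RuleTable,
        [ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Action
    )
    foreach ($id in $RuleTable.Keys) {
        # Add-MpPreference adds or updates one rule without clearing the others.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    param([hashtable]$RuleTable)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $RuleTable.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                # Action codes as reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
                $state = switch ([int]$acts[$i]) {
                    0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
                }
                break
            }
        }
        [pscustomobject]@{ State = $state; Rule = $RuleTable[$id]; RuleId = $id }
    }
}

# Roll out in audit first, review the ASR events for false positives (Event ID 1122 = audited,
# 1121 = blocked, in the Microsoft-Windows-Windows Defender/Operational log), then re-run
# with -Action Enabled.
Set-AsrRules -RuleTable $Rules -Action AuditMode
Get-AsrRuleState -RuleTable $Rules | Format-Table -AutoSize
```

Both cmdlets need an elevated session, and settings pushed by Intune or Group Policy will override what Add-MpPreference sets locally, so in a managed fleet apply the same rules through the management channel and use this script only to verify the effective state on an endpoint.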

Finally, security teams should also train employees to treat unexpected WhatsApp attachments with the same caution as email-borne threats, reinforcing that trusted messaging platforms are increasingly used as initial access vectors.