Malware | Jun 22, 2026

A VBScript campaign distributed through WhatsApp deploying RMM software

VBScript campaign uses WhatsApp to deploy RMM software via multi-stage infection.

Summary

A global malware campaign is distributing malicious VBScript files through WhatsApp, targeting users of WhatsApp Desktop and Web. The threat actor uses deceptive financial-themed file names to trick recipients into executing the scripts, which then initiate a multi-stage infection chain. This ultimately installs legitimate Remote Monitoring and Management (RMM) software, granting the attacker remote access to the victim's system.

Full text

Table of Contents

  • Social engineering through financial-themed file names
  • Delivery of the initial VBScript file
  • Technical analysis
    • Stage 1: Initial VBScript execution
    • Stage 2: Execution of secondary VBScript payloads
      • VBS script 1: UAC configuration modification
      • VBS script 2: ZIP download and script execution
    • Stage 3: Installation of remote monitoring and management software
  • Victimology and attribution
  • Conclusion
  • IOCs
    • VBScript
    • Domains
    • Attacker-controlled UEMS server IP Address

Author: Fareed Radzi

In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp. The campaign affected users across multiple countries and territories, including Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia and Vietnam, with the highest number of victims observed in Malaysia. At the time of writing, the campaign is still active.

Analysis shows that the campaign primarily targets users of WhatsApp Desktop and WhatsApp Web. The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment. Once executed, the VBScript initiates a multi-stage infection chain that ultimately results in the installation of legitimate Remote Monitoring and Management (RMM) software, enabling remote access to the victim's system.

Figure: Overview of the WhatsApp-based VBScript infection chain

We came across a number of social media posts reporting that the malware was being distributed by the users' own contacts. The messages contained only the malicious attachment and no accompanying text. One account sent the same attachment to multiple contacts from its contact list.

Figure: WhatsApp messages containing the malicious VBScript file observed across multiple accounts. Source: alleged victims' posts on social media

Based on evidence collected from multiple victims through social media reports and submitted samples, we conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to the contacts of the compromised users. At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.

Social engineering through financial-themed file names

Analysis of the samples revealed that the threat actor relied heavily on social engineering through deceptive file names designed to look like legitimate business and financial documents. The file names frequently referenced invoices, account statements, debt notices, payment records and bank statements. Examples include:

  • Financial Reports.vbs
  • Debt confirmation.vbs
  • Statement of Debt(30K).vbs
  • Outstanding Payment List.vbs
  • Account Statement.vbs
  • Debt Statement.vbs
  • Billing Statement (2).vbs
  • Promissory_Note(b).vbs

Several file names were also localized into other languages, including Portuguese, French, German and Malay. Examples include:

  • Extrato de Conciliação.vbs (Portuguese: "Reconciliation statement")
  • Aviso de dívida.vbs (Portuguese: "Debt notice")
  • Le formulaire de demande le plus récent.vbs (French: "The most recent application form")
  • Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs (German: "Please fill in the form for zero-rated VAT sales")
  • Penyata bank.vbs (Malay: "Bank statement")
  • Sila semak bil anda.vbs (Malay: "Please check your bill")

The use of multiple languages further suggests that the campaign targets victims across different geographic regions.

In addition, the VBScript samples contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components. Many of these comments are written in Chinese and reference Windows Update modules, certificate validation, system integrity checks and deployment-related functionality. The screenshot below shows an example of the Windows Update-themed comments and Chinese-language annotations embedded in one of the analyzed scripts.
Figure: Windows Update-themed and Chinese-language comments observed across multiple Stage 1 VBScript variants

Delivery of the initial VBScript file

Analysis of telemetry collected from the systems where the malware was executed, combined with dynamic analysis of the sample, showed that the VBScript is launched through Windows Script Host (WScript.exe), which then retrieves and executes the additional VBScript components needed for the later stages of the attack.

Two user interactions are needed to initiate the infection chain. When the user first clicks the attachment in either WhatsApp Desktop or WhatsApp Web, it is downloaded to their machine. To launch the script, they then have to open the downloaded file. In WhatsApp Desktop, the script is executed directly from within the application by clicking the file icon a second time or by choosing "Open" in the chat. Process tree analysis shows that WScript.exe is spawned by WhatsApp.Root.exe. The executed script was observed inside WhatsApp Desktop's attachment storage directory, with the following command line:

"C:\Windows\System32\WScript.exe" "C:\Users\<username>\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\Sessions\<session_identifier>\Transfers\<YYYY-MM>\financial reports(s).vbs"

This parent-child relationship confirms that the malicious VBScript was executed directly from the WhatsApp Desktop client. In contrast, when the attachment is received through WhatsApp Web, the user has to launch the script by opening the downloaded file from the Downloads folder or from the browser's download history. In the first case the malware's parent process is explorer.exe; in the second it is the browser in which the web app was opened.
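The three launch paths described above (WScript.exe spawned by WhatsApp.Root.exe from the WhatsApp Desktop Transfers directory, by explorer.exe from the Downloads folder, or by the browser that hosted WhatsApp Web) translate directly into a process-creation hunt. The following Python is an added example and not code from the article: it assumes a normalised event schema with parent_image, image and command_line fields (not any specific EDR product's format), the browser list is an assumed one, and the sample events are constructed, with the first reusing the command line quoted above.

```python
# Added example, not code from the original article. Applies the article's
# process-tree observations to process-creation events. The event schema
# (parent_image, image, command_line) is an assumed normalised form; the
# browser list and the sample events below are constructed for illustration.
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_PARENT = "whatsapp.root.exe"
EXPLORER_PARENT = "explorer.exe"
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumed list

# WhatsApp Desktop attachment storage, per the command line quoted in the article.
WHATSAPP_TRANSFER_DIR = re.compile(
    r"\\AppData\\Local\\Packages\\5319275A\.WhatsAppDesktop_[^\\]+"
    r"\\LocalState\\Sessions\\[^\\]+\\Transfers\\",
    re.IGNORECASE,
)
DOWNLOADS_DIR = re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)
# First quoted (may contain spaces) or bare argument ending in .vbs/.vbe.
SCRIPT_ARG = re.compile(r'"([^"]*\.(?:vbs|vbe))"|(\S+\.(?:vbs|vbe))\b', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # only the file name part is used, so a bare name is fine
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_path(command_line: str):
    """Return the .vbs/.vbe path WSH was asked to run, or None."""
    m = SCRIPT_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def classify(ev: ProcEvent):
    """Return a verdict label for one event, or None if it does not match."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    script = script_path(ev.command_line)
    if script is None:
        return None
    parent = basename(ev.parent_image)
    if parent == WHATSAPP_PARENT and WHATSAPP_TRANSFER_DIR.search(script):
        return "vbs-from-whatsapp-desktop"
    if parent == EXPLORER_PARENT and DOWNLOADS_DIR.search(script):
        return "vbs-from-downloads-folder"
    if parent in BROWSER_PARENTS and DOWNLOADS_DIR.search(script):
        return "vbs-from-browser-download"
    return None


def hunt(events):
    """Return (index, verdict, script path) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict, script_path(ev.command_line)))
    return hits


WSCRIPT = r"C:\Windows\System32\WScript.exe"


def wsh_cmd(script: str) -> str:
    return f'"{WSCRIPT}" "{script}"'


# Constructed sample events (the first reuses the article's command line).
SAMPLE_EVENTS = [
    ProcEvent("WhatsApp.Root.exe", WSCRIPT, wsh_cmd(
        r"C:\Users\<username>\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm"
        r"\LocalState\Sessions\<session_identifier>\Transfers\<YYYY-MM>\financial reports(s).vbs")),
    ProcEvent(r"C:\Windows\explorer.exe", WSCRIPT, wsh_cmd(r"C:\Users\alice\Downloads\Debt Statement.vbs")),
    ProcEvent("chrome.exe", WSCRIPT, wsh_cmd(r"C:\Users\alice\Downloads\Penyata bank.vbs")),
    # benign: an admin logon script outside Downloads
    ProcEvent(r"C:\Windows\explorer.exe", WSCRIPT, wsh_cmd(r"C:\Scripts\logon.vbs")),
    # benign: WhatsApp opening a text attachment in Notepad
    ProcEvent("WhatsApp.Root.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\Downloads\invoice.txt"'),
]

if __name__ == "__main__":
    for idx, verdict, path in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}: {path}")
```

With Sysmon Event ID 1 the same fields are ParentImage, Image and CommandLine; the browser verdict is the noisiest of the three, since any script a user downloads and opens from the browser's download history matches it, so it is better suited to a hunt than an alert.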
Technical analysis

Stage 1: Initial VBScript execution

The first stage of the infection chain is a VBS or VBE file delivered through WhatsApp. Although multiple variants of the scripts were observed, their core functionality is consistent: the script creates a working directory under C:\Users\Public\Documents\, downloads two additional VBScript payloads from remote infrastructure, and executes them using Windows Script Host.

Across the observed variants, the working directory is created with a randomized name such as Temp_<random> or MSUpdate_<random>. Some variants also set the hidden and system attributes on the directory and the downloaded files, likely to reduce their visibility to the user during execution.

Figure: Example of the code generating a random working directory and configuring it with hidden and system attributes

The scripts employ several obfuscation techniques, including string concatenation, encoded VBScript, randomized variable names and large amounts of junk content. One notable variant is obfuscated far more heavily than the other samples: it reconstructs object names, file paths, utility names and URLs through character-by-character string concatenation.

Figure: Example of an obfuscated Stage 1 VBScript variant

Several variants copy curl.exe and bitsadmin.exe into the working directory and rename them with DLL-like file names before using them to download the additional VBS files.

Figure: Example of the Stage 1 downloader logic using renamed Windows utilities and multiple download mechanisms to retrieve additional VBS files

The downloaded files are commonly staged under misleading file extensions before execution. For example, some variants download the files with a PDF or TXT extension and rename them to VBS before launching them with wscript.exe. Other variants download the secondary VBScript payloads directly.
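The character-by-character concatenation described above is cheap to undo statically, since every piece is either a quoted literal or a Chr()/ChrW() call with a constant argument. The following Python is an added example, not code from the article or from the campaign's samples: it folds such expressions across VBScript line continuations and comment noise, tracks the variables they are assigned to, and inlines the results into the remaining lines so the object names, paths and URLs can be read without running the script. The VBScript in SAMPLE is constructed for illustration and is not one of the observed variants.

```python
# Added example, not code from the original article or the campaign's samples.
# Statically folds Chr()/ChrW() calls and quoted literals joined with & or +
# (the obfuscation style described in the article) into plain strings.
import re

LITERAL = re.compile(r'^"((?:[^"]|"")*)"$')                          # "text"; "" escapes a quote
CHR = re.compile(r'^Chr[WB]?\(\s*(&H[0-9A-Fa-f]+|\d+)\s*\)$', re.I)  # Chr(87), ChrW(&H57)
IDENT = re.compile(r'^[A-Za-z_]\w*$')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')           # plain `name = expr` lines


def join_continuations(src):
    """Merge lines ending in the VBScript ` _` continuation marker."""
    lines, buf = [], ""
    for raw in src.splitlines():
        s = raw.rstrip()
        if s.endswith("_"):
            buf += s[:-1]
            continue
        lines.append(buf + s)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def strip_comment(line):
    """Drop a trailing ' comment unless the apostrophe sits inside a string."""
    in_str = False
    for i, c in enumerate(line):
        if c == '"':
            in_str = not in_str
        elif c == "'" and not in_str:
            return line[:i]
    return line


def split_concat(expr):
    """Split on & and + that are outside quotes and parentheses."""
    parts, buf, depth, in_str = [], [], 0, False
    for c in expr:
        if in_str:
            buf.append(c)
            in_str = c != '"'
        elif c == '"':
            in_str = True
            buf.append(c)
        elif c in "&+" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            depth += (c == "(") - (c == ")")
            buf.append(c)
    parts.append("".join(buf).strip())
    return parts


def fold_piece(piece, env):
    m = LITERAL.match(piece)
    if m:
        return m.group(1).replace('""', '"')
    m = CHR.match(piece)
    if m:
        v = m.group(1)
        return chr(int(v[2:], 16) if v[:2].upper() == "&H" else int(v))
    if IDENT.match(piece) and piece.lower() in env:   # VBScript names are case-insensitive
        return env[piece.lower()]
    return None                                        # call, number, unknown variable


def fold_expr(expr, env=None):
    """Return the constant string `expr` evaluates to, or None if it is not constant."""
    env = env or {}
    out = []
    for piece in split_concat(expr):
        v = fold_piece(piece, env)
        if v is None:
            return None
        out.append(v)
    return "".join(out)


def fold_script(src):
    """Evaluate every foldable assignment in order; returns {variable: string}."""
    env = {}
    for line in join_continuations(src):
        m = ASSIGN.match(strip_comment(line))
        if m:
            val = fold_expr(m.group(2), env)
            if val is not None:
                env[m.group(1).lower()] = val
    return env


def rewrite(src):
    """Drop folded assignments and inline their values elsewhere (outside string literals)."""
    env = fold_script(src)
    out = []
    for line in join_continuations(src):
        code = strip_comment(line).rstrip()
        if not code.strip():
            continue
        m = ASSIGN.match(code)
        if m and fold_expr(m.group(2), env) is not None:
            continue

        def inline(match):
            name = match.group(0)
            if name.lower() not in env or code[:match.start()].count('"') % 2:
                return name                       # unknown, or inside a string literal
            return '"%s"' % env[name.lower()].replace('"', '""')

        out.append(re.sub(r"\b[A-Za-z_]\w*\b", inline, code))
    return env, "\n".join(out)


# Constructed sample in the style described in the article (not a real sample).
SAMPLE = r'''
' Windows Update certificate validation module   (decoy comment, as in the real scripts)
a1 = Chr(87) & Chr(83) & "cri" & "pt" & Chr(46) & "Sh" & "ell"
b2 = "C:\Users\Pub" & "lic\Docu" & "ments\Temp_" & Chr(&H34) & Chr(49)
c3 = b2 & Chr(92) & "upd" & _
     "ate.v" & "bs"
Set sh = CreateObject(a1)
sh.Run "wscript.exe " & c3, 0, False
'''

if __name__ == "__main__":
    env, cleaned = rewrite(SAMPLE)
    print(env)
    print(cleaned)
```

This only handles constant concatenation; VBE-encoded samples need to be decoded with a Script Encoder decoder first, and anything built at run time from function return values is left untouched, which is itself a useful signal of where to look in the dynamic trace.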
Despite differences in infrastructure, file names and obfuscation methods, all observed variants ultimately perform the same function: downloading and executing two secondary VBScript payloads that continue the infection chain.

Stage 2: Execution of secondary VBScript payloads

Following execution, the Stage 1 VBScript downloads and launches two additional VBScript files from attacker-controlled infrast

Indicators of Compromise

  • malware — VBScript
  • malware — UEMS RMM agent

Entities

  • WhatsApp Desktop (product)
  • WhatsApp Web (product)
  • RMM software (technology)