Microsoft Warns of WhatsApp Attachments Spreading Backdoor on Windows PCs
Microsoft warns of WhatsApp-delivered VBS malware installing backdoors on Windows PCs.
Summary
Microsoft's Defender Security Research Team discovered a social engineering campaign, active since late February 2026, that distributes Visual Basic Script (VBS) files as WhatsApp attachments. Once a user runs the script, it relies on living-off-the-land techniques: it creates hidden folders under C:\ProgramData, renames legitimate Windows tools (curl.exe to netapi.dll, bitsadmin.exe to sc.exe), and downloads additional payloads from cloud storage services (AWS S3, Tencent Cloud, Backblaze B2) to gain administrative privileges and establish remote access. The chain trades on user trust in messaging platforms and in legitimate infrastructure; it weakens User Account Control by editing registry settings and ends with unsigned malicious MSI packages disguised as legitimate software (WinRAR.msi, Setup.msi, AnyDesk.msi) that give the attackers remote access.
Full text
by Deeba Ahmed, April 2, 2026, 3 minute read

Microsoft's Defender Security Research Team is warning the public about a social engineering campaign that has been targeting users since late February 2026. The lure arrives as an ordinary WhatsApp message, but the attachment it carries is built to take over the recipient's computer.

According to Microsoft's researchers, the chain begins when a user receives a message containing a Visual Basic Script (.vbs) file. Windows runs such scripts natively through the Windows Script Host, so opening the attachment is all it takes to start a sequence that ends with the attacker controlling the machine remotely.

“The campaign relies on a combination of social engineering and living-off-the-land techniques. By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution,” researchers wrote in Microsoft's blog post.

Tactics to Bypass Security

People tend to trust WhatsApp, so they may open an attachment without a second thought. Once executed, the script creates hidden folders under C:\ProgramData to stage its files out of view. A notable step is the renaming of standard Windows binaries so that they look like unremarkable files: curl.exe becomes netapi.dll, and bitsadmin.exe becomes sc.exe. The renamed copies work exactly as before, so the attacker can fetch further payloads while a process listing or a rule keyed on file names sees only what looks like ordinary system activity. The researchers noted that those payloads are retrieved from trusted cloud services, AWS S3, Tencent Cloud and Backblaze B2, which lets the malicious traffic blend into regular internet use.
Taking Full Control of Your PC

The goal of the attack is administrative privilege, the same level of control the machine's owner has. Further analysis showed that the malware tries to change User Account Control (UAC) settings, the feature that normally asks for confirmation before a program makes system-level changes. By modifying registry entries under HKLM\Software\Microsoft\Win, the malware can suppress those prompts and stay on the computer after a restart.

In the final stage the attackers install malicious packages that look like ordinary installers, with names such as WinRAR.msi, Setup.msi or AnyDesk.msi. “These installers enable attackers to establish remote access,” the researchers explained in the blog post. From there they can steal private data or use the infected machine as a foothold for further attacks. The installers are unsigned: they carry no valid Authenticode signature, so Windows cannot tie them to any publisher, and an application-control policy that only allows signed installers (an AppLocker or WDAC publisher rule, for instance) would block them. To stay safe, Microsoft recommends treating unexpected WhatsApp attachments with caution and keeping antivirus protection active at all times.

Infection chain illustrated (Source: Microsoft)

Expert Commentary

Sharing his insights with Hackread.com, Yagub Rahimov, CEO of Polygraf AI, noted that this attack is built entirely on the trust placed in common tools and messaging apps. “The attack chain here is built entirely around trust towards tools, cloud services, and messaging platforms… curl.exe becomes netapi.dll. bitsadmin.exe becomes sc.exe. Payloads come down from AWS, Tencent Cloud, and Backblaze B2 – infrastructure defenders are conditioned to allow, not inspect. Nothing in this chain looks wrong until it’s too late. WhatsApp makes it worse.” Rahimov, whose company focuses on zero-trust solutions for national intelligence and defence, added that the use of personal apps on work devices is the real weak spot.
“A .vbs file delivered there bypasses DLP, email security, attachment scanning – the entire layer of controls enterprises have spent years building… The broader issue this campaign points to is simple: the threat perimeter expanded the moment employees started using personal messaging apps on work devices. Most security stacks haven’t caught up.”
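As an added example (not Microsoft's code and not part of the article), the following PowerShell triage script checks a Windows host for the traces described above: hidden directories under C:\ProgramData, copies of curl.exe and bitsadmin.exe stored under other names, weakened UAC policy values, and unsigned MSI packages with the listed names. It leans on two facts the article does not spell out: renaming a PE file leaves the OriginalFilename string in its version resource untouched, so a curl.exe saved as netapi.dll still identifies itself as curl.exe; and UAC prompt behaviour is governed by the EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The article gives only a truncated registry path, so treating that key as the one the campaign edits is an assumption, as are the extra search roots for the MSI files. The renamed-binary check is generalised beyond the two tools named in the article: it flags any file under ProgramData whose OriginalFilename matches a binary present in System32.

```powershell
# Added triage script, not code from Microsoft or the article. Run in an elevated
# PowerShell 5.1+ session so every directory under ProgramData is readable.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. Hidden directories under C:\ProgramData, where the article says the script stages files.
Get-ChildItem -Path 'C:\ProgramData' -Directory -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object { Add-Finding 'HiddenDir' $_.FullName "$($_.Attributes)" }

# 2. Renamed system binaries. Renaming a PE does not change its version resource, so a
#    curl.exe stored as netapi.dll still reports OriginalFilename "curl.exe". Flag any file
#    whose OriginalFilename names a System32 binary but differs from the on-disk name, and
#    record whether its bytes match the genuine System32 copy (true = unmodified tool).
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path 'C:\ProgramData' -Recurse -File -Force |
    ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if (-not $orig) { return }                 # not a PE, or no version resource
        $orig = $orig.Trim()
        if ($orig -eq $_.Name) { return }          # -eq is case-insensitive in PowerShell
        $ref = Join-Path $sys32 $orig
        if (-not (Test-Path -LiteralPath $ref -PathType Leaf)) { return }
        $same = (Get-FileHash -LiteralPath $_.FullName).Hash -eq (Get-FileHash -LiteralPath $ref).Hash
        Add-Finding 'RenamedSystemBinary' $_.FullName "OriginalFilename=$orig; identical to System32 copy: $same"
    }

# 3. UAC policy. The article gives only a truncated registry path; these are the standard
#    UAC values under the Policies\System key (assumed to be what the campaign edits).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1)                  { Add-Finding 'UAC' $uacKey "EnableLUA=$($uac.EnableLUA) (UAC off after next reboot)" }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { Add-Finding 'UAC' $uacKey 'ConsentPromptBehaviorAdmin=0 (admins elevate without a prompt)' }
if ($uac.PromptOnSecureDesktop -eq 0)      { Add-Finding 'UAC' $uacKey 'PromptOnSecureDesktop=0 (prompt not isolated on the secure desktop)' }

# 4. Unsigned MSI packages with the names the article lists. Search roots other than
#    ProgramData are an assumption about where a user-launched script would drop them.
$msiNames = @('WinRAR.msi', 'Setup.msi', 'AnyDesk.msi')
$roots = @('C:\ProgramData', $env:TEMP, (Join-Path $env:USERPROFILE 'Downloads'))
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -Include $msiNames |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                Add-Finding 'UnsignedMsi' $_.FullName "SignatureStatus=$($sig.Status)"
            }
        }
}

$findings | Format-Table -AutoSize
```

Read the output as triage leads rather than verdicts: legitimate software sometimes stages copies of system tools or hidden folders under ProgramData, so a RenamedSystemBinary hit earns a look at the parent directory's creation time and at the WhatsApp attachment the user opened, while a UAC or UnsignedMsi hit on a machine that should never have had those values changed is a strong signal on its own.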
Indicators of Compromise
- file — VBS script delivered as a WhatsApp attachment (initial loader)
- renamed system binary — curl.exe stored as netapi.dll (legitimate Windows tool; unless the version resource was also patched, its OriginalFilename still reads curl.exe)
- renamed system binary — bitsadmin.exe stored as sc.exe (legitimate Windows tool; same check applies)
- path — hidden folders created under C:\ProgramData
- file — WinRAR.msi, Setup.msi, AnyDesk.msi (unsigned malicious installers that establish remote access)
- infrastructure — payload downloads from AWS S3, Tencent Cloud and Backblaze B2 (legitimate services, so block on specific objects rather than the providers)