Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

Summary

Microsoft has identified a new malware campaign beginning in late February 2026 that distributes malicious Visual Basic Script (VBS) files via WhatsApp messages. The multi-stage infection chain uses renamed Windows utilities, payload hosting on AWS, Tencent Cloud, and Backblaze B2, and tampers with UAC settings to achieve privilege escalation and deploy unsigned MSI installers for persistent remote access.

Full text

Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass Ravie LakshmananApr 01, 2026Social Engineering / Malware Microsoft is calling attention to a new campaign that has leveraged WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The activity, beginning in late February 2026, leverages these scripts to initiate a multi-stage infection chain for establishing persistence and enabling remote access. It's currently not known what lures the threat actors use to trick users into executing the scripts. "The campaign relies on a combination of social engineering and living-off-the-land techniques," the Microsoft Defender Security Research Team said. "It uses renamed Windows utilities to blend into normal system activity, retrieves payloads from trusted cloud services such as AWS, Tencent Cloud, and Backblaze B2, and installs malicious Microsoft Installer (MSI) packages to maintain control of the system." The use of legitimate tools and trusted platforms is a deadly combination, as it allows threat actors to blend in normal network activity and increase the likelihood of success of their attacks. The activity begins with the attackers distributing malicious VBS files via WhatsApp messages that, when executed, create hidden folders in "C:\ProgramData" and drop renamed versions of legitimate Windows utilities like "curl.exe" (renamed as "netapi.dll") and "bitsadmin.exe" (renamed as "sc.exe"). Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious MSI packages on victim systems. This is achieved by downloading auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries. "Once the secondary payloads are in place, the malware begins tampering with User Account Control (UAC) settings to weaken system defenses," Redmond said. "It continuously attempts to launch cmd.exe with elevated privileges, retrying until UAC elevation succeeds or the process is forcibly terminated, modifying registry entries under HKLM\Software\Microsoft\Win, and embedding persistence mechanisms to ensure the infection survives system reboots." These actions allow the threat actors to gain elevated privileges without user interaction via a combination of Registry manipulation with UAC bypass techniques, and ultimately deploy unsigned MSI installers. This includes legitimate tools like AnyDesk that provide attackers with persistent remote access, enabling the attackers to exfiltrate data or deploy more malware. "This campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting," Microsoft said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cloud security, cybersecurity, Malware, Microsoft, privilege escalation, social engineering, Whatsapp, windows security Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — VBS malware (unnamed campaign)
• malware — AnyDesk