Malware | Jun 22, 2026

WhatsApp phishing attack uses fake business docs to hack PCs

WhatsApp phishing attack uses fake business docs to hack PCs with VBScript.

Summary

A malware campaign is targeting WhatsApp users globally by sending VBScript files disguised as business documents. These malicious attachments, distributed from compromised WhatsApp accounts, lead to the installation of legitimate remote management software (ManageEngine Endpoint Central) controlled by attackers, granting them system access. The campaign's exact origin is unknown, but some infrastructure overlaps with past Chinese-linked RAT activity.

Full text

By Bill Toulas, June 22, 2026 06:42 PM

An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access. The threat actor is using file names that indicate business and financial documents, delivered by the victim's contacts, whose accounts had been compromised. By downloading and executing the malicious attachments, the recipient starts an infection chain that leads to installing the legitimate ManageEngine Endpoint Central, which is used by IT administrators to manage systems from a centralized dashboard.

Telemetry data from cybersecurity company Kaspersky shows that the campaign spreads across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia.

Attack chain

Kaspersky reports that the attacks begin with messages sent from compromised accounts that contain nothing but a heavily obfuscated VBS file. These files are given names that make them appear to be financial reports, billing statements, account notices, and similar documents likely to draw the target’s attention and prompt them to open the file. The filenames are also localized in multiple languages, further confirming the campaign’s global reach.

[Figure: Samples of the malicious messages. Source: Kaspersky]

“Based on evidence collected from multiple victims through social media reports and submitted samples, we can conclude that the threat actor had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists,” Kaspersky explains. “At the time of writing, the exact method used to compromise these WhatsApp accounts remains unknown.”

If the victim downloads and opens the file on Windows, the VBScript fetches two additional scripts from the attacker's infrastructure, which, in turn, disable UAC protections through Registry modifications and download a ZIP archive containing the ManageEngine Endpoint Central program.

[Figure: Content of the ZIP file. Source: Kaspersky]

The software is silently installed in the background and configured to connect to attacker-controlled management servers, giving them remote administration access on the victim’s computer.

Kaspersky notes that when the initial VBScript file is delivered via WhatsApp Web, it must be downloaded first, but when opened in the WhatsApp Desktop client, it can be executed directly via Windows Script Host (wscript.exe).

[Figure: Overview of the attack chain. Source: Kaspersky]

While Kaspersky does not attribute the attacks to a specific threat actor, the researchers found signs of Chinese language use and infrastructure overlap with IPs previously associated with ValleyRAT and Gh0st RAT activity. However, there is insufficient evidence for high-confidence attribution.

WhatsApp users are advised to treat files sent by contacts, even trusted ones, with caution and to always verify them through secondary means. All downloaded files should be scanned with an up-to-date antivirus before executing them.
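As an added defender-side example (not from the article or from Kaspersky), the following Python triages constructed process-creation and registry-set records for the three chain stages described above: a script host running a .vbs from a WhatsApp or Downloads folder, UAC policy values being zeroed, and the script host spawning a further process such as an installer. The UAC value names are the standard Windows policy values; the article does not say which values the scripts change, so treating these as the ones to watch is an assumption.

```python
import re

# Standard UAC policy values under HKLM. The article only says UAC is weakened
# via the Registry; which values are touched is an assumption on our part.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAKENING = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
                 "PromptOnSecureDesktop": "0"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
MESSAGING_DIRS = re.compile(r"\\(WhatsApp|Downloads)\\", re.IGNORECASE)

# Constructed sample records (simplified Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Invoice_Q2.vbs"',
     "parent": r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": UAC_KEY + r"\EnableLUA", "value": "0"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i agent.msi /quiet",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (stage, detail) findings for each record matching a chain stage."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = basename(ev["image"]), basename(ev["parent"])
            # Stage 1: script host executing a .vbs that sits in a messaging/download folder
            if (img in SCRIPT_HOSTS and ".vbs" in ev["cmdline"].lower()
                    and MESSAGING_DIRS.search(ev["cmdline"])):
                findings.append(("vbs_from_messaging_dir", ev["cmdline"]))
            # Stage 3: script host spawning anything else (installer, second stage)
            elif parent in SCRIPT_HOSTS:
                findings.append(("child_of_script_host", ev["image"]))
        elif ev["type"] == "registry":
            key, _, name = ev["target"].rpartition("\\")
            # Stage 2: a UAC policy value set to its weakened setting
            if key.lower() == UAC_KEY.lower() and UAC_WEAKENING.get(name) == ev["value"]:
                findings.append(("uac_weakened", f"{name}={ev['value']} by {basename(ev['image'])}"))
    return findings

if __name__ == "__main__":
    for stage, detail in triage(SAMPLE_EVENTS):
        print(f"[{stage}] {detail}")
```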

Indicators of Compromise

  • malware — VBScript
  • malware — ValleyRAT
  • malware — Gh0st RAT

Entities

  • ManageEngine Endpoint Central (product)
  • VBScript (technology)
  • WhatsApp (product)