Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass

Microsoft warns of a new campaign that uses WhatsApp messages to distribute malicious Visual Basic Script (VBS) files that initiate a multi-stage infection chain. The attackers rename legitimate Windows utilities, retrieve secondary payloads from AWS, Tencent Cloud, and Backblaze B2, tamper with UAC and registry settings, and install unsigned MSI packages (including AnyDesk) to gain persistent, elevated remote access. #WhatsApp #VBS

Keypoints

  • Attackers deliver malicious VBS files via WhatsApp to start a multi-stage infection chain.
  • The scripts create hidden folders in C:\ProgramData and drop renamed Windows utilities like curl.exe and bitsadmin.exe to blend in.
  • Secondary payloads are downloaded from cloud services including AWS S3, Tencent Cloud, and Backblaze B2 using the renamed binaries.
  • Threat actors modify UAC settings and registry keys under HKLM\Software\Microsoft\Win to escalate privileges and establish persistence.
  • Unsigned MSI installers (including legitimate tools like AnyDesk) are deployed to maintain remote access and enable data exfiltration or further malware deployment.
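A defender-side hunt for the three artefacts listed above, added here as example code (not from the article, Microsoft, or the campaign analysis): renamed stock utilities under C:\ProgramData, weakened UAC policy values, and recently written MSI packages without a valid Authenticode signature. The search roots, the 7-day window, and the expectation that the stock binaries carry their usual OriginalFilename are assumptions.

```powershell
# Added example, not code from the article. Run as an administrator on the host being checked.

function Find-RenamedUtility {
    param([string]$Root = 'C:\ProgramData')   # assumed search root
    # Assumes the stock curl.exe and bitsadmin.exe keep their OriginalFilename in the PE version resource,
    # so a copy renamed to blend in still reveals its true name.
    $lolbins = @('curl.exe', 'bitsadmin.exe')
    Get-ChildItem -Path $Root -Recurse -Force -Include '*.exe' -ErrorAction SilentlyContinue |
        Where-Object {
            $orig = $_.VersionInfo.OriginalFilename
            $orig -and ($lolbins -contains $orig.ToLower()) -and ($_.Name.ToLower() -ne $orig.ToLower())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                OriginalName = $_.VersionInfo.OriginalFilename
                HiddenDir    = $_.Directory.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            }
        }
}

function Test-UacPolicy {
    # The UAC policy values live under this key; a stock install has EnableLUA=1 and PromptOnSecureDesktop=1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $findings = @()
    if ($p.EnableLUA -ne 1)                  { $findings += 'EnableLUA is not 1 (UAC disabled)' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'ConsentPromptBehaviorAdmin=0 (elevate without prompting)' }
    if ($p.PromptOnSecureDesktop -ne 1)      { $findings += 'PromptOnSecureDesktop is not 1 (prompt off secure desktop)' }
    $findings
}

function Find-UnsignedMsi {
    param([string[]]$Roots = @('C:\ProgramData', $env:TEMP), [int]$Days = 7)   # assumed roots and window
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Roots -Recurse -Force -Include '*.msi' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            # Get-AuthenticodeSignature handles MSI files; anything other than 'Valid' is reported.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; SignatureStatus = $sig.Status }
            }
        }
}

Find-RenamedUtility | Format-Table -AutoSize
Test-UacPolicy
Find-UnsignedMsi | Format-Table -AutoSize
```

An empty result from all three functions is the expected state on a clean host; any hit is a lead to triage, not proof of this specific campaign.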

Read More: https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html