Microsoft Warns of WhatsApp-Delivered VBS Malware Exploiting UAC Bypass on Windows

Microsoft has issued a warning about a newly discovered cyber campaign that uses WhatsApp to distribute malicious Visual Basic Script (VBS) files. The attack chain is designed to compromise Windows systems, establish persistence, and gain elevated privileges through stealth techniques.

Attack Begins with Social Engineering

The campaign, first observed in late February 2026, relies heavily on social engineering tactics. Victims receive VBS files through WhatsApp messages, although the exact lure methods remain unclear. Once a user executes the file, the infection process begins immediately.

Multi-Stage Infection Chain

After execution, the malware initiates a complex, multi-stage process to maintain control over the system. It creates hidden directories within the system path and deploys renamed versions of legitimate Windows utilities, allowing it to blend seamlessly into normal operations.

Examples include:

  • Renaming curl.exe as “netapi.dll”
  • Renaming bitsadmin.exe as “sc.exe”

These modifications help the malware avoid detection by appearing as legitimate system components.
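The renamed utilities above are still the genuine Windows binaries, so the OriginalFileName stored in each file's PE version resource still says curl.exe or bitsadmin.exe. As an added defensive illustration (not code from Microsoft's advisory or this article), the check below compares that field, which Sysmon Event ID 1 records for every process start, against the name of the file actually executed; the log records, directory names and paths are constructed.

```python
import json
import ntpath

# Constructed Sysmon Event ID 1 (ProcessCreate) records reduced to the fields
# this check needs. Paths and directory names are made up for illustration;
# only the rename pairs (curl.exe -> netapi.dll, bitsadmin.exe -> sc.exe)
# follow the campaign described in the article.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\curl.exe", "OriginalFileName": "curl.exe"}
{"Image": "C:\\Windows\\System32\\drivers\\.cache\\netapi.dll", "OriginalFileName": "curl.exe"}
{"Image": "C:\\Windows\\System32\\drivers\\.cache\\sc.exe", "OriginalFileName": "bitsadmin.exe"}
{"Image": "C:\\Windows\\System32\\sc.exe", "OriginalFileName": "sc.exe"}
{"Image": "C:\\Users\\Public\\setup.exe", "OriginalFileName": "-"}
"""

def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def renamed_binary(event):
    """Return (on_disk_name, original_name) when the name of the executed file
    differs from the OriginalFileName in its PE version resource, else None.
    Sysmon logs "-" when the binary carries no version information, so such
    records cannot be judged and are skipped rather than flagged."""
    original = (event.get("OriginalFileName") or "").strip()
    if original in ("", "-"):
        return None
    on_disk = ntpath.basename(event.get("Image", ""))
    if on_disk.lower() != original.lower():
        return (on_disk, original)
    return None

def find_renamed_binaries(events):
    """Return [(image_path, original_name), ...] for every renamed executable."""
    hits = []
    for event in events:
        result = renamed_binary(event)
        if result is not None:
            hits.append((event["Image"], result[1]))
    return hits

if __name__ == "__main__":
    for image, original in find_renamed_binaries(parse_events(SAMPLE_LOG)):
        print(f"renamed binary: {image} is really {original}")
```

OriginalFileName comes from the file's own version resource, so a binary whose resources were rewritten will not be caught; treat a mismatch as a triage signal and correlate it with the cloud downloads and UAC registry changes the article describes.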


Use of Trusted Cloud Services

One of the most dangerous aspects of this campaign is its use of reputable cloud platforms to host malicious payloads. The malware retrieves additional components from services such as:

  • Amazon Web Services (AWS S3)
  • Tencent Cloud
  • Backblaze B2

Because these platforms are widely trusted, malicious traffic often goes unnoticed within regular network activity.

Persistence and Privilege Escalation

After establishing a foothold, the malware focuses on persistence and privilege escalation. It repeatedly attempts to launch system processes with elevated permissions by manipulating User Account Control (UAC) settings.

Key actions include:

  • Modifying Windows registry entries
  • Weakening UAC protections
  • Running elevated command prompts in repeated attempts
  • Ensuring persistence across system reboots

This allows attackers to gain administrative-level access without requiring direct user approval.

Deployment of Malicious MSI Packages

Once elevated privileges are obtained, the attackers install malicious Microsoft Installer (MSI) packages. These packages may include legitimate remote access tools such as AnyDesk, which are abused to maintain long-term control over the compromised system.

Through this access, attackers can:

  • Steal sensitive data
  • Monitor user activity
  • Deploy additional malware

Why This Campaign Is Dangerous

This campaign stands out due to its combination of:

  • Social engineering via WhatsApp
  • Living-off-the-land techniques using legitimate tools
  • Use of trusted cloud infrastructure
  • UAC bypass for privilege escalation

Together, these factors significantly increase the campaign's success rate while reducing the chances that it is detected.
