Telemetry data from Kaspersky shows the campaign spreading across Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia — a single malspam strategy carrying a remote-administration payload into desktops around the world.
How the messages arrive: compromised WhatsApp contacts and deceptive filenames
Kaspersky says the campaign begins with messages sent from compromised WhatsApp accounts that contain “nothing but a heavily obfuscated VBS file.” The attachments are given filenames meant to look like business and financial documents — billing statements, account notices, and financial reports — and are localized into multiple languages to increase the chance a recipient will open them. Based on social-media reports and submitted samples, Kaspersky concludes the threat actor “had gained access to several WhatsApp accounts and used them to distribute the malicious VBScript files to contacts on the compromised users’ contact lists.” At the time of Kaspersky’s reporting, the exact method used to compromise those WhatsApp accounts remains unknown.
What happens on a Windows machine: VBScript to remote administration
If a recipient downloads and opens the VBS file on Windows, the initial script fetches two additional scripts from the attacker’s infrastructure. Those follow-up scripts modify the Registry to disable User Account Control protections and then download a ZIP archive containing the ManageEngine Endpoint Central software. The program — a legitimate remote-management product “used by IT administrators to manage systems from a centralized dashboard,” in Kaspersky’s words — is silently installed and configured to connect to attacker-controlled management servers, giving the intruder remote administration access to the victim’s computer.
Kaspersky also points out a client-dependent execution difference: when the attachment arrives through WhatsApp Web it must first be saved to disk and then opened, whereas the WhatsApp Desktop client can hand the file straight to Windows Script Host (wscript.exe), so on the Desktop client a single click on the attachment is enough to run the payload.
Attack infrastructure and attribution signals
The researchers did not attribute the campaign with high confidence, but they recorded two noteworthy indicators: signs of Chinese language use in some artifacts and overlap between infrastructure IPs and addresses previously linked to activity by ValleyRAT and Gh0st RAT. Kaspersky explicitly states there is insufficient evidence for high-confidence attribution, leaving the actor identity unresolved.
What this means for technologists, procurement teams, and end users
- Technologists and security teams: the public chain shows a legitimate remote-management product being abused as a post-compromise control channel. Teams will need to watch for unexpected ManageEngine Endpoint Central installations or unusual connections from endpoints to unknown management servers.
- Procurement and enterprise IT leaders: because the campaign leverages a legitimate administrative product, procurement and asset inventories should confirm where ManageEngine Endpoint Central is authorized and how installations are provisioned and authenticated within the environment.
- End users and general public: Kaspersky’s advisory is direct — treat files sent by contacts, even trusted ones, with caution; verify suspicious attachments through a secondary channel; and scan all downloaded files with an up-to-date antivirus before executing them.
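To make the detection advice above concrete, here is an added example (not code from Kaspersky or from the BleepingComputer report) that runs three hunt rules over constructed Sysmon-style endpoint events covering the chain described above: a script host spawned by the WhatsApp Desktop client or a browser, a UAC policy value set to 0, and ManageEngine Endpoint Central being installed from a script or its agent talking to a management server that is not on the organisation's allow-list. The event records, file paths, the agent binary name, the server addresses and the specific UAC registry values checked are all assumptions for illustration; the report does not name which values the campaign changes.

```python
"""Hunt constructed endpoint telemetry for the WhatsApp -> VBS -> UAC-off -> Endpoint Central chain."""
import ntpath  # basename() for Windows paths, regardless of the host OS
from typing import Dict, Iterable, List, Optional, Set

Event = Dict[str, str]
Alert = Dict[str, str]

# Standard UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Setting any of them to 0 weakens or disables UAC (assumed; the report does not name the values).
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents that should not spawn Windows Script Host: the Desktop client (direct execution)
# and browsers (WhatsApp Web: the file is downloaded, then opened).
SUSPICIOUS_PARENTS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed: the only Endpoint Central server this organisation has authorised.
ALLOWED_MANAGEMENT_SERVERS: Set[str] = {"10.0.5.20"}

# Constructed Sysmon-style events (not telemetry from the campaign). Paths, file names and
# the agent binary name are assumptions for illustration.
EVENTS: List[Event] = [
    {"type": "process", "parent": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Factura_0342.vbs"'},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": "0"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
     "value": "0"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\ana\AppData\Local\Temp\ec\ManageEngine_Agent_Setup.exe",
     "cmdline": r'"C:\Users\ana\AppData\Local\Temp\ec\ManageEngine_Agent_Setup.exe" /silent'},
    {"type": "network", "image": r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\dcagentservice.exe",
     "dest": "203.0.113.7", "port": "8383"},
    {"type": "network", "image": r"C:\Program Files (x86)\ManageEngine\UEMS_Agent\bin\dcagentservice.exe",
     "dest": "10.0.5.20", "port": "8383"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_script_host_from_messenger(ev: Event) -> Optional[Alert]:
    """Windows Script Host launched by the WhatsApp Desktop client or by a browser."""
    if ev["type"] == "process" and _base(ev["image"]) in SCRIPT_HOSTS \
            and _base(ev["parent"]) in SUSPICIOUS_PARENTS:
        return {"rule": "script_host_from_messenger", "evidence": ev["cmdline"]}
    return None


def rule_uac_weakened(ev: Event) -> Optional[Alert]:
    """A UAC policy value set to 0; the writing process is kept as evidence."""
    if ev["type"] != "registry":
        return None
    name = ev["target"].rsplit("\\", 1)[-1]
    if name in UAC_VALUES and str(ev["value"]) == "0":
        return {"rule": "uac_weakened", "evidence": f"{name}=0 by {_base(ev['image'])}"}
    return None


def rule_endpoint_central_abuse(ev: Event, allowed: Set[str]) -> Optional[Alert]:
    """Endpoint Central installed by a script host, or its agent reaching a server not on the allow-list."""
    if ev["type"] == "process" and "manageengine" in ev["cmdline"].lower() \
            and _base(ev["parent"]) in SCRIPT_HOSTS:
        return {"rule": "ec_install_from_script", "evidence": ev["cmdline"]}
    if ev["type"] == "network" and "manageengine" in ev["image"].lower() \
            and ev["dest"] not in allowed:
        return {"rule": "ec_agent_unknown_server", "evidence": f"{ev['dest']}:{ev['port']}"}
    return None


def hunt(events: Iterable[Event], allowed: Set[str]) -> List[Alert]:
    """Apply every rule to every event and return the alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for hit in (rule_script_host_from_messenger(ev), rule_uac_weakened(ev),
                    rule_endpoint_central_abuse(ev, allowed)):
            if hit is not None:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS, ALLOWED_MANAGEMENT_SERVERS):
        print(f"{alert['rule']:28} {alert['evidence']}")
```

Run against the constructed events, the hunt returns five alerts, one per stage of the chain, while the agent's connection to the authorised server and the unrelated notepad launch stay quiet. In a real deployment the event list would come from Sysmon event IDs 1 (process creation), 13 (registry value set) and 3 (network connection), and the allow-list from the asset inventory that the procurement note above asks for.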
Closing observation
The campaign uses social trust — compromised contacts and believable, localized filenames — to convert a messaging vector into a full remote-administration foothold on Windows machines. The operator’s choice to deliver a legitimate remote-management product as the persistence mechanism complicates simple detection, and the reported Registry changes that disable UAC underline how quickly a single click can shift control. Kaspersky’s telemetry maps a geographically broad footprint, but the actor remains unconfirmed; meanwhile the concrete defensive steps Kaspersky recommends — verification of files and antivirus scanning — are the practical actions left to users and defenders today.
Read the original Kaspersky-based report on BleepingComputer