WhatsApp Targeted in VBScript Campaign Installing ManageEngine RMM Tool

"The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment," security researcher Fareed Radzi said.

Scope and geography of the WhatsApp VBScript campaign

Kaspersky reports an active campaign that uses direct messages sent via WhatsApp to distribute malicious Visual Basic Script (VBScript) files that ultimately install legitimate Remote Monitoring and Management (RMM) software. The operation has been observed across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam, with the highest concentration of victims reported in Malaysia.

Delivery and execution: WhatsApp Web versus WhatsApp Desktop

The attack adapts to how victims use WhatsApp. In WhatsApp Web, the campaign relies on recipients downloading an attachment to their system and then opening it from the downloads folder or the browser's download history, mistaking it for a legitimate document. With the WhatsApp Desktop client, Kaspersky found that the malware can be executed directly from within the application: the process tree shows the background client process, "WhatsApp.Root.exe," spawning "WScript.exe" to run the VBScript.

Technical chain: VBScript to ManageEngine RMM Central

The delivered VBScript files are heavily obfuscated and dressed as business or financial documents, with names such as "Financial Reports.vbs" and "Account Statement.vbs," and some filenames presented in Portuguese, French, German, and Malay. When launched with "WScript.exe," the initial script fetches and runs additional VBScript components. Two secondary VBScript payloads are downloaded: one attempts to tamper with Windows User Account Control (UAC) behavior, while the other downloads and executes a ZIP file containing the installation package for ManageEngine RMM Central. Kaspersky notes the ultimate result is the installation of legitimate RMM software that enables remote access to the victim's system.

Deception techniques and infrastructure links

Kaspersky says the VBScript samples include extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components; many of those comments are written in Chinese and reference Windows Update modules, certificate validation, system integrity checks, and deployment-related functionality. The scripts are heavily obfuscated to frustrate inspection.

While Kaspersky does not attribute the activity to a named actor, the company reports an infrastructure overlap — specifically the IP 202.61.160[.]201 — with prior activity linked to Gh0st RAT and ValleyRAT.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: the operation substitutes legitimate-seeming documents and a trusted remote-management product into an attack chain that leverages script execution and UAC tampering; teams will need to watch for the specific behaviors Kaspersky describes (WScript.exe spawned by WhatsApp processes, ZIP payloads unpacking ManageEngine RMM Central installers) when triaging alerts.
  • Affected enterprises and procurement leaders: the campaign’s use of a commercially available RMM product as the end payload highlights a risk vector where legitimate management tools become the means of remote access. Procurement and IT asset teams will want to verify how RMM packages are approved and deployed and monitor for unexpected installations of ManageEngine RMM Central.
  • End users and the general public: Kaspersky warns that accounts may have been used to distribute the malicious attachments, and it remains unclear how those WhatsApp accounts were compromised. Users should treat unexpected attachments — even from known contacts — with suspicion, and avoid opening script and executable file types unless their legitimacy has been independently verified.
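As an added illustration of the triage point in the first bullet (example code written for this page, not from Kaspersky's report or The Hacker News), the Python below parses constructed process-creation log lines and flags the two behaviors the article names: a WhatsApp Desktop process spawning a Windows script host, and one of the risky file types from the reporting run out of a Downloads folder (the WhatsApp Web delivery path). The pipe-delimited key=value log format, user names and file paths are constructed assumptions, not real telemetry.

```python
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WHATSAPP_PARENTS = {"whatsapp.root.exe", "whatsapp.exe"}
# File types Kaspersky lists as not to be opened unless verified, matched here
# only when launched from a Downloads folder (the WhatsApp Web delivery path).
DOWNLOADS_RISKY = re.compile(
    r"\\downloads\\[^|]*\.(?:vbs|vbe|exe|bat|cmd|js|ps1)(?:\s|$)", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=value|Key=value' process-creation line."""
    return {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in line.split("|"))}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(line: str) -> Optional[str]:
    """Label a process-creation event, or return None when it looks benign."""
    ev = parse_event(line)
    parent = basename(ev.get("parentimage", ""))
    image = basename(ev.get("image", ""))
    cmd = ev.get("commandline", "")
    # Strongest signal in the article: WhatsApp.Root.exe spawning WScript.exe.
    if parent in WHATSAPP_PARENTS and image in SCRIPT_HOSTS:
        return "whatsapp_spawned_script_host"
    # Weaker signal: a listed risky file type executed from a Downloads folder.
    if DOWNLOADS_RISKY.search(cmd):
        return "risky_file_run_from_downloads"
    return None

def triage(lines) -> list:
    """Return (label, line) pairs for every event that deserves a closer look."""
    return [(lab, ln) for ln in lines if (lab := classify(ln))]

# Constructed sample events (not real telemetry); paths and users are illustrative.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.Root.exe"
    r"|Image=C:\Windows\System32\WScript.exe"
    r"|CommandLine=WScript.exe C:\Users\alice\AppData\Local\Temp\Financial Reports.vbs",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WScript.exe"
    r"|CommandLine=WScript.exe C:\Users\bob\Downloads\Account Statement.vbs",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Office\WINWORD.EXE"
    r"|CommandLine=WINWORD.EXE C:\Users\bob\Downloads\Q1 report.docx",
    r"ParentImage=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.Root.exe"
    r"|Image=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe|CommandLine=WhatsApp.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The first rule is the high-confidence one; the Downloads rule will also catch legitimate scripts a user runs from that folder, so it is better suited to a hunting query than to a paging alert.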

Advice recorded in the reporting and outstanding questions

Kaspersky advised caution: "Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts," and specifically listed file types that should not be opened unless verified — VBS, VBE, EXE, BAT, CMD, JS, and PS1. The company also notes the campaign’s multilingual filenames and Windows Update-themed comments as deliberate attempts to lower suspicion.

Open facts in the report include how the attackers gained access to the WhatsApp accounts used to distribute the VBScript attachments and whether the infrastructure overlap with prior Gh0st RAT and ValleyRAT activity indicates a persistent actor or only shared resources. The observable chain — from deceptive VBScript to ManageEngine RMM Central installation — is clear; the provenance of the accounts and intent beyond establishing remote access remain less so.

For the full technical writeup and indicators, see the original report on The Hacker News: https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html