80% of the victims in this WhatsApp-distributed campaign were located in Malaysia, exposing a concentrated impact inside a broadly opportunistic operation observed across more than a dozen countries and territories.
Delivery via compromised WhatsApp accounts
In June 2026, researchers observed a live campaign that distributes malicious VBScript (VBS/VBE) files through direct messages in WhatsApp. The messages contained only an attachment and no text; multiple victims reported that contacts on their lists sent the same file to several recipients. Evidence indicates the threat actor gained access to several WhatsApp accounts and used those accounts to deliver the attachments, but the method used to compromise the accounts remains unknown.
The campaign primarily targets WhatsApp Desktop and WhatsApp Web. On WhatsApp Desktop the process tree shows WhatsApp.Root.exe spawning Windows Script Host (WScript.exe) to run the downloaded script. One observed command line demonstrates execution directly from the app:
"C:\Windows\System32\WScript.exe" "C:\Users\\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\Sessions\\Transfers\\financial reports(s).vbs"
When opened via WhatsApp Web, the file is launched from the user’s Downloads folder or browser download history; its parent process in those cases is explorer.exe or the browser process.
How the VBScript infection chain works (Stages 1–3)
The campaign uses a multi-stage VBScript chain. Stage 1 is a downloader script delivered as a VBS or VBE file that creates a working directory under C:\Users\Public\Documents\ (randomized names such as Temp_ or MSUpdate_), downloads two secondary VBScript payloads from attacker-controlled infrastructure, and executes them via WScript.exe. Variants use obfuscation—string concatenation, encoded VBScript, randomized variable names and junk content—and some copy legitimate utilities (curl.exe, bitsadmin.exe) into the working folder and rename them before use.
Stage 2 delivers two different secondary scripts. One repeatedly attempts to modify Windows User Account Control (UAC) by setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0, relaunching the command with ShellExecute and the runas verb so Windows prompts for elevation. The other downloads a ZIP archive, extracts it using the Shell.Application COM interface (CopyHere with flags to suppress prompts), and executes a setup VBScript (setup1.vbs). Download mechanisms include curl, bitsadmin, certutil, PowerShell, and direct HTTP requests; some variants strip Zone.Identifier alternate data streams from extracted files.
The RMM payload: ManageEngine Endpoint Central
The ZIP archive delivered in Stage 2 contains a preconfigured ManageEngine Endpoint Central deployment package: an MSI installer (UEMSAgent.msi), configuration files (UEMSAgent.mst, DCAgentServerInfo.json), certificates (DMRootCA.crt, DMRootCA-Server.crt), and installer scripts. The attacker’s launcher (setup1.vbs) requests administrative elevation and then silently installs the agent via msiexec.exe using the embedded configuration and certificates.
The embedded DCAgentServerInfo.json lists Endpoint Central management servers at these IP addresses:
- 202.61.160[.]208
- 202.61.160[.]202
- 202.61.160[.]201
- 202.61.160[.]160
- 202.61.160[.]137
- 38.55.151[.]63
Notably, 202.61.160[.]201 had previously been observed as command-and-control infrastructure associated with ValleyRAT and Gh0st RAT activity; the overlap could indicate infrastructure reuse but is insufficient to attribute the campaign to a known actor.
Victimology, attribution signals, and IOCs
Telemetry shows infections across Malaysia, Brazil, India, Mexico, Singapore, UK, Spain, Taiwan, Australia, Russia and Vietnam, with roughly 80% of observed victims in Malaysia. The operation appears broad and opportunistic, targeting individual users rather than specific industries or organizations. At the time of reporting the campaign remained active.
Several artifacts point toward a possible Chinese-speaking operator: multiple VBS samples contain comments and module descriptions written in simplified Chinese characters, repeated across variants. The report assesses with low confidence that a Chinese-speaking operator conducted the campaign; investigators note that further infrastructure or operational indicators would be required for stronger attribution.
Representative IOCs (samples, file names, domains and attacker-controlled servers) observed in the analysis include numerous VBS filenames such as Financial Reports.vbs, Debt confirmation.vbs, Statement of Debt(30K).vbs and localized names like Extrato de Conciliação.vbs and Sila semak bil anda.vbs, as well as domains and storage locations including:
- temu.baskwms[.]top
- invoice.msopsa[.]top
- baolongwes.oss-ap-southeast-1.aliyuncs[.]com
- several S3-compatible and Backblaze storage buckets in ap-southeast-1 and us-east-005
Attacker-controlled UEMS server IP addresses include the six listed above.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Verify EDR/antivirus coverage for script-based downloaders and monitor process trees that show WScript.exe launched by WhatsApp.Root.exe or by explorer/browser processes immediately after a WhatsApp download. Block or alert on silent MSI installations that use the listed management server IPs.
- Procurement and enterprise IT: The campaign installs a legitimate remote-monitoring product (ManageEngine Endpoint Central) as a persistence and remote access mechanism; ensure that legitimate supplier deployments and agent provisioning are authorized and that certificates and server endpoints are validated against procurement records.
- End users and the public: Treat unexpected attachments over messaging apps—especially VBS, VBE, EXE, BAT, CMD, JS and PS1 files—as high-risk, even when sent by known contacts, and avoid opening them unless their legitimacy is independently verified.
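The monitoring recommendation above and the chain described under Stages 1–2 can be expressed as detection logic over endpoint telemetry. The following is an added example, not code from the original report or from ManageEngine: it scores Sysmon-style ProcessCreate (Event ID 1) and RegistryEvent (Event ID 13) records against the behaviours the report names (WScript.exe spawned by WhatsApp.Root.exe from the WhatsApp Desktop Transfers folder, VBS/VBE scripts run from Downloads or from C:\Users\Public\Documents\Temp_*/MSUpdate_*, ConsentPromptBehaviorAdmin set to 0, and a quiet msiexec install of UEMSAgent.msi). The sample events, user name, session id, staging suffix, WhatsApp.Root.exe location and the msiexec switches are constructed assumptions.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # WhatsApp Web delivery path
# Path fragments and file names come from the report; the regexes are this example's own.
WHATSAPP_TRANSFERS = re.compile(r"whatsappdesktop_[^\\]+\\localstate\\sessions\\.*transfers\\", re.I)
PUBLIC_STAGING = re.compile(r"c:\\users\\public\\documents\\(temp_|msupdate_)", re.I)
SCRIPT_IN_DOWNLOADS = re.compile(r'\\downloads\\[^"]*\.vb[se]\b', re.I)
UAC_VALUE = re.compile(r"policies\\system\\consentpromptbehavioradmin$", re.I)
UEMS_MSI = re.compile(r"uemsagent\.msi", re.I)
QUIET_SWITCH = re.compile(r"(?:^|\s)/q(?:n|b|uiet)?\b", re.I)  # assumption: "silently" means a quiet switch

def _basename(path): return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the detection names one Sysmon-style event matches (empty list if clean)."""
    hits = []
    if ev.get("EventID") == 13:  # RegistryEvent (value set): UAC admin prompt lowered to 0
        if UAC_VALUE.search(ev.get("TargetObject", "")) and re.fullmatch(r"0|DWORD \(0x0+\)", str(ev.get("Details", "")).strip()):
            hits.append("uac_consent_prompt_disabled")
        return hits
    if ev.get("EventID") != 1:  # only ProcessCreate is handled below
        return hits
    image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS:
        if parent == "whatsapp.root.exe" or WHATSAPP_TRANSFERS.search(cmd):
            hits.append("wsh_launched_from_whatsapp_desktop")
        if parent in USER_LAUNCHERS and SCRIPT_IN_DOWNLOADS.search(cmd):
            hits.append("wsh_script_from_downloads")
        if PUBLIC_STAGING.search(cmd):
            hits.append("wsh_from_public_documents_staging")
    if image == "msiexec.exe" and UEMS_MSI.search(cmd) and QUIET_SWITCH.search(cmd):
        hits.append("silent_endpoint_central_agent_install")
    return hits

def scan(events: list) -> dict:
    """Map event index -> detections for every event that triggers at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}

# Constructed sample telemetry (not from the report); user name, session id, staging suffix, WhatsApp.Root.exe location and msiexec switches are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Program Files\WindowsApps\WhatsApp.Root.exe", "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\Sessions\s1\Transfers\financial reports(s).vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Debt confirmation.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\System32\WScript.exe", "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\MSUpdate_7c1\stage2.vbs"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\WScript.exe", "CommandLine": r'msiexec.exe /i "C:\Users\Public\Documents\MSUpdate_7c1\UEMSAgent.msi" TRANSFORMS="UEMSAgent.mst" /qn'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Tools\nightly-backup.vbs"'},  # benign control
]
```

Feed real Sysmon events through `scan()` after mapping the same field names; the benign control shows that a script host alone is not enough, the parent and path context is what fires each rule.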
The campaign demonstrates how legitimate administrative tooling can be repackaged inside a scripted, multi-stage delivery chain launched from compromised messaging accounts. Key open questions remain: how WhatsApp accounts were compromised and whether infrastructure overlaps will yield stronger attribution. The campaign was active at the time of reporting, and the original analysis is available here: