- WhatsApp files deliver VBS malware that installs silently and gains full control
- Hidden folders and renamed Windows tools let attackers blend into normal system operations
- Malware retrieves secondary scripts from trusted cloud services to avoid detection
Microsoft has identified a multi-stage malware campaign that uses WhatsApp to deliver Visual Basic Script (VBS) files and exploits the trust users place in familiar messaging platforms.
Attackers send harmless-looking files through WhatsApp, but opening them triggers a silent installation that gives adversaries hidden control of the system.
Once executed, the scripts create hidden folders under C:\ProgramData and drop renamed copies of legitimate Windows utilities there, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe.
By placing these tools in normal system paths, attackers let them blend into routine operations, even though security solutions can still identify them from the original file metadata.
The malware alters system settings so that it starts automatically after each reboot, ensuring survival even when users believe they have eliminated the threat.
Microsoft warns that this approach combines social engineering with persistence techniques, raising the chance of successful execution without generating immediate alerts.
“By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of a successful execution,” Microsoft said in a blog post.
After initial infection, the malware retrieves secondary payloads from cloud services, including AWS S3, Tencent Cloud, and Backblaze B2.
These droppers, distributed as auxs.vbs and WinUpdate_KB5034231.vbs, exploit trusted cloud infrastructure and disguise malicious downloads as legitimate network traffic.
The malware also modifies User Account Control settings and repeatedly attempts to run cmd.exe with elevated privileges until it succeeds.
The malware alters registry entries under HKLM\Software\Microsoft\Win to suppress UAC prompts and grant administrative rights without the user's knowledge.
In the final stage, attackers deploy malicious Microsoft Installer (MSI) files such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi to compromised systems.
These unsigned installers provide attackers with persistent remote access and allow data theft, deployment of additional malware, or integration of infected machines into botnets.
Microsoft recommends monitoring for repeated UAC manipulation and registry modifications as key indicators of compromise.
Organizations should restrict hosts from running scripts, monitor renamed system utilities, and educate users about social engineering tactics.
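One way to hunt for the two indicators called out above, renamed system utilities and UAC registry tampering, as an added example that is not from the article or from Microsoft's own tooling. It assumes Sysmon-style process-creation and registry records with OriginalFileName and TargetObject fields; the UAC policy key path is the standard Windows location, not one quoted in the article, and the sample records and hidden folder name are constructed.

```python
import ntpath

# Well-known UAC policy key and values (standard Windows locations, not taken from the article).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Constructed Sysmon-style records (EventID 1 = process create, 13 = registry value set).
# The hidden folder name "svc_cache" is invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\svc_cache\netapi.dll", "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\svc_cache\sc.exe", "OriginalFileName": "bitsadmin.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

def renamed_tool_alert(event):
    """Flag a process whose PE OriginalFileName disagrees with the name it runs under."""
    original = event.get("OriginalFileName", "")
    if not original or original == "?":  # Sysmon writes "?" when the version resource is absent
        return None
    actual = ntpath.basename(event.get("Image", ""))
    if original.lower() != actual.lower():
        return f"renamed tool: {event['Image']} is really {original}"
    return None

def uac_tamper_alert(event):
    """Flag any write to the UAC policy values, whichever process made it."""
    key, _, value = event.get("TargetObject", "").rpartition("\\")
    if key.lower() == UAC_KEY.lower() and value in UAC_VALUES:
        return f"UAC tamper: {event['Image']} set {value} = {event.get('Details')}"
    return None

def scan(events):
    """Run both checks over a stream of records and return the alerts raised."""
    alerts = []
    for event in events:
        if event["EventID"] == 1:
            alert = renamed_tool_alert(event)
        elif event["EventID"] == 13:
            alert = uac_tamper_alert(event)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```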
Microsoft emphasizes the importance of cloud-delivered protection, tamper protection, and running endpoint detection and response (EDR) in block mode.
Security teams must closely monitor cloud traffic, as conventional detection methods may have difficulty distinguishing these operations from routine business activity.
AI tools can help analyze behavioral anomalies, correlate telemetry, and identify suspicious WhatsApp attachments.
Failure to exercise caution can result in permanent data loss as attackers gain full control of the device and access to sensitive personal information.
Microsoft emphasizes that even a single careless click could allow this malware to bypass common endpoint protections.