A new campaign is leveraging WhatsApp messages to deliver malicious Visual Basic Script (VBS) files in a multi-stage infection chain designed to establish persistence on victim systems and enable remote access. Microsoft’s threat hunting team says it wasn’t able to determine specific lures used to trick users.
The campaign combines social engineering with “living-off-the-land” techniques that involve renaming trusted Windows utilities, and it stages payloads on legitimate cloud platforms such as AWS, Tencent Cloud, and Backblaze B2.
The attack begins when the victim receives a WhatsApp message containing a malicious VBS file. Once executed, the script creates hidden directories under C:\ProgramData and drops renamed copies of legitimate Windows tools, including curl.exe and bitsadmin.exe, disguised as system files. Those copies are then used to retrieve additional payloads hosted on trusted cloud infrastructure, so the downloads blend in with ordinary traffic to those services.
The attackers then attempt to maintain persistence and escalate privileges by downloading and executing secondary VBS scripts, which ultimately install malicious Microsoft Installer (MSI) packages that bundle legitimate remote access tools.
Researchers note that the malware tampers with User Account Control (UAC) settings and modifies registry keys. It repeatedly attempts to run commands with elevated privileges, retrying until it succeeds or is interrupted. This lets the attackers weaken security controls and install persistence mechanisms that survive system reboots.
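Two of the behaviours described above are cheap to hunt for in endpoint telemetry: a trusted utility running under a different file name (the renamed curl.exe and bitsadmin.exe copies) and registry writes that weaken UAC. The script below is an added detection sketch, not code from Microsoft or from the campaign; it runs over constructed Sysmon-style records (Event ID 1 process creation with the PE OriginalFileName field, Event ID 13 registry value set). The UAC key path and value names are standard Windows policy settings and are an assumption here, since the article does not say which keys the malware changes; the watched-utility list contains only the two tools the article names.

```python
"""Added example: hunt for renamed LOLBins and UAC-weakening registry writes
in Sysmon-style events. Sample events below are constructed, not real telemetry."""
import json
import ntpath
import re

# Utilities the article reports being copied under new names; extend as needed.
WATCHED_ORIGINAL_NAMES = {"curl.exe", "bitsadmin.exe"}

# Standard UAC policy location (assumption: the article does not name the keys).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_WEAK_VALUES = {
    "EnableLUA": {0},                   # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": {0},  # 0 elevates admins without any prompt
    "PromptOnSecureDesktop": {0},       # 0 shows prompts on the normal desktop
}

PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)


def renamed_lolbin(event):
    """Event ID 1: the PE's OriginalFileName is a watched utility but the
    on-disk image name differs, e.g. bitsadmin.exe dropped as svchost.exe."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    if original in WATCHED_ORIGINAL_NAMES and ntpath.basename(image).lower() != original:
        return {"rule": "renamed_lolbin", "image": image, "original": original,
                "in_programdata": bool(PROGRAMDATA.match(image))}
    return None


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; return the int or None."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]{8})\)", details)
    return int(m.group(1), 16) if m else None


def uac_tamper(event):
    """Event ID 13: a UAC policy value was set to a weakening setting."""
    if event.get("EventID") != 13:
        return None
    key, _, value_name = event.get("TargetObject", "").rpartition("\\")
    if key.lower() != UAC_KEY.lower() or value_name not in UAC_WEAK_VALUES:
        return None
    data = parse_dword(event.get("Details", ""))
    if data in UAC_WEAK_VALUES[value_name]:
        return {"rule": "uac_tamper", "value": value_name, "data": data,
                "process": event.get("Image")}
    return None


def scan(events):
    """Run every check over every event and collect the hits."""
    alerts = []
    for ev in events:
        for check in (renamed_lolbin, uac_tamper):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events mimicking the campaign's behaviour.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\.cache\svchost.exe",
     "OriginalFileName": "bitsadmin.exe"},          # renamed bitsadmin: hit
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe"},               # genuine curl: no hit
    {"EventID": 1, "Image": r"C:\ProgramData\.cache\winlog.exe",
     "OriginalFileName": "curl.exe"},               # renamed curl: hit
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},              # UAC disabled: hit
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin",
     "Details": "DWORD (0x00000005)"},              # default prompt value: no hit
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The OriginalFileName comparison is what makes the first rule resilient to renaming: it reads the name compiled into the PE version resource rather than the name on disk, so a copy of bitsadmin.exe called svchost.exe still surfaces. Pair it with the location flag (a copy of a system utility living under C:\ProgramData is itself unusual) to prioritise triage.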