Ethical Hacking News
A new and sophisticated campaign has been identified, which leverages WhatsApp messages to distribute malicious Visual Basic Script (VBS) files that hijack Windows systems via User Account Control (UAC) bypass techniques. Microsoft has issued a warning about this threat, emphasizing the importance of staying vigilant and taking proactive measures to protect Windows systems.
Microsoft has warned about a new campaign using WhatsApp messages to distribute malicious Visual Basic Script (VBS) files. The VBS files bypass User Account Control (UAC) and create hidden folders, blending in with normal system activity. The attackers aim to establish persistence, escalate privileges, and install malicious Microsoft Installer (MSI) packages. The malware weakens UAC settings, continuously attempts to launch cmd.exe with elevated privileges, and embeds persistence mechanisms. Organizations must take immediate action to secure their systems by ensuring software updates, implementing robust firewall rules, and monitoring system logs. Users should exercise caution when receiving unsolicited WhatsApp messages or links from unknown senders and verify authenticity before executing any links or files.
Microsoft has issued a warning about a new and sophisticated campaign that leverages WhatsApp messages to distribute malicious Visual Basic Script (VBS) files, which are being used to hijack Windows systems via User Account Control (UAC) bypass techniques. This campaign is considered particularly dangerous due to its use of social engineering tactics, stealthy techniques, and cloud-based payload hosting.
The campaign began in late February 2026 and has been leveraging WhatsApp messages to distribute the malicious VBS files. Once executed, these scripts create hidden folders in "C:\ProgramData" and drop renamed versions of legitimate Windows utilities like "curl.exe" (renamed as "netapi.dll") and "bitsadmin.exe" (renamed as "sc.exe"). These actions are designed to blend in with normal system activity and increase the likelihood of success for the attackers.
Upon gaining an initial foothold, the attackers aim to establish persistence and escalate privileges, ultimately installing malicious Microsoft Installer (MSI) packages on victim systems. To do so, the renamed binaries are used to download auxiliary VBS files hosted on AWS S3, Tencent Cloud, and Backblaze B2.
The malware then tampers with UAC settings to weaken system defenses: it repeatedly attempts to launch cmd.exe with elevated privileges until UAC elevation succeeds or the process is forcibly terminated, modifies registry entries under HKLM\Software\Microsoft\Win, and embeds persistence mechanisms so that the infection survives system reboots. Together, the registry manipulation and the UAC bypass techniques let the threat actors obtain elevated privileges without any user interaction.
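The two host-side indicators described above, renamed Windows utilities dropped in hidden folders under C:\ProgramData and weakened UAC settings, can be checked with the following PowerShell audit. This is an added example written for this page, not code from the article or from Microsoft; it assumes the dropped files keep their original version metadata (a renamed curl.exe still carries OriginalFilename "curl.exe"), and it checks the standard UAC policy values because the article does not name the exact registry values the malware edits.

```powershell
# Added defensive example: hunt for masqueraded binaries in hidden ProgramData
# folders and report whether the standard UAC policy values have been weakened.

function Find-MasqueradedBinaries {
    param([string]$Root = 'C:\ProgramData')
    # The report says the scripts drop files into hidden folders under ProgramData.
    $dirs = Get-ChildItem -Path $Root -Directory -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir.FullName -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            # A renamed curl.exe keeps OriginalFilename "curl.exe" even when stored as netapi.dll;
            # any mismatch between the on-disk name and the embedded name is worth a look.
            if ($orig -and ($orig -ne $_.Name)) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFilename = $orig
                    SizeBytes        = $_.Length
                }
            }
        }
    }
}

function Test-UacPolicy {
    # Standard UAC policy location (assumption: the article does not state which values the malware edits).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    # Hardened baseline: EnableLUA=1, ConsentPromptBehaviorAdmin not 0 (0 = elevate silently),
    # PromptOnSecureDesktop=1.
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Weakened                   = ($p.EnableLUA -ne 1) -or
                                     ($p.ConsentPromptBehaviorAdmin -eq 0) -or
                                     ($p.PromptOnSecureDesktop -ne 1)
    }
}

Find-MasqueradedBinaries | Format-Table -AutoSize
Test-UacPolicy | Format-List
```

Run it from an elevated prompt so hidden folders and the policy key are readable; a non-empty masquerade table or Weakened = True warrants a closer look at the host.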
The campaign demonstrates a sophisticated infection chain combining social engineering (WhatsApp delivery), stealth techniques (renamed legitimate tools, hidden attributes), and cloud-based payload hosting. Microsoft has emphasized the importance of staying vigilant and taking proactive measures to protect Windows systems from this type of threat.
In response to this new threat, it is essential for organizations to take immediate action to secure their systems. This includes ensuring that all software and systems are up to date with the latest security patches, implementing robust firewall rules, and regularly monitoring system logs for suspicious activity. By taking these steps, organizations can significantly reduce the risk of falling victim to this sophisticated campaign.
Furthermore, it is crucial for users to be aware of the risks associated with WhatsApp messages and to exercise caution when receiving unsolicited messages or links from unknown senders. This includes verifying the authenticity of the message before executing any links or files, and reporting suspicious activity to the relevant authorities.
In conclusion, Microsoft's warning about this new campaign highlights the evolving nature of cybersecurity threats. As technology continues to advance, so too do the tactics used by attackers to compromise systems. By staying informed and taking proactive measures, individuals can significantly reduce their risk of falling victim to these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Microsoft-Warns-of-Sophisticated-WhatsApp-Delivered-VBS-Malware-Campaign-Hijacking-Windows-via-UAC-Bypass-ehn.shtml
https://thehackernews.com/2026/04/microsoft-warns-of-whatsapp-delivered.html
https://www.theregister.com/2026/03/31/whatsapp_message_bad_msi_packages/
Published: Wed Apr 1 09:26:14 2026 by llama3.2 3B Q4_K_M