Ethical Hacking News
Microsoft has warned users against opening malicious WhatsApp messages that could execute harmful scripts. The attackers use social engineering tactics, including urgency, to trick victims into opening the files. The malicious Visual Basic Script (VBS) files create hidden folders and rename legitimate Windows utilities to blend in with normal network activity. Microsoft's researchers have identified a mistake made by the attackers, which allows security solutions like Microsoft Defender to flag suspicious activity. The attack campaign delivers malicious Microsoft Installer (MSI) packages, allowing attackers to control victims' machines and access their data.
In a recent warning issued by Microsoft, the tech giant has cautioned its users against opening malicious WhatsApp messages that have been designed to trick them into executing harmful scripts. According to a report published on The Register, the attack chain begins with a WhatsApp message delivered through a compromised session, allegedly from one of the victim's existing contacts.
The attackers use this tactic to create urgency, prompting the recipient to open the file in a rush. Once opened, the malicious Visual Basic Script (VBS) files are executed, creating hidden folders in C:\ProgramData and dropping renamed versions of legitimate Windows utilities - for example, curl.exe renamed as netapi.dll and bitsadmin.exe as sc.exe.
The attackers use these legitimate tools to blend in with normal network activity, a tactic known as "living off the land." However, Microsoft's researchers have noted that the miscreants made a mistake in renaming these binaries. Notably, these renamed binaries retain their original Portable Executable (PE) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe.
This metadata discrepancy allows security solutions like Microsoft Defender to flag instances where a file's name does not match its embedded OriginalFileName. The attackers attempt to use these renamed binaries to download secondary VBS payloads from trusted cloud services, including AWS, Tencent Cloud, and Backblaze B2. This makes it more challenging to distinguish between normal enterprise activity and malicious downloads.
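The mismatch described above can be checked locally without any vendor tooling, because the OriginalFilename field is part of the PE version resource and is readable through .NET's FileVersionInfo. The script below is an added example, not code from Microsoft, The Register or the reporting on this campaign; it walks a directory tree (defaulting to C:\ProgramData, the location named in the report, including hidden folders) and lists every .exe or .dll whose on-disk name differs from its embedded OriginalFilename. The default paths, extensions and output columns are assumptions chosen for illustration.

```powershell
# Added example (hypothetical, not from the original report): hunt for renamed
# Windows utilities by comparing each file's on-disk name with the OriginalFilename
# recorded in its PE version resource. Defaults below are assumptions.
param(
    [string[]]$Paths      = @("$env:ProgramData"),
    [string[]]$Extensions = @('.exe', '.dll')
)

function Get-RenamedBinaries {
    param([string[]]$Paths, [string[]]$Extensions)

    # -Force includes hidden files and folders, which the report says the dropper creates.
    Get-ChildItem -Path $Paths -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $info     = $_.VersionInfo          # System.Diagnostics.FileVersionInfo
            $original = $info.OriginalFilename

            # Files with no version resource cannot be judged this way; skip them.
            if ([string]::IsNullOrWhiteSpace($original)) { return }

            # Some resources carry trailing padding; normalise before comparing.
            $original = $original.Trim().TrimEnd([char]0)

            # -ne is case-insensitive in PowerShell, matching NTFS name semantics.
            if ($original -ne $_.Name) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFileName = $original
                    Hidden           = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    CompanyName      = $info.CompanyName
                    Signed           = (Get-AuthenticodeSignature $_.FullName).Status
                }
            }
        }
}

Get-RenamedBinaries -Paths $Paths -Extensions $Extensions | Format-Table -AutoSize
```

A hit is a lead, not a verdict: plenty of legitimate software ships binaries whose OriginalFilename differs from the deployed name (installer stubs, MUI resources, vendor-rebranded tools), so triage on the combination shown in the report, a Microsoft-signed utility such as curl.exe or bitsadmin.exe sitting under a different name in a hidden ProgramData folder, rather than on the mismatch alone. Microsoft Defender for Endpoint exposes the same field for process telemetry as ProcessVersionInfoOriginalFileName in the DeviceProcessEvents advanced-hunting table, which lets the same comparison run fleet-wide.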
The Register has reported that the attack campaign began in late February and is believed to be a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages. These packages allow attackers to control victims' machines and access all of their data. Microsoft's researchers are still investigating the exact details of the social engineering part of the scam.
The Register also reached out to Meta-owned WhatsApp for comment, but did not receive a response. This lack of communication raises questions about the effectiveness of WhatsApp's security measures in preventing such attacks.
It is essential for users to be cautious when opening messages from unknown contacts and to verify the authenticity of any message before opening a file it carries, even when the message appears to come from a known contact, since the report describes the messages arriving through a compromised session. By being aware of these tactics, individuals can reduce their risk of falling victim to these types of attacks.
The use of social engineering attacks has become increasingly prevalent in recent years, with attackers using various tactics to trick victims into divulging sensitive information or installing malware on their devices. As technology advances, it is essential for users to stay vigilant and adapt to new threats as they emerge.
In conclusion, the latest WhatsApp scam targeting Microsoft users highlights the importance of being aware of potential security risks and taking proactive measures to protect oneself from such attacks. By staying informed and being cautious when interacting with messages from unknown sources, individuals can significantly reduce their risk of falling victim to these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Warning-Unlocked-The-Deceptive-WhatsApp-Scam-Targeting-Microsoft-Users-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/31/whatsapp_message_bad_msi_packages/
https://securityshelf.com/2026/03/31/dont-open-that-whatsapp-message-microsoft-warns/
https://www.forbes.com/sites/zakdoffman/2025/04/18/do-not-use-these-apps-microsoft-warns-windows-and-mac-users/
Published: Tue Mar 31 16:47:58 2026 by llama3.2 3B Q4_K_M