Ethical Hacking News

WhatsApp Malware Campaign Hijacks Trust, Installs Legitimate Admin Tools: A Case Study


A recent WhatsApp malware campaign used deceptive file names masquerading as business and financial documents to spread a malicious VBScript that installed legitimate-looking remote management tools. The threat actor targeted users in multiple countries, including Malaysia, Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, and Vietnam. Kaspersky assesses with low confidence that the operator is Chinese-speaking, based on simplified Chinese comments embedded throughout the scripts. Users are advised to be cautious when receiving unexpected attachments through WhatsApp, even from trusted contacts.

  • Phishing campaigns targeting WhatsApp users have increased, hijacking accounts and spreading malware.
  • Attackers use deceptive file names and compromised accounts to trick victims into downloading attachments.
  • The infection runs in three stages, with the final stage installing a legitimate-looking remote management tool.
  • Users should be cautious of unexpected attachments and verify script and executable files before opening them.
  • User awareness is crucial in preventing phishing attacks and falling victim to sophisticated malware campaigns.



In recent months there has been a rise in sophisticated phishing campaigns that target WhatsApp users, hijacking their accounts and spreading malware that installs legitimate-looking remote management tools. According to Kaspersky, the Russian security firm that published a technical analysis of the campaign, this particular threat actor used deceptive file names masquerading as business and financial documents to persuade recipients to download and execute attachments.

The messages contained only one attachment: a VBScript file with a misleading name such as "Statement of Debt(30K).vbs" or "Outstanding Payment List.vbs". These files were sent from contacts the victim already knew, which was the whole point: the attackers used compromised WhatsApp accounts to distribute the malicious files to everyone on those accounts' contact lists.

The infection runs in three stages. In the first stage, a VBScript creates a hidden working directory under C:\Users\Public\Documents and downloads two more scripts from attacker-controlled servers. These scripts use heavy obfuscation, including randomized variable names, strings concatenated character by character, and chunks of junk content.

The second-stage scripts handle two tasks separately: one tries to disable the Windows UAC prompt by modifying a registry key so that administrative actions no longer ask for confirmation, and the other downloads a ZIP archive containing the actual payload. The UAC-modification script applies the registry change in a loop with short delays between attempts, retrying until it either succeeds or the user has dismissed enough prompts for it to give up.

Inside that ZIP is a pre-configured ManageEngine Endpoint Central deployment package, a legitimate enterprise remote management tool. The setup script installs it silently so the user sees nothing, then connects the newly installed agent to attacker-controlled management servers.
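As an added illustration (not code from the article or from Kaspersky's report), the following Python pass runs over constructed Sysmon-style process and registry events and flags each of the three stages described above: a script host launching a .vbs from the Public\Documents staging directory, registry writes that set the standard UAC policy values to 0 (the article does not name the specific key the script modified, so EnableLUA and ConsentPromptBehaviorAdmin are an assumption about what an analyst would audit), and a silent installer launched from the same directory. The event layout, the hidden subfolder name, the installer file name and its flags are all constructed samples, not indicators from the report.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Standard UAC policy location and the values that silence admin prompts.
# ASSUMPTION: the article does not name the key the script modified; these
# are the usual values an analyst would audit for a "UAC disabled" change.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_DISABLED = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_DIR = r"c:\users\public\documents"   # compared case-insensitively
LURE_RE = re.compile(r"debt|payment|invoice|statement|outstanding", re.I)
SILENT_RE = re.compile(r"/s\b|/silent|/verysilent|/quiet|/qn")


@dataclass
class Alert:
    stage: str        # stage1 / stage2 / stage3, as in the article
    reason: str
    event_id: int


def _dword(details: str) -> int:
    """Parse a Sysmon-style 'DWORD (0x00000000)' string or a bare number."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else int(details)


def analyze(events):
    """Return one Alert per event that matches a stage of the described chain."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["Image"].rsplit("\\", 1)[-1].lower()
            cmd = ev["CommandLine"].lower()
            # Stage 1: script host running a .vbs staged under Public\Documents
            if image in SCRIPT_HOSTS and ".vbs" in cmd and STAGING_DIR in cmd:
                reason = "script host running .vbs from Public\\Documents"
                if LURE_RE.search(cmd):
                    reason += " with financial-themed name"
                alerts.append(Alert("stage1", reason, ev["id"]))
            # Stage 3: silent installer launched from the same staging directory
            elif STAGING_DIR in cmd and SILENT_RE.search(cmd):
                alerts.append(Alert("stage3", "silent install from Public\\Documents", ev["id"]))
        elif ev["type"] == "registry":
            key, _, name = ev["TargetObject"].rpartition("\\")
            if key.lower() == UAC_KEY.lower() and name in UAC_DISABLED:
                value = _dword(ev["Details"])
                if value == UAC_DISABLED[name]:
                    alerts.append(Alert("stage2", f"UAC weakened: {name} set to {value}", ev["id"]))
    return alerts


def summarize(alerts):
    """Count alerts per stage; several stage2 hits in a row reflect the retry loop."""
    return dict(Counter(a.stage for a in alerts))


# Constructed sample events (hidden folder ".x", "setup.exe" and "/silent" are placeholders).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\.x\Statement of Debt(30K).vbs"'},
    {"id": 2, "type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    {"id": 3, "type": "registry", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"id": 4, "type": "registry", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    {"id": 5, "type": "process", "Image": r"C:\Users\Public\Documents\.x\agent\setup.exe",
     "CommandLine": r'"C:\Users\Public\Documents\.x\agent\setup.exe" /silent'},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"event {a.event_id}: {a.stage} - {a.reason}")
    print(summarize(found))
```

The benign notepad event produces nothing, while the two identical registry writes from the same script host each raise a stage2 alert; in a real telemetry pipeline that repetition with short spacing is itself the signal for the retry loop the article describes.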

Kaspersky assesses with low confidence that the operator is Chinese-speaking, based on the simplified Chinese comments embedded throughout the scripts. However, they conclude that the available evidence is insufficient to confidently attribute the campaign to a known threat actor.

Users should be cautious when receiving unexpected attachments through WhatsApp, even when they appear to originate from known contacts. Script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should not be opened unless their legitimacy has been independently verified.

This incident highlights the importance of user awareness in preventing phishing attacks and falling victim to sophisticated malware campaigns. By being more vigilant and informed about potential threats, users can protect themselves from falling prey to such malicious activities.



Related Information:
  • https://www.ethicalhackingnews.com/articles/WhatsApp-Malware-Campaign-Hijacks-Trust-Installs-Legitimate-Admin-Tools-A-Case-Study-ehn.shtml
  • https://securityaffairs.com/194031/malware/whatsapp-malware-campaign-hijacks-trust-installs-legitimate-admin-tools.html


Published: Mon Jun 22 16:12:25 2026 by llama3.2 3B Q4_K_M