

Ethical Hacking News

WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool: A Global Threat Vector



A recent WhatsApp VBScript campaign has been discovered, leveraging social engineering tactics to install the ManageEngine RMM tool. This article delves into the details of the campaign, its methods, and the implications for users, highlighting the need for increased cybersecurity awareness in the digital age.

  • The recent WhatsApp VBScript campaign has been discovered by Kaspersky, targeting users of WhatsApp Desktop and WhatsApp Web across several countries.
  • The threat actor uses social engineering tactics and fake documents to install the ManageEngine Remote Monitoring and Management (RMM) tool.
  • Deceptive file names masquerading as business and financial documents are used to persuade recipients to download and execute the attachment.
  • The VBScript files are heavily obfuscated, making it challenging for users to identify their malicious nature.
  • The threat actor is suspected to have obtained surreptitious access to several WhatsApp accounts and used them as a distribution vector.
  • Users should exercise extreme caution when receiving unexpected attachments through WhatsApp and verify the legitimacy of script and executable file types.



    The recent WhatsApp VBScript campaign has been making waves in the cybersecurity community, as researchers have uncovered a sophisticated threat vector that leverages social engineering tactics and fake documents to install the ManageEngine Remote Monitoring and Management (RMM) tool. This article aims to delve into the details of this campaign, its methods, and the implications for users.

    The malicious operation was discovered by Kaspersky, a renowned cybersecurity company that has been tracking various threat actors across the globe. According to the research firm, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across several countries, including Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia, Russia, and Vietnam. The highest concentration of victims has been reported in Malaysia.

    The threat actor behind this operation has employed a clever tactic: using deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment. The VBScript files are heavily obfuscated, making it challenging for users to identify their malicious nature. Upon execution, the script initiates a multi-stage infection chain that ultimately results in the installation of legitimate RMM software, enabling remote access to the victim's system.

    The threat actor is suspected to have obtained surreptitious access to several WhatsApp accounts and used them as a distribution vector for the VBScript files across their contacts. However, exactly how these accounts were compromised remains unclear.

    Kaspersky explained that the heavily obfuscated VBScript files contain extensive comments and metadata intended to mimic legitimate Microsoft Windows Update components. Some of the files are also named in other languages, reflecting the global nature of the campaign. Furthermore, the script uses "WScript.exe" as a launchpad, which then fetches and runs additional VBScript components required for the next stages of the attack.

    The infection chain behaves differently depending on whether the victim is using WhatsApp Web or WhatsApp Desktop. In the case of WhatsApp Web, the attack relies on the user downloading the file to their system and then opening it from the Downloads folder or via the browser's download history, assuming it to be a legitimate document. In contrast, WhatsApp Desktop executes the malware directly within the application.

    The primary objective of the VBScript is to download two secondary VBScript payloads from a remote server. One attempts to tamper with Windows User Account Control (UAC) behavior, while the other downloads and executes a ZIP file containing the installation package for ManageEngine RMM Central. The activity remains unattributed; however, the Russian cybersecurity company found infrastructure overlaps with prior activities linked to Gh0st RAT and ValleyRAT.

    In light of this campaign, users should exercise extreme caution when receiving unexpected attachments through WhatsApp, even if they appear to originate from known contacts. It is crucial to verify the legitimacy of script and executable file types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 before opening them.
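
    For defenders, the behaviour described above (WScript.exe launching a document-named script from a download location or from WhatsApp Desktop) can be expressed as a triage rule over process-creation logs. The following Python is an added example, not code from Kaspersky or the original report; the event field names, sample paths and file names, the double-extension heuristic and the WhatsApp process-name prefix are assumptions.

```python
import ntpath
import re

# Script and executable types the article says to verify before opening.
RISKY_EXT = {".vbs", ".vbe", ".exe", ".bat", ".cmd", ".js", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # WScript.exe is from the article
# Assumption: a lure fakes a document type with a double extension.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Assumption: WhatsApp Desktop image names begin with "whatsapp".
MESSENGER_PREFIX = "whatsapp"

def script_argument(command_line):
    """Return the first argument (after the host) with a risky extension."""
    tokens = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    for tok in tokens[1:]:
        if ntpath.splitext(tok)[1].lower() in RISKY_EXT:
            return tok
    return None

def triage(event):
    """Return the reasons an event needs review; an empty list means none."""
    host = ntpath.basename(event["image"]).lower()
    script = script_argument(event["command_line"])
    if host not in SCRIPT_HOSTS or script is None:
        return []
    reasons = []
    stem = ntpath.splitext(ntpath.basename(script))[0]
    if ntpath.splitext(stem)[1].lower() in DOC_EXT:
        reasons.append("double extension masquerading as a document")
    if "\\downloads\\" in script.lower():
        reasons.append("script run from a Downloads folder")
    if ntpath.basename(event["parent_image"]).lower().startswith(MESSENGER_PREFIX):
        reasons.append("script host spawned by WhatsApp Desktop")
    return reasons

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
WSH = r"C:\Windows\System32\WScript.exe"
SAMPLE_EVENTS = [
    {"image": WSH, "parent_image": r"C:\Program Files\Browser\browser.exe",
     "command_line": rf'"{WSH}" "C:\Users\dana\Downloads\Payment_Advice.pdf.vbs"'},
    {"image": WSH, "parent_image": r"C:\Apps\WhatsApp\WhatsApp.exe",
     "command_line": rf'"{WSH}" "C:\Users\dana\AppData\Local\Temp\Quotation.vbs"'},
    {"image": WSH, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": rf'"{WSH}" "C:\IT\scripts\map_drives.vbs"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(script_argument(ev["command_line"]), "->", triage(ev) or "no findings")
```

    An event with no findings is not proof of safety; the rule only ranks script-host launches that match the delivery pattern reported for this campaign.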

    In conclusion, this campaign highlights the evolving threat landscape in the digital age, where sophisticated threats are being launched through seemingly innocuous platforms like WhatsApp. As cybersecurity awareness continues to rise, it is essential for users to remain vigilant and take proactive measures to safeguard themselves against such threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/WhatsApp-VBScript-Campaign-Uses-Fake-Documents-to-Install-ManageEngine-RMM-Tool-A-Global-Threat-Vector-ehn.shtml

  • https://thehackernews.com/2026/06/whatsapp-vbscript-campaign-uses-fake.html


  • Published: Tue Jun 23 02:18:06 2026 by llama3.2 3B Q4_K_M












