An unknown actor has compromised multiple WhatsApp accounts and is using them to distribute malicious VBScript files through direct messages, with native execution on Windows via WhatsApp Desktop. The campaign has been active since June 2026 and affects at least 11 countries and territories, with the highest concentration of victims in Malaysia. The findings come from a technical analysis published on Kaspersky's Securelist by the GReAT research team, based on sample analysis, telemetry, and dynamic analysis.
The attack exploits the "trust paradox" of messaging platforms: the message arrives from a known contact, lowering the guard of even technically savvy users. The attack surface is WhatsApp Desktop, not the mobile app: the Windows client hands the file to the built-in Windows Script Host, so the script runs natively, without the sandboxing that constrains the Android and iOS apps.
- Compromised WhatsApp accounts send VBScript attachments to contacts from their lists, without accompanying text: the click happens because the source is trusted
- Native execution on Windows: WhatsApp.Root.exe spawns WScript.exe with a path inside WhatsApp Desktop's attachment storage container
- Three-stage chain: initial VBS → secondary VBS scripts with UAC modification and ZIP download → installation of legitimate RMM software for persistent remote access
- The final RMM software is technically legal and often whitelisted, complicating detection and incident response for organizations with employees using WhatsApp Desktop on corporate machines
How the Infection Chain Works
Infection requires two user interactions: downloading the attachment and clicking "Open" or the file icon. The VBS file is dropped into WhatsApp Desktop's local storage path:
C:\Users\
WhatsApp.Root.exe spawns WScript.exe, as confirmed by Kaspersky's process tree analysis. The initial script launches a three-stage chain: the first-stage VBS loads secondary VBS scripts that modify the UAC configuration and download a ZIP archive, culminating in the installation of legitimate RMM software for remote access.
Filenames are themed as financial and business documents: invoices, statements, debt notices, payment records. Localization covers four languages: Portuguese, French, German, and Malay. Documented examples include 'Le formulaire de demande le plus récent.vbs' and 'Bitte füllen Sie das Formular für Umsatzsteuer-Nullsatz-Verkäufe aus.vbs'. Each attachment contains Chinese comments mimicking Windows Update components, a misdirection technique that is not an attribution indicator.
Geography and Scale of the Operation
Kaspersky identified victims in 11 countries and territories: Malaysia, Brazil, India, Mexico, Singapore, United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. The largest number of observed victims is concentrated in Malaysia. Evidence of account compromise comes from victims' social media posts and the pattern of sending the same attachment to multiple contacts from single accounts, documented in the security firm's telemetry.
The report identifies no infrastructure overlaps linking the actor to known threat groups, and the operator's identity remains unknown. The method used to compromise the WhatsApp accounts is also undetermined: the report does not specify whether it involves credential stuffing, phishing, vulnerability exploitation, or another vector.
"In June 2026, we observed a malware campaign distributing malicious VBScript files through direct messages in WhatsApp" — Kaspersky Securelist
Why WhatsApp Desktop Is the Ideal Attack Surface
The vector is significant because it breaks users' mental model of where an attachment can execute. Mobile platforms operate in rigid sandboxes: iOS and Android limit arbitrary code execution. WhatsApp Desktop on Windows instead inherits the operating system's native execution model, with Windows Script Host available by default.
This asymmetry is underestimated in corporate policies. Employees using WhatsApp Desktop on corporate machines introduce a direct delivery channel into the security perimeter, with execution occurring outside the browser and the typical web protection stack. The use of legitimate RMM as the final payload adds another evasion layer: the software is signed, recognized, and frequently whitelisted, making its presence indistinguishable from a legitimate technical support installation.
The dossier does not specify the name of the installed RMM software, nor the post-infiltration objective: remote access for data theft, ransomware, business email compromise, or other purpose is not documented. The total number of victims is not quantified beyond the observed geography and distribution.
What to Do Now
The following actions derive directly from the Kaspersky analysis and apply specifically to this VBScript/RMM campaign via WhatsApp Desktop:
Verify attachments from compromised contacts. Malicious messages contain only the attachment, without accompanying text. An account sending the same file to multiple contacts is a documented compromise pattern: treat every VBS attachment from a known contact with the same caution as an unknown attachment.
Inspect the WhatsApp Desktop storage path. The execution path is fixed: C:\Users\. .vbs files in this directory that do not correspond to intentional downloads are an indicator of ongoing infection.
Monitor the WhatsApp.Root.exe → WScript.exe process tree. The parent-child relationship between WhatsApp Desktop and Windows Script Host is the documented malicious execution signal. Its presence indicates the three-stage chain has been initiated.
Review RMM policy on corporate endpoints with WhatsApp Desktop. The final payload is legitimate RMM software, often whitelisted. Traditional signature-based malware detection fails: what's needed is control over unauthorized RMM installations, not detection of their malicious nature.
Restrict WhatsApp Desktop on machines with access to sensitive corporate data. The campaign requires two user clicks for full infection. Reducing the attack surface means separating consumer messaging platforms from endpoints with access to critical infrastructure.
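The two detection signals above (the WhatsApp.Root.exe → WScript.exe parent-child relationship, and Windows Script Host running a .vbs from the user-profile attachment store under C:\Users\) can be turned into a simple rule over process-creation telemetry. The following is an added example, not code from the Kaspersky report or from WhatsApp; it assumes Sysmon Event ID 1 (ProcessCreate) field names (ParentImage, Image, CommandLine, User), and every sample event, user name, and directory in it is constructed, with the WhatsApp install directory and attachment-store directory written as placeholders because the report does not spell them out in full.

```python
"""Flag the WhatsApp.Root.exe -> WScript.exe execution pattern in
process-creation telemetry (added example; field names follow Sysmon
Event ID 1, sample records below are constructed)."""
import re

# A .vbs somewhere under C:\Users\ referenced on the WScript.exe command line.
# The report places WhatsApp Desktop's attachment store under that prefix;
# the exact sub-path is not reproduced here.
VBS_UNDER_USERS = re.compile(r'"?(C:\\Users\\[^"]*?\.vbs)"?', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles mixed separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the documented campaign signals that this event matches."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    # Signal 1: WhatsApp Desktop's root process spawning Windows Script Host.
    if parent == "whatsapp.root.exe" and image == "wscript.exe":
        reasons.append("WhatsApp.Root.exe spawned WScript.exe")

    # Signal 2: Windows Script Host executing a .vbs from a user profile.
    if image == "wscript.exe":
        match = VBS_UNDER_USERS.search(cmdline)
        if match:
            reasons.append(f"WScript.exe running user-profile VBS: {match.group(1)}")
    return reasons


def scan(events: list) -> list:
    """Evaluate every event; both signals together rank higher than one."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append({
                "record_id": ev.get("RecordId"),
                "user": ev.get("User"),
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry. WHATSAPP_INSTALL_DIR and
# WHATSAPP_ATTACHMENT_STORE are placeholders, not real directory names.
SAMPLE_EVENTS = [
    {"RecordId": 1, "User": "CORP\\alice",
     "ParentImage": r"C:\WHATSAPP_INSTALL_DIR\WhatsApp.Root.exe",
     "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\alice\WHATSAPP_ATTACHMENT_STORE\Le formulaire de demande le plus récent.vbs"'},
    {"RecordId": 2, "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Scripts\logon.vbs'},          # admin script, not under C:\Users\
    {"RecordId": 3, "User": "CORP\\alice",
     "ParentImage": r"C:\WHATSAPP_INSTALL_DIR\WhatsApp.Root.exe",
     "Image": r"C:\WHATSAPP_INSTALL_DIR\WhatsApp.exe",
     "CommandLine": r'"C:\WHATSAPP_INSTALL_DIR\WhatsApp.exe"'},     # normal WhatsApp child
    {"RecordId": 4, "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\Rechnung.vbs"'},  # double-clicked VBS
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["record_id"], alert["user"], "; ".join(alert["reasons"]))
```

Record 1 trips both signals and is ranked high; record 4 trips only the user-profile VBS signal and is ranked medium, which is the level a generic "user ran a script file" alert usually sits at. Records 2 and 3 show why each signal is scoped the way it is: a logon script outside C:\Users\ and WhatsApp's own child processes are not flagged. In production the same logic would sit in a SIEM or EDR query keyed on the parent-image and image fields rather than in a script reading JSON.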
Frequently Asked Questions
Does the risk require WhatsApp Desktop? The campaign documented by Kaspersky targets WhatsApp Desktop on Windows, with execution via Windows Script Host. The report does not describe equivalent mechanisms for WhatsApp Web or the mobile app, but the compromise of sender accounts exposes all of their contacts regardless of client platform.
Do Chinese comments in the VBS files indicate a Chinese actor? No. Kaspersky classifies the comments as misdirection, an obfuscation and decoy technique. The dossier does not advance geographic attribution hypotheses or links to known threat groups.
Is the campaign still active? Yes. According to the source, "the campaign is still active" at the time of the analysis publication.
Information is based on the cited source and current as of publication.