Don't open that WhatsApp message, Microsoft warns

How to avoid social engineering attacks? Employee training tops the list

Jessica Lyons, Tue 31 Mar 2026 // 21:18 UTC

Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims' machines and access all of their data.

The campaign began in late February, we're told, and the attack chain starts with a WhatsApp message that delivers malicious Visual Basic Script (VBS) files.

We're not sure exactly how the social engineering part of the scam works - we've asked Redmond for additional details and will update this story if we receive any. The Register also reached out to Meta-owned WhatsApp for comment and did not hear back.

But somehow the attacker tricks the message recipient into executing the malicious file on their system. They likely do this using a compromised WhatsApp session so that the message appears to come from one of the victim's existing contacts. Or they blast users with a lure that contains a sense of urgency, prompting the recipient to open the file in a rush.

Once it's executed, the malicious script creates hidden folders in C:\ProgramData and drops renamed versions of legitimate Windows utilities - for example, curl.exe renamed as netapi.dll and bitsadmin.exe as sc.exe.

Using legitimate Windows tools for evil purposes allows attackers to blend in with normal network activity - defenders call this "living off the land" - but the miscreants did make a mistake in renaming these binaries.

"Notably, these renamed binaries retain their original PE (Portable Executable) metadata, including the OriginalFileName field which still identifies them as curl.exe and bitsadmin.exe," Microsoft's researchers wrote in a Tuesday blog.
"This means Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file's name does not match its embedded OriginalFileName."

The crims use the renamed binaries to download secondary VBS payloads (auxs.vbs, 2009.vbs) from trusted cloud services including AWS, Tencent Cloud, and Backblaze B2. Again, this makes it more difficult to distinguish between normal enterprise activity and malicious downloads.

Then the malware alters the User Account Control (UAC) settings, attempting to launch cmd.exe with elevated privileges until it either succeeds, meaning the malware will survive a system reboot, or the process is forcibly terminated.

Finally, the attackers deploy malicious MSI installers, and Microsoft says that these include Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi. Once again, the baddies use real tools like AnyDesk - not custom malware - to hide in plain sight. However, none of the final payloads are signed, and this should be another indication to defenders that they are dealing with malware, not legit enterprise software.

These installers give the attackers remote access to victims' systems so they can steal data, deploy more malware - such as ransomware - on compromised systems, or use the infected machines as part of a larger network from which to launch other attacks.

While Microsoft's blog includes several recommendations directing people to use their security products to avoid this type of compromise, one vendor-neutral tip that we especially like involves educating users on how to spot social engineering campaigns.
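The name-versus-OriginalFileName mismatch that Microsoft describes is easy to hunt for on disk. The following script is an added example written for this page, not code from Microsoft or The Register: it locates the OriginalFilename entry of a PE file's version resource by searching for the UTF-16LE key (a triage shortcut that avoids walking the resource directory), compares it with the on-disk name, and walks a directory tree reporting every mismatch. The demo builds constructed stand-in files that mimic the campaign's layout (a "curl.exe" copy saved as netapi.dll, a "bitsadmin.exe" copy saved as sc.exe); the folder names, sample bytes and the helper names are all assumptions for the illustration.

```python
"""Flag executables whose on-disk name differs from the OriginalFilename
stored in their PE version resource (VS_VERSIONINFO / StringFileInfo).

Standard library only. The version string is found by scanning for the
UTF-16LE key rather than parsing the resource directory, which is enough
for a first-pass hunt across C:\\ProgramData or similar staging folders.
"""
import os
import struct
import tempfile
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# "OriginalFilename" exactly as it sits inside a VS_VERSIONINFO String entry:
# UTF-16LE key, NUL terminator, then padding to a DWORD boundary, then Value.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def extract_original_filename(data: bytes) -> Optional[str]:
    """Return the OriginalFilename value from raw file bytes, or None if absent."""
    idx = data.find(_KEY)
    if idx < 0:
        return None
    pos = idx + len(_KEY)
    # Skip the alignment padding between key and Value (zero or one WORD).
    while pos + 2 <= len(data) and data[pos:pos + 2] == b"\x00\x00":
        pos += 2
    chars = bytearray()
    while pos + 2 <= len(data) and data[pos:pos + 2] != b"\x00\x00":
        chars += data[pos:pos + 2]
        pos += 2
    value = chars.decode("utf-16-le", errors="replace").strip()
    return value or None


def is_name_mismatch(path: str, original: Optional[str]) -> bool:
    """True when the basename disagrees with OriginalFilename (case-insensitive).

    Files without version info are not flagged: many small tools lack it, so
    absence alone is not a signal. PureWindowsPath handles both / and \\ paths.
    """
    if not original:
        return False
    return PureWindowsPath(path).name.lower() != original.lower()


def scan_tree(root: str, suffixes=(".exe", ".dll")) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, OriginalFilename) for every mismatch found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
            original = extract_original_filename(data)
            if is_name_mismatch(full, original):
                hits.append((full, original))
    return hits


def build_version_string(original: str) -> bytes:
    """Constructed stand-in for one String entry of a version resource:
    wLength, wValueLength, wType, key, DWORD padding, Value. Demo input only."""
    value = original.encode("utf-16-le") + b"\x00\x00"
    body = _KEY
    if (6 + len(body)) % 4:  # align Value on a DWORD boundary as the format requires
        body += b"\x00\x00"
    body += value
    return struct.pack("<HHH", 6 + len(body), len(value) // 2, 1) + body


def demo() -> List[Tuple[str, Optional[str]]]:
    """Recreate the campaign's staging layout with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = os.path.join(tmp, "hidden")  # assumed folder name
        os.makedirs(staged)
        samples = {
            "netapi.dll": "curl.exe",       # renamed curl: should be flagged
            "sc.exe": "bitsadmin.exe",      # renamed bitsadmin: should be flagged
            "curl.exe": "curl.exe",         # honest copy: must not be flagged
            "tool.exe": None,               # no version info: must not be flagged
        }
        for name, original in samples.items():
            with open(os.path.join(staged, name), "wb") as fh:
                fh.write(b"MZ" + (build_version_string(original) if original else b""))
        return sorted((os.path.basename(p), o) for p, o in scan_tree(tmp))


if __name__ == "__main__":
    for name, original in demo():
        print(f"{name}: on-disk name differs from OriginalFilename={original!r}")
```

Treat a hit as a lead, not a verdict: some legitimate software ships renamed stubs or installer copies whose version resource names the original build, so pair the mismatch with where the file lives (a user-writable folder such as C:\ProgramData rather than a program directory) and with whether it is signed before escalating.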
"Train employees to recognize suspicious WhatsApp attachments and unexpected messages, reinforcing that even familiar platforms can be exploited for malware delivery," Redmond advises. ®
A multi-stage social engineering campaign delivers malicious VBS files via WhatsApp messages, tricking recipients into executing them, often by appearing to come from a known contact. The script deploys renamed legitimate Windows utilities to download secondary payloads and ultimately installs malicious MSI packages for remote control. Security solutions can detect the renamed binaries by leveraging discrepancies in their PE metadata, such as the OriginalFileName field.