A new malware campaign is actively exploiting WhatsApp to target Windows users across multiple countries. The attack leverages malicious script files disguised as financial documents, tricking recipients into executing harmful code that grants attackers remote access to their systems.
First detected in June 2026, this campaign has impacted users in Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam. Malaysia accounts for approximately 80% of the reported infections. Security researchers have analyzed the campaign, revealing that attackers gain control of legitimate WhatsApp accounts to distribute malicious attachments to contacts, increasing the likelihood of recipients opening the files without suspicion.
The malware is delivered through VBScript files with names like “Financial Reports.vbs,” “Debt Statement.vbs,” and “Account Statement.vbs,” available in multiple languages, indicating a broad target audience. When a user opens the attachment via WhatsApp Desktop or WhatsApp Web, the script executes through Windows Script Host, initiating the infection process.
The initial script creates a hidden folder with a randomized name in the Public Documents directory to evade detection. It then downloads additional scripts from attacker-controlled servers. One script attempts to disable User Account Control (UAC), a Windows security feature that prompts users before significant system changes. With UAC set to zero, the malware can install software without user prompts.
Subsequently, the malware installs a legitimate remote management tool, granting attackers full control over the infected system. This approach allows attackers to operate stealthily, as the use of genuine software makes detection more challenging.
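For defenders, the stages described above can be correlated per host in endpoint telemetry; the following sketch is an added example and does not come from the researchers' report or from any vendor's detection content. Assumptions: the normalized event fields (`host`, `type`, `image`, `cmdline`, `path`, `target`, `data`), the sample events themselves, and the two UAC registry value names, since the article does not say which value the script zeroes.

```python
import re
from collections import defaultdict

# Assumption: the page names no registry value; these two live under this key.
UAC_KEY = r"\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}

def classify(ev):
    """Map one normalized event to a stage of the chain described above, or None."""
    if ev["type"] == "process":
        script_host = ev["image"].lower().endswith(("\\wscript.exe", "\\cscript.exe"))
        if script_host and re.search(r"\.vbs\b", ev["cmdline"], re.I):
            return "vbs_via_script_host"
    elif ev["type"] == "file_create":
        if re.match(r"c:\\users\\public\\documents\\[^\\]+\\", ev["path"], re.I):
            return "write_under_public_documents"
    elif ev["type"] == "registry_set":
        key, _, value = ev["target"].lower().rpartition("\\")
        if key.endswith(UAC_KEY) and value in UAC_VALUES and ev["data"] == 0:
            return "uac_set_to_zero"
    return None

def hunt(events, min_stages=2):
    """Return hosts showing at least min_stages distinct stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample events; hosts, users, paths and folder names are invented.
EVENTS = [
    {"host": "pc-01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"wscript.exe" "C:\Users\ana\Downloads\Account Statement.vbs"'},
    {"host": "pc-01", "type": "file_create",
     "path": r"C:\Users\Public\Documents\qzx81k\stage.vbs"},
    {"host": "pc-01", "type": "registry_set", "data": 0, "target":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Benign look-alike: a single script-host run with no follow-on activity.
    {"host": "pc-02", "type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\IT\inventory.vbs"},
    {"host": "pc-02", "type": "file_create",
     "path": r"C:\Users\Public\Documents\readme.txt"},
]

if __name__ == "__main__":
    for host, stages in hunt(EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring two or more stages keeps a lone, legitimate script-host run from alerting, while any single UAC change to zero still deserves review on its own.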
To protect against such threats, users should exercise caution when opening attachments, even from known contacts. It’s crucial to verify the authenticity of unexpected files and keep security software up to date. Additionally, users should regularly update their operating systems and applications to patch vulnerabilities that could be exploited by attackers.
This incident underscores the evolving tactics of cybercriminals who exploit trusted platforms like WhatsApp to distribute malware. Users must remain vigilant and adopt proactive security measures to safeguard their systems against such sophisticated attacks.