- WhatsApp files deliver VBS malware that installs silently and takes full control
- Hidden folders and renamed Windows tools allow attackers to blend in with normal operations
- Malware harvests secondary scripts from trusted cloud services to avoid detection
Microsoft has identified a multi-stage malware campaign that uses WhatsApp to deliver Visual Basic Script (VBS) files and exploits users’ trust in familiar messaging platforms.
Attackers send seemingly harmless files via WhatsApp, but opening them triggers a silent installation that grants hidden system control to adversaries.
When executed, the scripts create hidden folders under C:\ProgramData and drop renamed copies of legitimate Windows utilities, such as curl.exe renamed to netapi.dll and bitsadmin.exe renamed to sc.exe.
By placing these tools in normal system paths, attackers make them blend in with routine operations, even though the files still carry their original metadata, which security solutions can detect.
The malware modifies system settings to launch automatically after each reboot, ensuring survival even when users think they have removed the threat.
Microsoft warns that this approach combines social engineering with living-off-the-land techniques and increases execution success without triggering immediate alerts.
“By combining trusted platforms with legitimate tools, the threat actor reduces their visibility and increases the chances of successful execution,” Microsoft said in a blog post.
After the initial infection, the malware grabs secondary payloads from cloud services including AWS S3, Tencent Cloud, and Backblaze B2.
These droppers, delivered under the names auxs.vbs and WinUpdate_KB5034231.vbs, use trusted cloud infrastructure to disguise malicious downloads as legitimate network traffic.
The malware also modifies User Account Control settings and repeatedly attempts to run cmd.exe with elevated privileges until it succeeds.
The malware modifies registry entries under HKLM\Software\Microsoft\Win to suppress UAC prompts and grant administrative rights without the user’s knowledge.
In the final stage, attackers deploy malicious Microsoft Installer (MSI) files such as Setup.msi, WinRAR.msi, LinkPoint.msi, and AnyDesk.msi on compromised systems.
These unsigned installers provide attackers with persistent remote access and enable data theft, deployment of additional malware, or integration of infected machines into botnets.
Microsoft recommends monitoring for repeated tampering with UAC and registry changes as key indicators of compromise.
Organizations should restrict the execution of script hosts, monitor renamed system utilities, and train users on social engineering tactics.
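The following PowerShell triage script is an added example, not code from the article or from Microsoft's blog. It checks a Windows host for the three observable traits the article describes: renamed copies of built-in utilities under C:\ProgramData (identified by a version-resource OriginalFilename that no longer matches the file name, the metadata the article says survives the rename), tampered UAC policy values, and autorun entries that reference script hosts or ProgramData. The netapi.dll and sc.exe names come from the article; the UAC key path (the article's is truncated) and the use of Run keys for reboot persistence (the article does not name the mechanism) are assumptions.

```powershell
# Added defender-side triage example; assumptions are marked as such.

# Names the article reports for renamed copies of curl.exe and bitsadmin.exe.
# Any other file whose OriginalFilename disagrees with its name is also listed.
$KnownRenames = @{
    'netapi.dll' = 'curl.exe'
    'sc.exe'     = 'bitsadmin.exe'
}

function Find-RenamedUtilities {
    param([string]$Root = 'C:\ProgramData')
    # -Force includes the hidden folders the article says the dropper creates.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            # Version-resource metadata survives a rename, so a mismatch between
            # OriginalFilename and the on-disk name is worth a look.
            if ($orig -and ($orig -ne $_.Name)) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    KnownRename      = $KnownRenames[$_.Name.ToLower()]
                }
            }
        }
}

function Test-UacTampering {
    # Standard UAC policy key. Assumption: the article's truncated
    # "HKLM\Software\Microsoft\Win..." refers to these values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.EnableLUA -eq 0) { $findings += 'EnableLUA=0 (UAC disabled)' }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin=0 (elevate without prompting)'
    }
    if ($p.PromptOnSecureDesktop -eq 0) { $findings += 'PromptOnSecureDesktop=0' }
    $findings
}

function Find-SuspiciousAutoruns {
    # Assumption: "launch automatically after each reboot" is done via the
    # Run keys; the article does not name the persistence mechanism.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($providerProps -contains $name) { continue }
            $value = [string]$props.$name
            # Script hosts, .vbs files, or anything under ProgramData match the
            # delivery chain the article describes.
            if ($value -match '(?i)(wscript|cscript|\.vbs|ProgramData)') {
                [pscustomobject]@{ Key = $k; Name = $name; Command = $value }
            }
        }
    }
}

Write-Host '== Renamed utilities under C:\ProgramData =='
Find-RenamedUtilities | Format-Table -AutoSize
Write-Host '== UAC policy tampering =='
Test-UacTampering
Write-Host '== Autoruns referencing script hosts or ProgramData =='
Find-SuspiciousAutoruns | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so HKLM and hidden ProgramData folders are readable. Expect some benign OriginalFilename mismatches from vendor software; the value of the first check is the combination of a mismatch with a well-known utility name such as curl.exe or bitsadmin.exe, which is why the output carries the KnownRename column.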
Microsoft emphasizes the importance of cloud-delivered protection, tamper protection, and endpoint detection and response in block mode.
Security teams should closely monitor cloud traffic because conventional detection methods can have difficulty distinguishing these operations from routine business activities.
AI tools can help analyze behavioral anomalies, correlate telemetry, and identify suspicious WhatsApp attachments.
Failure to exercise caution can result in permanent data loss as attackers gain full control of the device and access sensitive personal information.
Microsoft points out that even a careless click could allow this malware to bypass ordinary endpoint protections.