Active WhatsApp Phishing Campaign Drops VBScript Malware via Fake Business Documents
Security researchers have identified an ongoing malware campaign exploiting WhatsApp as a delivery vector, targeting users across multiple countries with messages that impersonate legitimate business communications. The campaign uses weaponized documents to deploy VBScript-based malware, ultimately granting attackers remote access to infected systems.
Campaign Overview
The attack chain begins with unsolicited WhatsApp messages crafted to appear as routine business correspondence — invoices, delivery confirmations, purchase orders, or contract documents. Recipients who open the attached files trigger a VBScript dropper that silently installs remote access tooling on the victim's machine.
The messages exploit the trust users place in WhatsApp as a communication platform, and the business document lure is designed to lower suspicion — particularly in regions where WhatsApp is a primary business communication tool.
How the Attack Unfolds
- Lure delivery: Victim receives a WhatsApp message with an attached file claiming to be a business document (invoice, contract, PO)
- File execution: The attachment is a VBScript (.vbs) file, or contains an embedded VBScript that executes on open
- Dropper stage: The VBScript reaches out to attacker-controlled infrastructure and downloads the second-stage payload
- Persistence: Malware establishes persistence via Windows registry modifications or scheduled tasks
- Remote access: Attacker gains a foothold — enabling keylogging, file exfiltration, or further lateral movement
Geographic Targeting
The campaign has been observed targeting users in multiple countries, with particular concentration in regions where WhatsApp is heavily used for professional communications. The geographic breadth suggests either a financially motivated threat actor using wide-net phishing or a targeted campaign with broad regional scope.
Why VBScript?
Microsoft announced VBScript's deprecation in 2023 and, from Windows 11 24H2, ships it as a removable Feature on Demand, but the engine is still installed and enabled by default on current Windows 10 and Windows 11 builds, and enterprise fleets running older configurations rarely turn it off. VBScript-based droppers are attractive to attackers because:
- They blend in with legitimate administrative and business automation scripts
- They can bypass some email/messaging attachment filters that focus on executable extensions
- They require no compilation — rapid development and modification is trivial
- Many endpoint detection tools still have gaps in VBScript behavioural analysis
Indicators of Compromise (IOCs)
- Unsolicited WhatsApp messages with .vbs, .zip, or double-extension attachments (e.g. Invoice.pdf.vbs)
- VBScript files impersonating document types (invoice, order, delivery)
- Outbound connections to newly registered or obscure domains shortly after file execution
- Scheduled task creation or registry run key modifications post-execution
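The launch and persistence stages described above leave a recognisable pattern in process-creation telemetry. The following PowerShell is an added example, not part of the BleepingComputer report or any vendor tooling: it runs a few detection rules over constructed sample events (the paths, user names, timestamps and task name are made up for illustration) shaped like the Sysmon Event ID 1 / Security 4688 fields, and flags the behaviours listed in the IOCs.

```powershell
# Added example (not from the report): hunt for the script-host launches and
# persistence described above. The events below are CONSTRUCTED samples with
# the field names of Sysmon Event ID 1 / Security 4688; in production feed
# the function with Get-WinEvent output projected onto the same properties.
$sample = @'
TimeCreated,ParentImage,Image,CommandLine,User
2024-05-02T09:12:03,C:\Program Files\WindowsApps\WhatsApp\WhatsApp.exe,C:\Windows\System32\wscript.exe,"wscript.exe ""C:\Users\alice\Downloads\Invoice_4471.pdf.vbs""",CORP\alice
2024-05-02T09:12:09,C:\Windows\System32\wscript.exe,C:\Windows\System32\schtasks.exe,"schtasks.exe /Create /SC ONLOGON /TN UpdateSvc /TR ""wscript.exe C:\Users\alice\AppData\Roaming\svc.vbs"" /F",CORP\alice
2024-05-02T10:30:44,C:\Windows\explorer.exe,C:\Windows\System32\cscript.exe,cscript.exe //B C:\Windows\System32\slmgr.vbs /dlv,CORP\itadmin
2024-05-02T11:02:17,C:\Program Files\7-Zip\7zFM.exe,C:\Windows\System32\wscript.exe,"wscript.exe ""C:\Users\bob\AppData\Local\Temp\7zO1A2B\PurchaseOrder.vbs""",CORP\bob
'@
$events = $sample | ConvertFrom-Csv

function Find-SuspiciousScriptHost {
    param([Parameter(Mandatory)][object[]]$Events)

    $scriptHosts = '^(wscript|cscript)\.exe$'
    $scriptExt   = '\.(vbs|vbe|js|jse|wsf)\b'
    # A document-looking name with a script extension appended (Invoice.pdf.vbs)
    $doubleExt   = '\.(pdf|docx?|xlsx?|rtf|txt)\.(vbs|vbe|js|jse|wsf)\b'
    # Where a WhatsApp attachment or an extracted archive lands; legitimate
    # administrative scripts normally run from System32 or a managed share
    $userPaths   = '\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\'
    # Parents that deliver attachments rather than run admin scripts
    $lureParents = '^(WhatsApp|7zFM|7zG|WinRAR|Telegram)\.exe$'

    foreach ($e in $Events) {
        $image   = Split-Path -Leaf $e.Image
        $parent  = Split-Path -Leaf $e.ParentImage
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($image -match $scriptHosts) {
            if ($e.CommandLine -match $doubleExt) { $reasons.Add('double-extension script name') }
            if ($e.CommandLine -match $scriptExt -and $e.CommandLine -match $userPaths) {
                $reasons.Add('script run from user-writable path')
            }
            if ($parent -match $lureParents) { $reasons.Add("launched by $parent") }
        }
        # Persistence created by a script host: scheduled task or Run key
        if ($parent -match $scriptHosts -and $image -match '^(schtasks|reg)\.exe$') {
            if ($e.CommandLine -match '/Create\b' -or $e.CommandLine -match '\\CurrentVersion\\Run') {
                $reasons.Add('persistence created by a script host')
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $e.User
                Image       = $image
                Reasons     = $reasons -join '; '
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Three of the four sample events are flagged; the slmgr.vbs run by an admin
# from System32 is not.
Find-SuspiciousScriptHost -Events $events | Format-Table -AutoSize -Wrap
```

The rules are deliberately narrow: a script host alone is noisy on any fleet with logon scripts, so each rule pairs the host with something the campaign needs (a document-style double extension, a user-writable path, a messaging or archive parent, or a child schtasks.exe/reg.exe). Command-line logging must be on for this to work: enable "Include command line in process creation events" under Audit Process Creation, or deploy Sysmon.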
Protection Steps
| Action | Priority |
|---|---|
| Never open unsolicited attachments from unknown WhatsApp contacts | Critical |
| Disable VBScript where possible (remove the Feature on Demand on Windows 11 24H2+, remap .vbs/.vbe/.js to open in Notepad) and block wscript.exe/cscript.exe for standard users with AppLocker or WDAC policy deployed via Group Policy | High |
| Enable Windows Defender Attack Surface Reduction (ASR) rules | High |
| Monitor for wscript.exe/cscript.exe launches from user-writable paths (Downloads, AppData, Temp), especially with WhatsApp or an archive utility as the parent, followed by schtasks.exe or reg.exe activity | Medium |
| Educate staff that WhatsApp is a common phishing vector | Medium |
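The endpoint rows of the table can be applied in one elevated PowerShell session. This is an added example, not a script from the report: the cmdlets, registry paths and ASR rule GUIDs are Microsoft's, while the assumptions are that Microsoft Defender Antivirus is the active AV (ASR rules require it), that the session is elevated, and that no business process relies on double-clicking .vbs files.

```powershell
# Added example (not from the report): apply the table's hardening steps on a
# Windows 10/11 endpoint. Run in an elevated PowerShell session. Assumes
# Microsoft Defender Antivirus is the active AV (ASR rules need it) and that
# nobody needs to run .vbs files by double-clicking them.

# 1. Open script files in Notepad instead of the script host. A deliberate
#    "cscript.exe script.vbs" still works; a double-clicked Invoice.pdf.vbs
#    just displays its source.
$notepad = '"C:\Windows\System32\notepad.exe" "%1"'
foreach ($progId in 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile') {
    $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
    }
}

# 2. Enable the Defender ASR rules most relevant to this chain. The GUIDs are
#    Microsoft's published rule IDs. Use 'AuditMode' instead of 'Enabled'
#    first if you want to see what would be blocked before enforcing.
$asrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "Enabling ASR rule: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 3. On Windows 11 24H2 and later VBScript is a Feature on Demand and can be
#    removed; on older builds the query returns nothing and step 1 remains the
#    control. Test first: legacy line-of-business scripts may depend on it.
$vbs = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'VBSCRIPT*' -and $_.State -eq 'Installed' }
if ($vbs) { Remove-WindowsCapability -Online -Name $vbs.Name }

# 4. Verify what took effect (ASR action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn).
(Get-ItemProperty 'HKLM:\SOFTWARE\Classes\VBSFile\Shell\Open\Command').'(default)'
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The file-association change is a speed bump, not a boundary: a user (or a script already running) can still invoke cscript.exe directly. The stronger control is an AppLocker or WDAC script rule that denies wscript.exe and cscript.exe to standard users while allowing them for administrators and your management agent; that policy is pushed through Group Policy or Intune rather than this script.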
Key Takeaways
This campaign is a reminder that messaging apps are a significant and often under-monitored phishing surface. Unlike email, WhatsApp traffic is end-to-end encrypted and usually arrives on personal or BYOD devices, so attachments never pass a mail gateway or sandbox, and the informal nature of the platform lowers users' guard. Organizations operating in regions where WhatsApp is used for business communications should explicitly include it in their social engineering awareness training.
Source: BleepingComputer