Kaspersky researchers have uncovered an active malware campaign weaponizing WhatsApp direct messages to distribute malicious Visual Basic Script (VBScript) files that ultimately install legitimate Remote Monitoring and Management (RMM) software as a covert backdoor. The technique combines trusted messaging infrastructure with well-known living-off-the-land tactics to slip past endpoint defences.
How the Attack Works
The campaign begins with compromised WhatsApp accounts sending .vbs files to their contact lists. Because the messages arrive from known, trusted contacts rather than strangers, victims are far more likely to open them. The files carry business-sounding names designed to appear routine:
- Financial Reports.vbs
- Account Statement.vbs
Variants of these filenames appear in Portuguese, French, German, and Malay — a deliberate multilingual effort to cast a wider net across non-English-speaking targets.
Execution Behavior
The execution path differs depending on which WhatsApp client the victim is running:
- WhatsApp Web: Victims download the file and open it from their downloads folder or browser history, trusting it because it came from a known sender.
- WhatsApp Desktop: The infection can trigger more directly: `WhatsApp.Root.exe` spawns `WScript.exe` to execute the malicious script without requiring manual file navigation.
Once launched, Windows Script Host (WScript.exe) takes over and begins a multi-stage infection chain:
- Download two secondary VBScript payloads from remote command-and-control (C2) servers
- Tamper with Windows UAC settings to suppress privilege prompts or elevate permissions silently
- Download and execute a ZIP archive containing the ManageEngine RMM Central installer
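The chain above (messaging client spawns a script host, the script runs out of a download location, then touches UAC policy) is what process and registry telemetry would show. The following Python is an added example, not Kaspersky's detection content and not code from the campaign: it runs three rules over event records constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) entries. Paths and PIDs are invented, `whatsapp.exe` as an alternative parent name is an assumption, and the UAC registry values it watches are an assumption about what "tamper with UAC settings" most plausibly touches, since the report does not name them.

```python
import re
from dataclasses import dataclass

# UAC policy values a "tamper with UAC settings" step would plausibly set.
# Assumption: the report does not name the exact values the scripts touch.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# WhatsApp.Root.exe is the parent named in the report; whatsapp.exe is an assumed alias.
MESSAGING_PARENTS = {"whatsapp.root.exe", "whatsapp.exe"}
DOWNLOAD_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# A quoted path (may contain spaces) or a bare token ending in a WSH script extension.
SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> list:
    """Sysmon Event ID 1: script host started by a messaging client, or
    running a script out of a download/temp location."""
    findings = []
    image, parent = _base(ev["Image"]), _base(ev.get("ParentImage", ""))
    if image not in SCRIPT_HOSTS:
        return findings
    if parent in MESSAGING_PARENTS:
        findings.append(Finding("messaging-client-spawned-script-host",
                                ev["ProcessId"], f"{parent} -> {image}"))
    m = SCRIPT_RE.search(ev.get("CommandLine", ""))
    if m:
        script = (m.group(1) or m.group(2)).lower()
        if any(hint in script for hint in DOWNLOAD_HINTS):
            findings.append(Finding("script-host-ran-downloaded-script",
                                    ev["ProcessId"], script))
    return findings


def check_registry_set(ev: dict) -> list:
    """Sysmon Event ID 13: a script host writing a UAC policy value."""
    key, _, value = ev["TargetObject"].rpartition("\\")
    if (key.lower() == UAC_KEY.lower() and value in UAC_VALUES
            and _base(ev["Image"]) in SCRIPT_HOSTS):
        return [Finding("uac-policy-changed-by-script-host", ev["ProcessId"],
                        f"{value} = {ev.get('Details', '?')}")]
    return []


def analyze(events: list) -> list:
    """Run every rule over a list of event dicts and collect the findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings += check_process_create(ev)
        elif ev["EventID"] == 13:
            findings += check_registry_set(ev)
    return findings


def suspicious_pids(findings: list, threshold: int = 2) -> list:
    """PIDs that tripped at least `threshold` distinct rules. A single rule can
    fire on benign admin scripting; the full chain described above scores 3."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= threshold)


# Constructed sample telemetry (paths and PIDs invented), not campaign data.
WA = r"C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.Root.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": WA, "CommandLine": f'"{WA}"'},
    {"EventID": 1, "ProcessId": 5212, "ParentImage": WA,
     "Image": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Financial Reports.vbs"'},
    {"EventID": 13, "ProcessId": 5212, "Image": r"C:\Windows\System32\WScript.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    # Benign: an admin running a script from a managed location via Explorer.
    {"EventID": 1, "ProcessId": 6301, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ops\scripts\rotate_logs.vbs"},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
    print("escalate:", suspicious_pids(found))
```

The point of `suspicious_pids` is the correlation: each rule on its own will fire on legitimate helpdesk scripting, but one `WScript.exe` instance that was spawned by the messaging client, ran a script from Downloads, and then wrote a UAC policy value is the chain the report describes and is worth an automatic escalation.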
The scripts themselves are heavily obfuscated with extensive comments written in Chinese, referencing legitimate Windows Update modules — a misdirection technique designed to confuse analysts and automated sandboxes alike.
Why ManageEngine RMM?
Using legitimate RMM software as the final payload is a well-established living-off-the-land (LotL) strategy. Once ManageEngine RMM Central is installed, attackers gain persistent remote access to the victim machine while blending into normal IT operations traffic. Many endpoint protection products treat signed, commercially distributed RMM agents as trusted by default, so the installation and its subsequent beaconing attract little attention unless the organization has baselined which RMM tools it actually sanctions and alerts on any other.
Infrastructure and Attribution
The campaign has not been formally attributed, but Kaspersky identified meaningful infrastructure overlaps with previously documented threat activity. The IP address 202.61.160[.]201 has prior associations with:
- Gh0st RAT — a Chinese-language remote access trojan historically linked to espionage campaigns
- ValleyRAT — a malware family connected to Chinese-speaking threat actors
Combined with the Chinese-language embedded comments, these overlaps suggest a possible Chinese-speaking threat actor, though Kaspersky stops short of a definitive attribution call.
Scope and Targeting
The campaign has a global footprint with the heaviest concentration in Malaysia. Other significantly affected countries include Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam.
Dangerous File Types to Block
Kaspersky researcher Fareed Radzi emphasized that users should treat the following file extensions as high-risk when received through any messaging platform:
| Extension | Type |
|---|---|
| .vbs / .vbe | VBScript |
| .js | JavaScript |
| .ps1 | PowerShell |
| .bat / .cmd | Batch scripts |
| .exe | Executables |
Organizations should consider blocking or sandboxing these file types at the email and messaging gateway level, including when they arrive inside archives, since the final-stage installer in this campaign was delivered as a ZIP. End-user security awareness training should specifically address the risk of executing files received via personal messaging apps, even from trusted contacts, because the sender's account may itself be compromised.
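An added example of the gateway-side check, not from Kaspersky or the page: it normalizes a filename the way Windows will treat it, catches double extensions such as `Invoice.pdf.vbs`, and looks one level into ZIP archives, because the RMM installer in this campaign arrived zipped. The sample archive is built in memory and its contents are constructed placeholders; the encoded-script, `.wsf` and `.hta` entries are additions beyond the table above, not from the report.

```python
import io
import zipfile
from typing import Optional

# Extensions from the table above, plus encoded/WSF/HTA variants that Windows
# Script Host and mshta run the same way (these extras are additions, not from the page).
BLOCKED_EXTS = {
    ".vbs": "VBScript", ".vbe": "VBScript (encoded)",
    ".js": "JavaScript", ".jse": "JScript (encoded)", ".wsf": "Windows Script File",
    ".ps1": "PowerShell", ".bat": "Batch script", ".cmd": "Batch script",
    ".exe": "Executable", ".hta": "HTML Application",
}


def normalize_name(name: str) -> str:
    """File name as Windows will treat it: last path component, trailing dots
    and spaces stripped (Win32 drops them before resolving the extension), lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()


def risky_extension(name: str) -> Optional[str]:
    """Type label if the *effective* extension is blocked; 'Invoice.pdf.vbs'
    is a VBScript however the messaging client renders it."""
    n = normalize_name(name)
    for ext, kind in BLOCKED_EXTS.items():
        if n.endswith(ext):
            return kind
    return None


def classify_attachment(name: str, data: bytes = b"") -> list:
    """(path, reason) verdicts for one attachment. ZIPs are opened one level
    deep so a blocked type inside an archive is still reported."""
    verdicts = []
    kind = risky_extension(name)
    if kind:
        verdicts.append((name, f"blocked type: {kind}"))
    if normalize_name(name).endswith(".zip") and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = risky_extension(member)
                    if inner:
                        verdicts.append((f"{name}!{member}", f"blocked type inside archive: {inner}"))
        except zipfile.BadZipFile:
            # Unparseable archives are a classic evasion; do not pass them through.
            verdicts.append((name, "archive could not be parsed; detonate in sandbox"))
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed in-memory archive standing in for the installer ZIP; the
    .exe member is a placeholder, not a real installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "release notes")
        zf.writestr("setup/RMM_Setup.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for fname in ("Financial Reports.vbs", "Account Statement.pdf.VBS", "invoice.vbs. ", "report.pdf"):
        print(f"{fname!r:32} -> {risky_extension(fname)}")
    for path, reason in classify_attachment("update.zip", build_sample_zip()):
        print(path, "->", reason)
```

Nested or password-protected archives are deliberately out of scope here; a gateway that cannot open an archive should treat it like the `BadZipFile` branch and hand it to a sandbox rather than deliver it.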
Indicators of Compromise
| Indicator | Detail |
|---|---|
| Malware type | VBScript (.vbs) |
| Execution engine | WScript.exe |
| Final payload | ManageEngine RMM Central |
| Infrastructure overlap | 202.61.160[.]201 (Gh0st RAT, ValleyRAT) |
| Obfuscation language | Chinese (Windows Update masquerade) |
The campaign highlights a recurring problem: trusted communication channels — in this case personal WhatsApp accounts — can be turned into effective malware delivery vectors the moment an account is compromised. Defenders should treat file attachments from messaging apps with the same scrutiny applied to email attachments, regardless of whether the sender is known.