Global WhatsApp Malware Campaign Exploits Compromised Accounts to Spread Remote Access Tools
An active malware campaign is targeting WhatsApp users across at least 11 countries, including Brazil, India, Mexico, Singapore, the UK, Spain, Taiwan, Australia, Russia, Vietnam, and Malaysia. The attack leverages hijacked WhatsApp accounts to distribute malicious VBScript files disguised as business or financial documents, such as billing statements or account notices, that appear to be sent by trusted contacts.
Once executed, the VBScript initiates a multi-stage infection chain. It disables User Account Control (UAC) protections via registry modifications and downloads a ZIP archive containing ManageEngine Endpoint Central, a legitimate IT management tool. The software is silently installed and configured to connect to attacker-controlled servers, granting the threat actors remote administrative access to the victim's system.
Kaspersky’s telemetry reveals that the campaign’s infrastructure overlaps with IPs previously linked to ValleyRAT and Gh0st RAT activity, with traces of Chinese language use. However, attribution remains inconclusive. The method used to compromise the initial WhatsApp accounts also remains unclear.
The attack exploits both WhatsApp Web (which requires the victim to download the file manually) and the WhatsApp Desktop client (where the file can be executed directly via Windows Script Host). While the campaign's scope is global, its reliance on social engineering, particularly through localized filenames, highlights its adaptability to regional targets.
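The chain above leaves two observable footprints a defender can correlate: a script host (wscript.exe or cscript.exe) spawned by the messaging client to run a .vbs file, followed shortly by registry writes that zero the UAC policy values. The following is an added detection sketch written for this article; it is not code from Kaspersky, WhatsApp or ManageEngine. The event records are constructed, Sysmon-style entries (Event ID 1 for process creation, Event ID 13 for registry value set; the field names follow Sysmon, the values are made up here). The UAC value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are the standard Windows ones and are not taken from the article; the process name WhatsApp.exe for the desktop client and the ten-minute correlation window are assumptions.

```python
"""Correlate script-host execution from a messaging client with UAC-weakening
registry writes, over constructed Sysmon-like events (example only)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Standard Windows UAC policy location and value names (real names, not from the article).
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MESSAGING_CLIENTS = {"whatsapp.exe"}   # assumed process name of WhatsApp Desktop
WINDOW = timedelta(minutes=10)          # assumed correlation window

# Constructed sample telemetry: one infected host (WS-17) and one benign host (WS-04).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "UtcTime": "2026-06-01 09:14:02", "Computer": "WS-17",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\WhatsApp\WhatsApp.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\fatura_junho.vbs"'},
    {"EventID": 13, "UtcTime": "2026-06-01 09:14:05", "Computer": "WS-17",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2026-06-01 09:14:05", "Computer": "WS-17",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": UAC_KEY + r"\ConsentPromptBehaviorAdmin", "Details": "DWORD (0x00000000)"},
    # Benign: a logon script run from Explorer, not from a messaging client.
    {"EventID": 1, "UtcTime": "2026-06-01 09:20:00", "Computer": "WS-04",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cscript.exe \\fs01\netlogon\map_drives.vbs'},
    # Benign: policy re-enables UAC (value 1) from a system process.
    {"EventID": 13, "UtcTime": "2026-06-01 09:21:00", "Computer": "WS-04",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"},
]


def _ts(event: Dict) -> datetime:
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host_from_messenger(event: Dict) -> bool:
    """Process-create event: wscript/cscript spawned by the messaging client with a .vbs argument."""
    return (event["EventID"] == 1
            and _basename(event["Image"]) in SCRIPT_HOSTS
            and _basename(event.get("ParentImage", "")) in MESSAGING_CLIENTS
            and ".vbs" in event.get("CommandLine", "").lower())


def is_uac_weakening(event: Dict) -> bool:
    """Registry-set event that writes 0 to one of the UAC policy values."""
    if event["EventID"] != 13:
        return False
    key, _, value = event["TargetObject"].rpartition("\\")
    return (key.lower() == UAC_KEY.lower()
            and value in UAC_VALUES
            and event["Details"].endswith("(0x00000000)"))


def correlate(events: List[Dict]) -> List[Dict]:
    """Raise one finding per suspicious script launch; escalate to 'high' when the same
    host zeroes a UAC value within WINDOW after the launch."""
    findings = []
    for launch in (e for e in events if is_script_host_from_messenger(e)):
        zeroed = sorted(
            r["TargetObject"].rpartition("\\")[2]
            for r in events
            if is_uac_weakening(r) and r["Computer"] == launch["Computer"]
            and timedelta(0) <= _ts(r) - _ts(launch) <= WINDOW)
        findings.append({
            "host": launch["Computer"],
            "script": launch["CommandLine"],
            "uac_values_zeroed": zeroed,
            "severity": "high" if zeroed else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Running the block on the sample telemetry yields a single high-severity finding for WS-17 listing the two zeroed UAC values, while the benign logon script and the policy write of 1 on WS-04 produce nothing. In production the same two predicates map naturally onto a SIEM rule keyed on Sysmon Event IDs 1 and 13, with the messenger parent-process list widened to whatever chat clients the fleet runs.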
ManageEngine TPRM report: https://www.rankiteo.com/company/manageengine
WhatsApp TPRM report: https://www.rankiteo.com/company/whatsapp
"id": "manwha1782174233",
"linkid": "manageengine, whatsapp.",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'location': ['Brazil', 'India', 'Mexico', 'Singapore', 'UK', 'Spain', 'Taiwan', 'Australia', 'Russia', 'Vietnam', 'Malaysia'],
                        'name': 'WhatsApp Users',
                        'type': 'Individuals'}],
 'attack_vector': ['Compromised WhatsApp Accounts', 'Malicious VBScript Files', 'Social Engineering'],
 'data_breach': {'file_types_exposed': ['VBScript', 'ZIP']},
 'description': 'An active malware campaign is targeting WhatsApp users across at least 11 countries, leveraging hijacked WhatsApp accounts to distribute malicious VBScript files disguised as business or financial documents. The attack initiates a multi-stage infection chain, disabling UAC protections and installing ManageEngine Endpoint Central to grant remote administrative access to threat actors.',
 'impact': {'systems_affected': 'Victim systems with remote administrative access granted to attackers'},
 'initial_access_broker': {'backdoors_established': 'ManageEngine Endpoint Central',
                           'entry_point': 'Compromised WhatsApp Accounts'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': ['Social Engineering', 'Exploitation of WhatsApp Web/Desktop', 'Registry Modifications to Disable UAC']},
 'references': [{'source': 'Kaspersky'}],
 'response': {'third_party_assistance': 'Kaspersky'},
 'title': 'Global WhatsApp Malware Campaign Exploits Compromised Accounts to Spread Remote Access Tools',
 'type': 'Malware Campaign',
 'vulnerability_exploited': ['WhatsApp Web', 'WhatsApp Desktop Client', 'Windows Script Host']}