A new and active malware campaign is spreading through WhatsApp, targeting everyday Windows users across more than a dozen countries.
The threat uses malicious script files disguised as routine financial documents, tricking people into running harmful code on their own machines.
Once opened, the file quietly sets off a chain of events that ends with attackers gaining full remote access to the victim’s system.
The campaign was first observed in June 2026 and remains active at the time of reporting. Victims have been identified in Malaysia, Brazil, India, Mexico, Singapore, the United Kingdom, Spain, Taiwan, Australia, Russia, and Vietnam.
Malaysia has been hit the hardest, accounting for roughly 80 percent of all recorded infections. Researchers at Securelist identified and analyzed the campaign in detail.
According to a Securelist report shared with Cyber Security News (CSN), the threat actor behind this campaign gained access to real WhatsApp accounts and used them to silently send malicious attachments to everyone in the compromised contact lists.
Since the messages appeared to come from known contacts, recipients were far more likely to open them without suspicion.

The attachments are VBScript files, a type of script that Windows can run automatically through a built-in tool called Windows Script Host.
The files carried names like “Financial Reports.vbs,” “Debt Statement.vbs,” and “Account Statement.vbs,” along with versions written in Portuguese, French, German, and Malay.
This multi-language approach strongly suggests the campaign was designed to reach victims in several regions at once.
What makes this attack stand out is its use of legitimate software as the final payload. Rather than deploying a traditional virus or data stealer, the attacker installs a genuine remote management tool on the victim’s machine.
This allows the attacker to control the infected system just like a corporate IT team would, making detection far more difficult.
New Malware Attack Via WhatsApp Attacking Windows System
The infection begins the moment a user opens the VBScript attachment in WhatsApp Desktop or through a browser using WhatsApp Web.

The script launches silently through Windows Script Host and immediately begins preparing the system for further compromise.
It creates a hidden folder under the Public Documents directory using randomized names like “MSUpdate_random” to avoid attracting attention.
From there, the first script downloads two additional script files from attacker-controlled servers. The first of these attempts to modify User Account Control (UAC), the Windows security setting that normally prompts the user before any major system change is made.
By setting that value to zero, effectively disabling the protection, the attacker clears the path for the second script to install software without any prompts appearing on screen.
The second downloaded script fetches a ZIP archive containing a fully pre-configured installation package for a remote management agent.
Once extracted and executed, this package installs itself silently using Windows Installer and connects back to attacker-controlled servers. At that point, the attacker has persistent and quiet remote access to everything on the victim’s machine.
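The infection chain described above leaves a recognisable sequence in endpoint telemetry: a script host spawned from WhatsApp (or a browser) with a .vbs argument, a staging folder created under Public Documents, the UAC value written to zero, and a silent Windows Installer run launched by the script host. The following is an added example of detection logic over such telemetry; it is not code from Securelist or from this article. It assumes Sysmon-style events (IDs 1, 11 and 13) flattened into key=value lines, assumes that "setting this protection to zero" corresponds to the EnableLUA registry value (a common UAC toggle, but the article does not name the value), and the sample events are constructed for the demo.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create,
# 13 = registry value set) in a simplified key=value form. These are made-up
# samples for the demo, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe ParentImage=C:\Users\alice\AppData\Local\WhatsApp\WhatsApp.exe CommandLine="wscript.exe C:\Users\alice\Downloads\Financial Reports.vbs"',
    r'EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Users\Public\Documents\MSUpdate_k3f9x\stage2.vbs',
    r'EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details="DWORD (0x00000000)"',
    r'EventID=1 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\System32\wscript.exe CommandLine="msiexec.exe /i C:\Users\Public\Documents\MSUpdate_k3f9x\agent.msi /qn"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe notes.txt"',
]

# key=value pairs; values containing spaces are double-quoted in this format
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents from which a user-opened WhatsApp attachment would be launched
# (WhatsApp Desktop or a browser running WhatsApp Web) - assumed list
LAUNCHERS = {"whatsapp.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Staging folder pattern from the article: Public Documents\MSUpdate_<random>
STAGING_RE = re.compile(r"\\Users\\Public\\Documents\\MSUpdate_[^\\]+", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def _basename(path):
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the names of every detection rule that fires on one parsed event."""
    hits = []
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()

    # Stage 1: script host running a .vbs/.vbe handed over by WhatsApp or a browser
    if eid == "1" and image in SCRIPT_HOSTS and parent in LAUNCHERS and re.search(r"\.vb[se]\b", cmd):
        hits.append("vbs_launched_from_messenger_or_browser")

    # Stage 1/2: anything touching the randomised staging folder
    if any(STAGING_RE.search(v) for v in ev.values()):
        hits.append("staging_folder_in_public_documents")

    # Stage 2: UAC toggle written to zero (EnableLUA assumed as the value name)
    if (eid == "13" and ev.get("TargetObject", "").lower().endswith("\\enablelua")
            and "0x00000000" in ev.get("Details", "")):
        hits.append("uac_enablelua_set_to_zero")

    # Stage 3: silent MSI install spawned directly by a script host
    if eid == "1" and image == "msiexec.exe" and parent in SCRIPT_HOSTS and ("/qn" in cmd or "/quiet" in cmd):
        hits.append("silent_msi_install_from_script_host")
    return hits


def detect(lines):
    """Run every rule over a list of raw event lines; returns (line index, rule) pairs."""
    findings = []
    for i, line in enumerate(lines):
        for rule in check_event(parse_event(line)):
            findings.append((i, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Any one rule on its own is noisy (script hosts and msiexec have legitimate uses); the value is in correlating several of them on the same host within a short window, which is what the chain above produces. The notepad event is included to show that ordinary process creation does not trip any rule.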
Signs Pointing to a Chinese-Speaking Operator
Security researchers noted several details within the script files that point toward a Chinese-speaking developer.
Multiple variants of the VBScript contained comments and annotations written in simplified Chinese characters, including references to Windows Update modules and system integrity checks. These comments appeared consistently across different versions of the script.
Infrastructure overlaps also raised flags. One of the attacker-controlled server addresses had previously appeared in connection with malware families known as ValleyRAT and Gh0st RAT.

While this does not confirm a definitive link, researchers assess with low confidence that the campaign was likely conducted by a Chinese-speaking operator.
Users are strongly advised to avoid opening any attachments received through WhatsApp, even from known contacts, unless the file has been verified through another channel.

File types such as VBS, VBE, EXE, BAT, CMD, JS, and PS1 should never be opened without independent confirmation.
Keeping Windows security settings intact and running current endpoint protection can significantly reduce the risk of falling victim to campaigns like this one.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 202.61.160[.]208 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]202 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]201 | Attacker-controlled ManageEngine UEMS server (previously linked to ValleyRAT/Gh0st RAT) |
| IP Address | 202.61.160[.]160 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 202.61.160[.]137 | Attacker-controlled ManageEngine UEMS server |
| IP Address | 38.55.151[.]63 | Attacker-controlled ManageEngine UEMS server |
| Domain | temu.baskwms[.]top | Malware distribution domain |
| Domain | invoice.msopsa[.]top | Malware distribution domain |
| Domain | baoxis[.]cc | Malware distribution domain |
| Domain | sdcwww.oss-ap-southeast-1.aliyuncs[.]com | Payload hosting (Alibaba Cloud) |
| Domain | baoyuw2s.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | sjdkjj23.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | xijkwm2.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| Domain | yifubafu.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| File Hash (MD5) | c7f38cbb99c8b74fa0465293feeba700 | Financial Reports.vbs |
| File Hash (MD5) | b7cd06c71465038b658a6dc1f273a507 | Debt confirmation.vbs |
| File Hash (MD5) | 9f13c7b8ba391b2f597874e54d310648 | Electronic statement(A).vbs |
| File Hash (MD5) | 993f4c0cadbc769a4b0ed62a918db58d | Financial Reports(s).vbs / FinancialReportsS.vbs |
| File Hash (MD5) | 7f81c1bc8cfd588e8998968e2621456e | Outstanding Payment List.vbs |
| File Hash (MD5) | 7403cbcc5a9c32384d431856dc48fcc9 | Statement of debt (4).vbs |
| File Hash (MD5) | 68c16c46f8afb9e00bbaba0207fb0a46 | Debt Note (2).vbs |
| File Hash (MD5) | 66442f2457eca8f47385b1fb2c6fcab8 | Statement of Debt(30K).vbs |
| File Hash (MD5) | 6359e6236471cbe434d0ef4c42b7f879 | Applicationform1.vbs |
| File Hash (MD5) | 5b6bbcc06cf08cc99e1afeda486d42fb | Extrato de Conciliação.vbs |
| File Hash (MD5) | 5002eca748205d544618e3bd2dedc223 | Statement of Debt(29K).vbs |
| File Hash (MD5) | 4f0593e8e0e8fac49429e9b45ebf7fa1 | Outstanding Payment List.vbs |
| File Hash (MD5) | 4044e4b6471c9de7b0a4ba37d9d9df9a | billing statement (2).vbs |
| File Hash (MD5) | 20209b3a32769afc6a75694b8d8839dd | Statement of Debt(A).vbs |
| File Hash (MD5) | 0ba93109757776a44de9d8c88baa4963 | Financial Reports(C1).vbs |
| File Hash (MD5) | 02bb20455cc592a69c080abac770ce90 | Le formulaire de demande le plus récent.vbs |
| File Hash (MD5) | 6c39900d77dcba158e1d27c7619cb06d | Outstanding Balance Sheet(A).vbs |
| File Hash (MD5) | dad708e050632a4280cabf98ac1376b7 | Outstanding Balance Sheet.vbs |
| File Hash (MD5) | 05d188f071d097f5b6bd8138749b4b14 | Penyata bank.vbs |
| File Hash (MD5) | 2c6f05f1f309d89b2236e6c8b59c88f9 | Account Statement (13K) (2).vbs |
| File Hash (MD5) | 3b1aba44dd3d9b6339b6f56e2f42034b | Statement of Account.txt |
| File Hash (MD5) | d43fdaa1f0ee09d7e5f0f94ee9df7b6c | Bitte füllen Sie das Formular…aus.vbs |
| File Hash (MD5) | df4fa0369eaca5cec348be293890d4af | Account Statement.vbs |
| File Hash (MD5) | 63ac85195b73753333316a889cf5880f | Statement of Account(O).vbs |
| File Hash (MD5) | 74fd9f91fc93b6288b4fc253ea5b3e20 | Sila semak bil anda.vbs |
| File Hash (MD5) | d06333c360b51456f427e616c3c5f8bd | Sila semak bil anda.vbs (variant) |
| File Hash (MD5) | 1d94fbe9cab21278cc3f104bea334d08 | Promissory_Note(b).vbs |
| File Hash (MD5) | 9d9ac85765e4a818a3ccabe2cf4fef82 | Debt Statement.vbs |
| File Hash (MD5) | 6fb6a55424adfb61e31f06aef33273e5 | dfjieya.vbs |
| File Hash (MD5) | f90ed4b2d0b67114aa89ddfed658e5c0 | dfjieya.vbs (variant) |
| File Hash (MD5) | 8c3322009b8982663c0cbecd9492e7eb | 0lf.vbs |
| File Hash (MD5) | 66705384a7ad81d14c34fc6c054a0ecf | iowepv.vbs |
| File Hash (MD5) | 8c6d9fc389ad3f20ccbc71d77eb39bfa | btksfmsi.vbs |
| File Hash (MD5) | 1a3cc75466ffb1971482f7abf7aabc3f | home3.vbs |
| File Hash (MD5) | 1c47c63e5ed25060d95359c57c77b107 | zipats.vbs |
| File Hash (MD5) | 31037a42ca048e06e69a78f55bc2eff5 | 1122.vbs |
| File Hash (MD5) | 7f16449cd0c4862d1eadf8a5742bf09a | payload_1.vbs |
| File Hash (MD5) | 79ecd61b09b0f2d54b34586c916c4ec9 | sac8.vbs |
| File Hash (MD5) | 7849061c536a3efb05a56d504694e7e7 | 6oy.vbs |
| File Hash (MD5) | ddaffe9849f7f3c79f8804adb9a6b3d5 | kof.vbs |
| File Hash (MD5) | d01cad98dd0d01b75e04e784953c5e2b | sleestak_payload_1.vbs |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
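As an added example (not code from the article or from Securelist), the block below shows how a defender can consume this table without ever publishing a live indicator: it parses the defanged rows, re-fangs each indicator only in memory for matching against local DNS, proxy and EDR hash records, and reports hits using the defanged form. The table rows are copied from the IoC list above; the log lines are constructed for the demo.

```python
import re

# A subset of the article's IoC table, kept exactly as published (defanged)
IOC_TABLE = """\
| Type | Indicator | Description |
|---|---|---|
| IP Address | 202.61.160[.]208 | Attacker-controlled ManageEngine UEMS server |
| Domain | invoice.msopsa[.]top | Malware distribution domain |
| Domain | baoyuw2s.s3.ap-southeast-1.amazonaws[.]com | Payload hosting (AWS S3) |
| File Hash (MD5) | c7f38cbb99c8b74fa0465293feeba700 | Financial Reports.vbs |
"""

# Constructed log records of three kinds: DNS query, proxy CONNECT, EDR file hash
SAMPLE_LOGS = [
    "dns query client=10.0.0.5 qname=invoice.msopsa.top type=A",
    "proxy CONNECT 202.61.160.208:443 user=alice",
    r"edr filehash md5=c7f38cbb99c8b74fa0465293feeba700 path=C:\Users\alice\Downloads\Financial Reports.vbs",
    "dns query client=10.0.0.7 qname=example.org type=A",
]


def parse_ioc_table(text):
    """Parse a markdown IoC table into dicts; indicators stay defanged as stored."""
    iocs = []
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("|---"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Type":
            continue  # skip the header row and anything malformed
        iocs.append({"type": cells[0], "indicator": cells[1], "description": cells[2]})
    return iocs


def refang(indicator):
    """Restore a defanged indicator to its live form, for in-memory matching only."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_logs(iocs, lines):
    """Return (line index, IoC type, defanged indicator) for every log line that contains an IoC."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for ioc in iocs:
            needle = refang(ioc["indicator"]).lower()
            # Bound the match so 202.61.160.20 cannot match 202.61.160.208 and vice versa
            if re.search(r"(?<![\w.])" + re.escape(needle) + r"(?![\w.])", low):
                hits.append((i, ioc["type"], ioc["indicator"]))
    return hits


if __name__ == "__main__":
    for idx, kind, ind in match_logs(parse_ioc_table(IOC_TABLE), SAMPLE_LOGS):
        print(f"line {idx}: {kind} {ind}")
```

Reporting the defanged form keeps downstream tickets and chat messages from auto-linking to attacker infrastructure, which is the point of the note above; the live string exists only inside `match_logs` while a comparison is being made.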