Microsoft is warning WhatsApp users of a new malware campaign that tricks them into executing malicious Visual Basic Script (VBS) files, ultimately enabling persistence and remote access.
In a March 31 report, Microsoft Defender Experts said attackers have been distributing malicious VBS files through WhatsApp since at least late February, relying on social engineering to get recipients to run them.
Once launched, the script delays execution and then starts a multi-stage infection chain designed to blend into normal system activity while it pulls additional payloads for remote control in the background. “The campaign relies on a combination of social engineering and living-off-the-land (LOTL) techniques,” Microsoft researchers wrote in the report. “By combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.”
The campaign ultimately installs malicious Microsoft Installer (MSI) packages to maintain control of the infected devices.
Campaign deploys a LOTL infection chain
The attack begins with a WhatsApp message carrying a VBS file. Once executed, the script creates hidden directories on the system and begins staging the next steps of the compromise.
Rather than dropping custom malware immediately, however, the campaign turns to living-off-the-land techniques: the VBS payload deploys renamed copies of legitimate Windows utilities such as curl.exe and bitsadmin.exe, under misleading filenames chosen to evade casual inspection.
These copies retain their original version metadata, so the new names let them blend into the environment while they perform tasks such as downloading additional payloads, but the mismatch between name and metadata is itself a detection opportunity. “Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file’s name does not match its embedded OriginalFileName,” the report added.
The researchers noted that even payload retrieval happens from legitimate hosting sources: attackers host components on well-known cloud platforms including AWS, Tencent Cloud, and Backblaze B2. The combination of trusted tools, trusted infrastructure, and staged execution is what makes this a low-noise, reliable attack path.
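The name-versus-OriginalFilename check the report describes can be run on an endpoint directly. The following PowerShell function is an added example, not code from the Microsoft report: it sweeps user-writable directories (including hidden ones, since the dropper creates those), reads each PE file's version resource, and reports files whose on-disk name differs from the embedded OriginalFilename. The directory list and the watch list of curl.exe and bitsadmin.exe are assumptions drawn from the article; extend both for your environment.

```powershell
# Added example (not from the Microsoft report). Hunts for PE files whose on-disk
# name differs from the OriginalFilename in their version resource, the
# "metadata discrepancy" the report describes for renamed curl.exe/bitsadmin.exe.
function Find-RenamedBinaries {
    [CmdletBinding()]
    param(
        # Directories to sweep, e.g. user-writable staging locations.
        [Parameter(Mandatory)] [string[]] $Path,
        # Assumption: the two utilities named in the report; add other LOLBins as needed.
        [string[]] $WatchList = @('curl.exe', 'bitsadmin.exe')
    )

    # -Force is required: the dropper stages its tools in hidden directories,
    # which Get-ChildItem skips by default.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            # Files without a version resource carry no signal here; skip them.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }
            $orig = $orig.Trim()

            # Case-insensitive compare: Microsoft binaries often embed e.g. "Cmd.Exe".
            if ($_.Name -ine $orig) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OnDiskName       = $_.Name
                    OriginalFileName = $orig
                    CompanyName      = $_.VersionInfo.CompanyName
                    # A signed LOLBin sitting under a foreign name is the high-priority case.
                    OnWatchList      = ($WatchList -contains $orig)
                    SignatureStatus  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    Hidden           = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
}

# Usage: sweep the locations a user-level dropper can write to and rank the hits.
Find-RenamedBinaries -Path $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC |
    Sort-Object -Property OnWatchList, Hidden -Descending |
    Format-Table -AutoSize
```

Expect some benign mismatches (vendor bootstrappers renamed by their own installers, for example), which is why the output carries the signature status and company name for triage rather than treating every hit as malicious. The same comparison is available retrospectively in Microsoft Defender advanced hunting, where DeviceProcessEvents exposes both FileName and ProcessVersionInfoOriginalFileName for each process start.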
MSI as the backdoor vehicle for persistence
The final stages of the campaign establish persistence, using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors.
MSI files are an effective choice because they are not usually treated as inherently suspicious and can execute custom actions during installation. In this campaign they deploy malware that maintains access, escalates privileges, and enables remote control of the infected system.
By the time the MSI component is installed, the attackers have already established a foothold with scripts and system tools, so the backdoor is just one layer in the broader persistence strategy Microsoft observed. The earlier stages prepare the environment, while the installer formalizes long-term access.
Microsoft also noted that the campaign incorporates privilege escalation to strengthen persistence, enabling malware to run with elevated privileges and maintain access beyond the initial user-level compromise. Recommendations included monitoring scripts and installer execution, watching for misuse of legitimate tools, and tracking suspicious activity tied to files delivered through platforms like WhatsApp.
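Because the custom actions in an MSI are what turn a "harmless installer" into a backdoor dropper, an analyst following the recommendation to monitor installer execution will want to see those actions before the package runs. The function below is an added example, not part of the Microsoft report: it opens an MSI read-only through the Windows Installer COM automation interface, dumps its CustomAction table, and decodes the type bits that matter for triage, in particular deferred actions flagged to run without impersonation, which execute as LocalSystem during an elevated per-machine install. The type constants are from the Windows Installer CustomAction table documentation; the sample path is a placeholder.

```powershell
# Added example (not from the Microsoft report). Lists the CustomAction table of
# an MSI via the Windows Installer COM automation interface and decodes the type
# bits relevant to triage. Type constants follow the Windows Installer
# CustomAction table documentation; the path in the usage line is a placeholder.
function Get-MsiCustomAction {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $MsiPath)

    # Base type (low 6 bits of Type) -> what the action executes.
    $baseTypes = @{
        1  = 'DLL from Binary table';        2  = 'EXE from Binary table'
        5  = 'JScript from Binary table';    6  = 'VBScript from Binary table'
        17 = 'DLL installed with product';   18 = 'EXE installed with product'
        19 = 'Error message (abort)';        21 = 'JScript installed with product'
        22 = 'VBScript installed with product'
        34 = 'EXE with working directory';   35 = 'Set directory'
        37 = 'JScript text in table';        38 = 'VBScript text in table'
        50 = 'EXE path from property';       51 = 'Set property'
        53 = 'JScript text from property';   54 = 'VBScript text from property'
    }

    $full = (Resolve-Path -LiteralPath $MsiPath).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # The Installer object is late-bound COM; members are called through InvokeMember.
    # Mode 0 = msiOpenDatabaseModeReadOnly, so inspection never modifies the package.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($full, 0))
    try {
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
            @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'))
    } catch {
        # Packages with no custom actions have no CustomAction table at all.
        Write-Verbose "No CustomAction table in $full"
        return
    }
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null

    while ($rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)) {
        $type = [int]$rec.GetType().InvokeMember('IntegerData', 'GetProperty', $null, $rec, @(2))
        [pscustomobject]@{
            Action        = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
            Type          = $type
            Kind          = $baseTypes[($type -band 0x3F)]
            Deferred      = (($type -band 0x400) -ne 0)   # msidbCustomActionTypeInScript
            NoImpersonate = (($type -band 0x800) -ne 0)   # with Deferred: runs as LocalSystem
            Async         = (($type -band 0x80)  -ne 0)   # msidbCustomActionTypeAsync
            Source        = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(3))
            Target        = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(4))
        }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
}

# Usage: surface the actions that would run code as SYSTEM from an elevated install.
Get-MsiCustomAction -MsiPath 'C:\Samples\suspect.msi' |
    Where-Object { $_.Deferred -and $_.NoImpersonate } |
    Format-Table Action, Kind, Source, Target -AutoSize
```

Binary-table actions (types 1, 2, 5, 6) carry their payload inside the MSI itself, so a package whose only visible file is the installer can still drop and execute an embedded EXE or script; EXE-from-property actions (type 50) resolve their target at install time and are worth reading together with the Property table. The NoImpersonate flag only yields a SYSTEM-level action when the install itself is elevated, whether through a UAC prompt the user accepts or a misconfiguration such as AlwaysInstallElevated, which is the hand-off point where the user-level foothold described above becomes the elevated persistence Microsoft observed.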